Managed by AD Groups

Hi Experts,

I am trying to allow project managers to delegate permissions to their teams by adding and removing members from groups using AD, the dsquery tool and the Managed By option for groups.

I found the following article, which was fantastic:

https://serverfault.com/questions/683152/how-to-let-non-admins-manage-selected-domain-groups-membership

However, when testing this as a test user, I'm finding that no matches are returned when searching for a group.
Are there any special permissions required to perform a search?

I obviously only want to grant the users the bare minimum permissions in order to achieve this, so presently they are only domain users and members of a PM group which has permissions to some of the other access groups under the Managed By field.

Any ideas?

Kind Regards
Asked by: James Glen, IT Engineer

James Glen, IT Engineer (Author), commented:
Found the issue. There was a GPO confusing matters: "Maximum size of Active Directory searches", which was set to 0.
 
Mahesh, Architect, commented:
No special permissions are required.
By default, users can view all objects in AD as authenticated users.
You need to select the entire directory as the search scope, and the group names should be correct for the search.
If the groups are added in an OU where you have restricted other users' permissions by disabling inheritance, you will not be able to search.
 
Vikas Bhat, Experienced IT Infrastructure Services/Operations Manager, commented:
Could you please clarify more: "no matches are returned when searching for a group". Where are you searching? I assume that it is the user's Outlook, and in that case, if you have followed all the steps, then you can correct the group scope as shown in the picture.
 
James Glen, IT Engineer (Author), commented:
@Mahesh
Definitely searching the entire directory, and inheritance is enabled.

@Vikas Bhat
Using the following tool:
rundll32 dsquery,OpenQueryWindow
The groups are global security.
 
James Glen, IT Engineer (Author), commented:
Also, more confounding, as the user, I can browse the folder directory using the tool. It's just the groups themselves that do not appear.
 
Shaun Vermaak, Technical Specialist/Developer, commented:
I would not use that. Install RSAT's DSA (Users and Computers) on these PMs' computers.
 
James Glen, IT Engineer (Author), commented:
Hi Shaun,

Any particular reason why you don't recommend DSQuery? And what would be the advantage of using RSAT's DSA?

Kind Regards
 
Shaun Vermaak, Technical Specialist/Developer, commented:
RSAT's DSA is the preferred method to interact with AD, especially if certain functions are not working.
 
James Glen, IT Engineer (Author), commented:
Resolved the issue myself.
Question has a verified solution.
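
An added PowerShell example (not from the thread or its participants): it audits the delegation described in the question by listing every group whose Managed By attribute points at the PM group and reporting whether that group holds the write-members right and nothing broader. The group name `PM-Group` and the function name are hypothetical; the script assumes the RSAT ActiveDirectory module and an account that can read the group ACLs.

```powershell
# Added example; not code from the thread. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute: the only property a delegated manager needs to write.
$MemberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
# Rights that go beyond managing membership and break the bare-minimum goal.
$Excessive  = [System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, Delete'
$WriteProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Get-GroupDelegationReport {
    param([Parameter(Mandatory)][string]$ManagerGroup)   # hypothetical name, e.g. 'PM-Group'

    $mgr = Get-ADGroup -Identity $ManagerGroup
    # Escape LDAP filter metacharacters in the DN before embedding it in the filter.
    $dn  = $mgr.DistinguishedName.Replace('\', '\5c').Replace('*', '\2a').
               Replace('(', '\28').Replace(')', '\29')

    foreach ($g in Get-ADGroup -LDAPFilter "(managedBy=$dn)") {
        # Explicit and inherited allow ACEs granted to the manager group, matched by SID.
        $rules = (Get-Acl -Path "AD:\$($g.DistinguishedName)").GetAccessRules(
                     $true, $true, [System.Security.Principal.SecurityIdentifier]) |
                 Where-Object { $_.IdentityReference -eq $mgr.SID -and
                                $_.AccessControlType -eq 'Allow' }
        $writes = $rules | Where-Object { ($_.ActiveDirectoryRights -band $WriteProp) -ne 0 }

        [pscustomobject]@{
            Group           = $g.Name
            # Managed By alone grants nothing; an ACE on 'member' is what allows edits.
            CanWriteMembers = [bool]($writes | Where-Object { $_.ObjectType -eq $MemberAttr })
            # An empty ObjectType means WriteProperty applies to every attribute.
            AllProperties   = [bool]($writes | Where-Object { $_.ObjectType -eq [guid]::Empty })
            ExcessiveRights = [bool]($rules  | Where-Object {
                                  ($_.ActiveDirectoryRights -band $Excessive) -ne 0 })
        }
    }
}

# Usage (hypothetical group name):
# Get-GroupDelegationReport -ManagerGroup 'PM-Group' | Format-Table -AutoSize
```

A row with `CanWriteMembers` false means the managers are listed on the group but cannot change its membership; `AllProperties` or `ExcessiveRights` true means the delegation is wider than membership management.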
