How to allow security group members to manage other group membership in Active Directory
This may not be the appropriate interface to provide the management delegation which you are seeking. The appropriate means by which the management of group memberships should be controlled is by delegating control via the Delegation of Control Wizard.
You should use this tool and interface to grant the "AD Operators" security group the allow "write members" permission; or - if being guided by the wizard - you can select the "Modify the membership of a group" common task.
You should take note of a couple of caveats:
- Delegation is done at the Container/OU level.
- Permissions on Directory objects generally flow and are inherited much the same way as file system permissions do.
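As an added example (not from the answer above), the same delegation done in PowerShell rather than through the wizard: it grants the "AD Operators" group Allow WriteProperty on the member attribute of every group object under one OU, which is the ACE the wizard's "Modify the membership of a group" task creates. The OU distinguished name is an assumption.

```powershell
# Added example, not from the original answer. Grants "AD Operators" the
# "write members" right (WriteProperty on the member attribute) for every
# group object under one OU. The OU DN below is an assumption.
Import-Module ActiveDirectory

$ouDn     = "OU=Managed Groups,DC=example,DC=com"   # assumed target OU
$delegate = Get-ADGroup -Identity "AD Operators"     # group receiving the right

# Schema GUIDs that scope the ACE: the "member" attribute and the "group" object class.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$memberGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=member)" -Properties schemaIDGUID).schemaIDGUID
$groupGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=group)"  -Properties schemaIDGUID).schemaIDGUID

# Allow WriteProperty on "member", inherited by descendant objects of class "group" only,
# so the delegate gets no rights on users, computers, or the OU object itself.
$aceArgs = @(
    $delegate.SID
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    [System.Security.AccessControl.AccessControlType]::Allow
    $memberGuid
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $groupGuid
)
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs

# Read the OU's security descriptor through the AD: drive, add the ACE, write it back.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify the ACE landed and is scoped to the member attribute, not the whole object.
Get-Acl -Path "AD:\$ouDn" |
    Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference -like "*\AD Operators" -and $_.ObjectType -eq $memberGuid } |
    Format-List IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType
```

Because the ACE is inherited, any group later created under that OU is automatically manageable by the delegate, which is the inheritance caveat the answer mentions.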
Comments
- Maxim V. Pavlov almost 2 years
  I have a service user (normal user in Active Directory) called `user1` used by our custom application to manage some aspects of Active Directory used in the company. I've created a Security group called `AD Operators` that the `user1` has been added to. I need `user1` to be able to manage other group membership within the Active Directory. For this, I've added the `AD Operators` group as a manager via "Managed By" tab to all the groups in question. I've also ticked the "Manager can update membership list" checkbox. However, when the code runs with `user1`'s credentials and tries to save the updated group membership list, I get an Access denied error from the AD. But if I specify `user1` as a group manager in "Managed By" instead of specifying an entire `AD Operators` group, the same code can update the group just fine. How can I let all members of a particular security group manage the membership of other groups in an AD?
- Maxim V. Pavlov about 6 years
  Hi. Thanks. I'll give it a try in the morning and will report back. The inheritance-based nature of the wizard config is fine in my scenario as all the targeted groups are located under a distinct OU.