How to let non-admins manage selected domain groups' membership?


Solution 1

You can specify the managedBy attribute, and check the box for "Manager can update membership list". (This grants write permission for the Member attribute.)

The person(s) who need to edit the group may be able to do it with the DSQuery widget, for which you can create the following shortcut:

rundll32 dsquery,OpenQueryWindow

They can search for the group as with AD Users and Computers, then edit the properties, and Add members.

It may be possible to do this with Outlook (if the group is mail-enabled), but that can be more fragile if you have a multiple domain environment.

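A scripted form of the delegation described in Solution 1, added here as an example and not part of the original answer: it sets managedBy, grants write access to the member attribute only, then lists the manager's explicit ACEs so you can confirm nothing broader was delegated. The group names are hypothetical placeholders, and it assumes the RSAT ActiveDirectory module and an account allowed to change the group's ACL.

```powershell
# Added example: group names below are hypothetical placeholders.
Import-Module ActiveDirectory   # RSAT module; also provides the AD: drive

$groupName   = 'ProjectX-Files'      # hypothetical: group that controls file access
$managerName = 'ProjectX-Managers'   # hypothetical: group allowed to edit membership

# schemaIDGUID of the "member" attribute
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$group   = Get-ADGroup -Identity $groupName
$manager = Get-ADGroup -Identity $managerName
$path    = "AD:\$($group.DistinguishedName)"

# 1. Fill in the Managed By field.
Set-ADGroup -Identity $group -ManagedBy $manager.DistinguishedName

# 2. Allow the manager to write the member attribute and nothing else.
$acl  = Get-Acl -Path $path
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $manager.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Verify: read back the explicit (non-inherited) ACEs held by the manager.
$sidType = [System.Security.Principal.SecurityIdentifier]
$aces = @((Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference.Value -eq $manager.SID.Value })

$aces | Format-Table ActiveDirectoryRights, ObjectType, AccessControlType

# Anything other than WriteProperty scoped to "member" is broader than intended.
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$unexpected = @($aces | Where-Object {
    $_.ActiveDirectoryRights -ne $writeProp -or $_.ObjectType -ne $memberGuid
})
if ($unexpected.Count -gt 0) {
    Write-Warning "$managerName holds rights beyond writing 'member' on $groupName"
}
```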

Solution 2

In Windows 10 (as well as Windows 8, I believe), you can open File Explorer, select Network from the left navigation pane, select the Network tab that appears in the ribbon at the top of the window, then choose the Search Active Directory option. A user should then be able to search for an AD group that they have permission to update and add/remove members.

Author: Bard

Updated on September 18, 2022

Comments

  • Bard
    Bard over 1 year

    I'm on Windows Server 2012, Active Directory is on and working. All the projects we manage have 2 dedicated groups, one for managers with access to all related files (including invoices, timetables and whatever they need to manage the project, or at least I guess, it could be a bunch of animated gifs for all I know) and one for the people that actually work on the project with access to only the files of the project itself.

    I need to let some project managers control the membership of the groups that allow file access to their projects. They should not be able to edit any other aspect of the group. And ideally it should be using a GUI of some kind, because it will be hard enough to explain it that way, but worst case scenario I can script one.

    I added the managing group to the "Managed By" tab of the managed group, with "Manager can update membership list" enabled, and this looked easy enough. But...

    1. Should I let the managing group see the whole user list? If so, how?
    2. How and where should the managing group members log in to edit the group membership?
  • Bard
    Bard about 9 years
    Thanks, this is working perfectly, also it should be easy enough to explain to the people in charge of each group. (It won't be, but a guy can still hope)
  • Tridus
    Tridus almost 7 years
    This works in Windows 7 as well.
  • Fütemire
    Fütemire almost 6 years
    You could also just type in the exact name(s) of the group(s), perform a search, then go to File>Save Search and send them the .qds file for them to place on their desktop.