Problem:
You would like to grant a non domain admin user the rights or permissions ,e.g your servicedesk staff, the ability to modify the group membership but only of certain groups.
There are two very easy ways of doing this and a third more granular approach if required.
Pre-requisites:
Ensure you have created an AD group and assign your users you want to grant access to this group. If possible, create a separate OU to house all the groups you intend to give rights to.
Option 1 - Delegation of Control
- Right click the OU where the groups are and click Delegate Control… then click Next
- Select your AD Group
- Select Modify the membership of a group and click next
- Click Next and Finish
Option 2 – Managed By
Note: you can use this on an OU or individual group.- Right the same OU then click Properties
- Click the Managed By tab then click the Change… button
- Specify your group and click OK
Option 3 – Using the security tab
If you need to be more granular,do it this way as it allows you to see exactly what permissions are associated with a given task and you can add additional permissions.
- Right click either the OU or specific group you would like to grant access or modify right to
- Click Properties
- Click the Security Tab
- Click Advanced
- Click Add
- Select your Group
- On the Object tab Select Descendant Group Objects and enable:
- Click OK until all windows are closed
Hope this has been informative. If you have any comments or questions do so below.
Comments
I was looking for the third option - granular way.
Thanks for this article. Now I have the answer.
Thanks,
Randip Malakar