Monday, September 26, 2016

3 Easy Ways To Grant the rights to modify AD group membership and be Successful

Posted By: The Funky Tech Guy - 7:17:00 AM

Share

& Comment




Problem:




You would like to grant a non domain admin user the rights or permissions ,e.g your servicedesk staff, the ability to modify the group membership but only of certain groups.
There are two very easy ways of doing this and a third more granular approach if required.

Pre-requisites:




Ensure you have created an AD group and assign your users you want to grant access to this group. If possible, create a separate OU to house all the groups you intend to give rights to.

Option 1 - Delegation of Control

  1. Right click the OU where the groups are and click Delegate Control… then click Nextimage
  2. Select your AD Group

    image
  3. Select Modify the membership of a group and click next

    image
  4. Click Next and Finish

Option 2 – Managed By

Note: you can use this on an OU or individual group.
  1. Right the same OU then click Properties
  2. Click the Managed By tab then click the Change… button

    image
  3. Specify your group and click OK

Option 3 – Using the security tab



If you need to be more granular,do it this way as it allows you to see exactly what permissions are associated with a given task and you can add additional permissions.
  1. Right click either the OU or specific group you would like to grant access or modify right to
  2. Click Properties
  3. Click the Security Tab
  4. Click Advanced
  5. Click Add
  6. Select your Group
  7. On the Object tab Select Descendant Group Objects and enable:
    • Read Members
    • Write Members


      image
  8. Click OK until all windows are closed
That's it

Hope this has been informative. If you have any comments or questions do so below.

About The Funky Tech Guy

The Funky Tech Guy is a publication/blog that comprises primarily of articals and how tos relating to Information Technology.I have been in the IT industry since 2001 and can easliy say that IT is my passion. The primary focus of this site is to share some of the knowledge and experiences I've gained.

4 comments :

Randip Malakar said...

Hi,

I was looking for the third option - granular way.

Thanks for this article. Now I have the answer.

Thanks,
Randip Malakar


The Funky Tech Guy said...

Thank you for the feedback Randip. It always helps to know different ways of accomplishing a task.

Anonymous said...

What about granting the rights in Windows Server 2012 R2 AD environment? There are no longer that checkboxes present mentioned in 3 method.

The Funky Tech Guy said...

In a Windows 2012/R2 environment, it would work the same. It's still applicable.

Copyright © 2013 The Funky Tech Guy ™ is a registered trademark.

Designed by Templateism . Built with Blogger Templates .