Delegate Security Group Assign Permissions

Hello,

We are revising our security groups and delegations but are struggling with one problem:

We want to delegate permissions to assign existing security groups for our users (excluding users with administration permissions). The problem is that we have a structure of different OUs that we do not want to change in any way.

Our structure is (actual naming differs):

-- Groups
---- Delegation
---- Roles
-- Users
---- Administrative Users
---- Normal Users

We want to delegate the Servicedesk users (which are located in Administrative Users) to be able to assign Members / Members Of for the Normal Users (so not the Administrative Users).

If you delegate control on the OU called Normal Users, it will only work with Security Groups located in Normal Users itself, but all the Security Groups are under the Groups OUs. If you add the delegated permissions on the Groups OU as well, it works, but this also gives permissions to edit Administrative Users.

The permissions I applied are:
Read Members and Read Members Of
Write Members and Write Members Of

We also try to avoid using deny permissions because those can be a nuisance later on.

I hope that I made our situation clear and I hope that someone knows a good solution for our case.

Thanks in advance.

February 13th, 2015 7:03pm

Hi,

Thanks for your post.

Please refer to this article for delegation Active Directory Permissions To Only Manage Users, Computers, Group Policy and OUs

http://www.randomtechtips.com/delegate-active-directory-permissions-to-only-manage-users-computers-group-policy-and-ous/

Regards.

February 17th, 2015 7:47am

Hi,

Thank you for your reply, but this is not very helpful for me because I know how to delegate with the specific options to select, but our problem lies in our OU structure that we have to work with. And the problem is that the groups and users are in separate OUs.

Our structure is (actual naming differs):

-- Groups
---- Delegation
---- Roles
-- Users
---- Administrative Users
---- Normal Users

We want to delegate the Servicedesk users (which are located in Administrative Users) to be able to assign Members / Members Of for the Normal Users (so not the Administrative Users).

The applied groups for the users however are located in the Delegation and Roles OUs.

Assigning it to the 'Normal Users' OU only is not enough because this gives them permissions to only change the members / members of settings for groups located in the Normal Users OU only.

February 18th, 2015 6:47am

This topic is archived. No further replies will be accepted.
