Hello,
We are revising our security groups and delegations but are struggling with one problem:
We want to delegate permissions to assign existing security groups for our users (excluding users with administration permissions). The problem is that we have a structure of different OUs that we do not want to change in any way.
Our structure is (actual naming differs):
-- Groups
---- Delegation
---- Roles
-- Users
---- Administrative Users
---- Normal Users
We want to delegate the Servicedesk users (which are located in Administrative Users) to be able to assign Members / Members Of for the Normal Users (so not the Administrative Users).
If you delegate control on the OU called Normal Users, it will only work with Security Groups located in Normal Users itself, but all the Security Groups are under the Groups OUs. If you add the delegated permissions on the Groups OU as well, it works, but this also gives permissions to edit Administrative Users.
The permissions I applied are:
Read Members and Read Members Of
Write Members and Write Members Of
We try to avoid using deny permissions, also because those can be a nuisance later on.
I hope that I made our situation clear and I hope that someone knows a good solution for our case.
Thanks in advance.