This is for a 2003 AD environment. I have a helpdesk user that has permissions to change user's passwords. This is easily assigned at the OU level. Is there a way to assign a similar permission to allow the user to change group membership? I see the "Managed By" option on each group, but changing each one individually is a lot of work. Also, would the "Managed By" option give the desired result?

Hiya, You can delegate control to OU. Right click your OU and select deletegate control. Here is an article that should describe it: http://www.tech-faq.com/how-to-delegate-administrator-privileges-in-active-directory.html

Using the Delegation of Control Wizard, you would assign the permission of "Modify the Membership of a Group". Rather than running this wizard for a single user, I would recommend that you create a group and add users that need this permission to that group. This way, you only have to run this delegation task one time. As you need to add/remove users from this responsibiliity, you simply change the membership. Visit: anITKB.com, an IT Knowledge Base.