Allow End User to Modify Domain-Based Security Group
My organization runs Windows Server 2008 R2 domain controllers and Windows 7 clients. End users are administrators on their own workstations. Is there a way in Windows 7 to allow end users to modify domain-based security group membership for groups which they manage? I'd prefer for end users to use something built into the OS (i.e., go to the command line or via a GUI) rather than install additional software. In Windows XP users can go to the search GUI and modify domain-based security group membership there. I haven't found a similar way to modify domain-based security groups in Windows 7.
March 3rd, 2011 2:16pm

Please delegate to these users the right to modify your domain groups. Also, they can use command lines to modify a user group membership. This posting is provided "AS IS" with no warranties or guarantees , and confers no rights. Microsoft Student Partner Microsoft Certified Professional Microsoft Certified Systems Administrator: Security Microsoft Certified Systems Engineer: Security Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
Free Windows Admin Tool Kit Click here and download it now
March 3rd, 2011 2:32pm

Thanks for the reply. I have delegated security groups already by specifying certain users as security group managers and giving them the ability to update groups. Regarding the command-line utilities you referenced, these are the Directory Service Admin Tools, which are not built-into the OS and provide greater functionality than I want end users to have access to. Is there a way for domain users to modify domain security groups in Windows 7 without using server administrator-level utilities (i.e., RSAT)?
March 3rd, 2011 2:38pm

Hi, Thanks for posting in Microsoft TechNet Forum. As we all know, Windows XP and Windows 7 are different. In comparison with Windows XP, Windows 7 adds many new functions and cancels some items, thus we cannot guarantee a tool or a feature which built in Windows XP would still work in Windows 7. Meanwhile, I would like to ask what you want to achieve ultimately. Maybe we can find a workaround for you. Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
March 7th, 2011 5:47am

Hi, I just wanted to say Hi! Please do not hesitate to let me know if you have any further concerns or questions regarding the issue. Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.com Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
March 9th, 2011 8:29pm

Hi, As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as ‘Answered’ as the previous steps should be helpful for many similar scenarios. If the issue still persists, please feel free to reply this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. BTW, we’d love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks for your understanding and efforts. Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
March 16th, 2011 2:21am

Hi Alex, Regarding what I want to achieve ultimately, I want to allow end users to update domain-based security groups without having to install the RSAT utilities on their machines, as handing the RSAT utilities to end users is dangerous. By providing end users the ability to update domain-based security groups, I will effectively off load this task to end users and reduce the number of calls to the help desk and reduce response times for end users. Thanks.
March 23rd, 2011 12:33pm

Hi, As my understanding, all domain users have read access to domain objects within AD Users and Computers unless someone has delegated more or less rights to a specific user or group of users. Currently, I would recommend the following: 1. Delegate proper permission to the group of people which should be able to modify Domain based security group. 2. Create a customized MMC console. 3. Distribute the customized MMC console. Meanwhile, this issue is related to Windows Server, it is recommended to post to Windows Server forum for further help: Windows Server Category The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding. Alex Zhao TechNet Subscriber Support in forum. If you have any feedback on our support, please contact tngfb@microsoft.comPlease remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
Free Windows Admin Tool Kit Click here and download it now
March 25th, 2011 12:57pm

Thanks Alex. If I distribute an MMC, would it not require the Active Directory Users and Computers snap-in, which in turn requires the RSAT to be installed on the Windows 7 client workstation? If you feel like moving this thread to the Windows Server forums, feel free. I feel the topic is just as related to Windows 7, so I can see it going in either location.
March 26th, 2011 12:56am

Hi, You will require RSAT. However, only permitted users will have access to AD objects. However, have you given using Remote Powershell? it won't require you to install RSAT. The steps would be to create a remote session & enter into the session. I haven't tested this but this could be the approach. can you try that out?KetanT | Microsoft
Free Windows Admin Tool Kit Click here and download it now
March 29th, 2011 8:03am

Ketan, I haven't tried using Remote Powershell as I'm looking for a built-in GUI-based method that an end user can use to modify domain-based security groups. The average end user does not know how to use a command line utility. Unfortunately, it looks like Microsoft removed the built-in GUI-based capability for modifying security groups that was present in XP. I am not comfortable with giving end users access to the RSAT. I'll leave your proposed answer as it looks like my original question was answered, albeit with solutions I do not prefer to use.
April 21st, 2011 11:06am

Hi, You are actually looking for a way to access dsa.msc without RSAT which is not possible in windows Vista and above If it worked in XP, note that in XP also you needed to install ADMINPAK located here http://www.microsoft.com/downloads/en/details.aspx?FamilyID=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3 You can use either powershell or needs to install RSAT or make a custom GUI which does a LDAP bind to the DC to modify the groupsKetan Thakkar | Microsoft Online Community Support
Free Windows Admin Tool Kit Click here and download it now
May 17th, 2011 5:32am

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics