I have a service user (a normal user in Active Directory) called user1, used by our custom application to manage some aspects of the Active Directory used in the company. I've created a security group called AD Operators that user1 has been added to.

I need user1 to be able to manage other groups' membership within the Active Directory. For this, I've added the AD Operators group as a manager via the "Managed By" tab to all the groups in question. I've also ticked the "Manager can update membership list" checkbox.

However, when the code runs with user1's credentials and tries to save the updated group membership list, I get an Access denied error from the AD. But if I specify user1 as the group manager in "Managed By" instead of the entire AD Operators group, the same code can update the group just fine.

How can I let all members of a particular security group manage the membership of other groups in an AD?
Best Answer
This may not be the appropriate interface to provide the management delegation which you are seeking. The appropriate means by which the management of group memberships should be controlled is by delegating control via the Delegation of Control Wizard.
You should use this tool and interface to grant the "AD Operators" security group the allow "write members" permission; or - if being guided by the wizard - you can select the "Modify the membership of a group" common task.
You should take note of a couple of caveats:
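The delegation the answer describes, granting the AD Operators group the "write members" permission on the groups it should manage, can also be scripted rather than clicked through the wizard. The following is an added example, not code from the answer's author; it assumes the groups to be managed live under the OU OU=Groups,DC=example,DC=com and that the domain's NetBIOS name is EXAMPLE (both placeholders). It uses the built-in dsacls tool to write the ACE and then reads the OU's ACL back through the AD: drive of the ActiveDirectory module to confirm what was granted.

```powershell
# Added example: delegate write access to the 'member' attribute of every
# group object under an OU to the AD Operators security group, then verify.
# Assumed (placeholder) values, not taken from the question:
$GroupsOU = 'OU=Groups,DC=example,DC=com'
$Delegate = 'EXAMPLE\AD Operators'

# Grant WP (write property) on the 'member' attribute. /I:S makes the ACE
# apply only to sub-objects, and the trailing ';group' restricts inheritance
# to objects of class 'group', so the delegate gets nothing on users, OUs or
# computers beneath the same OU. This matches the wizard's
# "Modify the membership of a group" common task.
dsacls $GroupsOU /I:S /G "${Delegate}:WP;member;group"

# Verify: read the OU's ACL via the AD: PSDrive (provided by the
# ActiveDirectory module, available on a DC or with RSAT installed) and
# list only the ACEs that belong to the delegate.
Import-Module ActiveDirectory
$acl = Get-Acl -Path "AD:\$GroupsOU"
$acl.Access |
    Where-Object {
        $_.IdentityReference.Value -eq $Delegate -and
        $_.ActiveDirectoryRights -match 'WriteProperty'
    } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType,
                 InheritedObjectType, InheritanceType, IsInherited -AutoSize
```

In the verification output, ObjectType identifies the attribute the right applies to (here the schemaIDGUID of member) and InheritedObjectType the object class the ACE is inherited by (here group); an ACE with an empty ObjectType would mean write access to all attributes, which is broader than the answer recommends. Because the permission is placed on the OU and inherited, any group created later under that OU is covered automatically, which the per-group "Managed By" setting does not do.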