How to let non-admins manage selected domain groups’ membership

active-directory, group-policy, groups, windows-server-2012-r2

I'm on Windows Server 2012; Active Directory is on and working. All the projects we manage have 2 dedicated groups: one for managers with access to all related files (including invoices, timetables and whatever they need to manage the project, or at least I guess; it could be a bunch of animated gifs for all I know) and one for the people who actually work on the project, with access to only the files of the project itself.

I need to let some project managers control the membership of the groups that allow file access to their projects. They should not be able to edit any other aspect of the group. And ideally it should be using a GUI of some kind, because it will be hard enough to explain it that way, but worst case scenario I can script one.

I added the managing group to the "Managed By" tab of the managed group, with "Manager can update membership list" enabled, and this looked easy enough. But..

  1. Should I let the managing group see the whole user list? If so, how?
  2. How and where should the managing group members log in to edit the group membership?

Best Answer

You can specify the managedBy attribute, and check the box for "Manager can update membership list". (This grants write permission for the Member attribute.)

The person(s) who need to edit the group may be able to do it with the DSQuery widget, for which you can create the following shortcut:

rundll32 dsquery,OpenQueryWindow

They can search for the group as with AD Users and Computers, then edit the properties, and Add members.

It may be possible to do this with Outlook (if the group is mail-enabled), but that can be more fragile if you have a multiple domain environment.

ManagedBy

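The two steps the answer describes (setting managedBy, then ticking "Manager can update membership list", which is nothing more than a WriteProperty ACE on the group's member attribute) can be done from PowerShell instead of the GUI. The script below is an added example, not code from the original post: it assumes the ActiveDirectory module is installed, that the group names Proj-Alpha-Workers and Proj-Alpha-Managers exist (both are placeholders), and that you run it as an account allowed to change the group's security descriptor. The last step prints the resulting ACE so you can confirm that the managers got write on member and nothing else.

```powershell
# Added example, not part of the original answer. Group names are assumptions.
Import-Module ActiveDirectory

$managedGroupName = 'Proj-Alpha-Workers'    # assumed: the group whose members the PMs edit
$managerGroupName = 'Proj-Alpha-Managers'   # assumed: the group of project managers

$group   = Get-ADGroup -Identity $managedGroupName
$manager = Get-ADGroup -Identity $managerGroupName

# Step 1: populate the "Managed By" tab (managedBy takes a distinguished name).
Set-ADGroup -Identity $group -ManagedBy $manager.DistinguishedName

# Step 2: the "Manager can update membership list" checkbox.
# It adds an Allow ACE granting WriteProperty on the 'member' attribute only.
# bf9679c0-0de6-11d0-a285-00aa003049e2 is the schemaIDGUID of 'member'.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$sid  = [System.Security.Principal.SecurityIdentifier]$manager.SID
$path = "AD:\$($group.DistinguishedName)"

$acl = Get-Acl -Path $path
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttrGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Step 3: verify. Expect exactly one Allow / WriteProperty entry for the manager
# group scoped to the member attribute; any broader right here is a mistake.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $memberAttrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, ObjectType
```

Because the ACE is scoped to one attribute GUID, the managers can add and remove members but cannot rename the group, change its scope or touch any other attribute, which is what the question asks for. Note that "update membership list" does not limit which accounts they may add; anyone they can see in the directory, including themselves, can be put into the group, so the check in step 3 is the control to audit.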