
Active Directory 2008 : Administering Groups in an Enterprise (part 2) - Delegating the Management of Group Membership

8/13/2013 9:55:25 AM

3. Delegating the Management of Group Membership

After creating a group, you might want to delegate the management of the group’s membership to a team or an individual who has the business responsibility for the resource that the group manages.

For example, let’s assume that your finance manager is responsible for creating next year’s budget. You create a shared folder for the budget and assign Write permission to a group named ACL_Budget_Edit. If someone needs access to the budget folder, he or she contacts the help desk to enter a request, the help desk contacts the finance manager for business approval, and then the help desk adds the user to the ACL_Budget_Edit group. You can improve the responsiveness and accountability of the process by allowing the finance manager to change the group’s membership. Then users needing access can request it directly from the finance manager, removing the intermediate step of contacting the help desk.

To delegate the management of a group’s membership, you must assign to the finance manager the Allow Write Member permission for the group. The member attribute is the multivalued attribute that is the group’s membership.

Delegating Membership Management with the Managed By Tab

The easiest way to delegate membership management of a single group is to use the Managed By tab of a group object’s Properties dialog box, shown in Figure 3.

Figure 3. The Managed By tab of a group’s Properties dialog box

The Managed By tab serves two purposes. First, it provides contact information related to the manager of a group. You can use this information to contact the business owner of a group to obtain approval prior to adding a user to the group.

The second purpose served by the Managed By tab is to manage the delegation of the member attribute. Note the Manager Can Update Membership List check box shown in Figure 3. When this check box is selected, the user or group shown in the Name box is given the Allow Write Member permission. If you change or clear the manager, the appropriate change is made to the group’s ACL.

Note: Click OK

This is another of the strange and rare places in which you must actually click OK to implement the change. Clicking Apply does not change the ACL on the group.

It is not quite so easy to insert a group onto the Managed By tab of another group. When you click Change, the Select User, Contact, Or Group dialog box appears. If you enter the name of a group and click OK, an error occurs. That’s because this dialog box is not configured to accept groups as valid object types, even though Group is in the name of the dialog box itself. To work around this odd limitation, click Object Types, and then select the check box next to Groups, as shown in Figure 4. Click OK to close both the Object Types and Select dialog boxes. Be sure to select the Manager Can Update Membership List check box if you want to assign the Write Member permission to the group. When a group is used on the Managed By tab, no contact information is visible because groups do not maintain contact-related attributes.

Figure 4. Selecting a group for the Managed By tab

After you have delegated group membership management, users do not require Active Directory Users And Computers to modify the membership of the group. A user can simply use the Search Active Directory capability of Windows clients to find the group, and then change its membership.

To find a group:

  1. Click Start, and then click Network.

  2. Click the Search Active Directory button on the toolbar.

  3. Type the name of the group and click Find Now.

Delegating Membership Management Using Advanced Security Settings

You can use the Advanced Security Settings dialog box to assign the Allow Write Member permission directly. You can assign the permission for an individual group or for all the groups in an OU.

To delegate the management of membership for an individual group, perform the following steps:

  1. In the Active Directory Users And Computers snap-in, click the View menu and make sure Advanced Features is selected.

  2. Right-click the group’s name and choose Properties.

  3. On the Security tab, click Advanced.

  4. In the Advanced Security Settings dialog box, click Add.

    If the Add button is not visible, click Edit, and then click Add.

  5. In the Select Users, Contacts, Service Account, Or Group dialog box, enter the name for the group to which you want to grant permission, or click Browse to search for the group. When you are finished, click OK.

    The Permission Entry dialog box appears.

  6. On the Properties tab, in the Apply To list, choose This Object And All Descendant Objects.

  7. In the Permissions list, select the Allow check boxes for the Read Members and Write Members permissions.

    By default, all users have the Read Members permission, so that permission is not required. However, role-based access control is best implemented by assigning all the permissions required to achieve the desired capability, rather than relying on permissions assigned indirectly.

    Figure 5 shows the resulting Permission Entry dialog box.

    Figure 5. The Permission Entry dialog box showing the delegation of group membership management for a group

  8. Click OK to close each of the security dialog boxes.

To delegate the ability to manage membership for all groups in an OU, perform the following steps:

  1. In the Active Directory Users And Computers snap-in, click the View menu and make sure Advanced Features is selected.

  2. Right-click the OU and then choose Properties.

  3. On the Security tab, click Advanced.

  4. In the Advanced Security Settings dialog box, click Add.

    If the Add button is not visible, click Edit, and then click Add.

  5. In the Select dialog box, enter the name for the group to which you want to grant permission, or click Browse to search for the group. When you are finished browsing, click OK.

    The Permission Entry dialog box appears.

  6. On the Properties tab, in the Apply To list, choose Descendant Group Objects.

  7. In the Permissions list, select the Allow check boxes for the Read Members and Write Members permissions.

    By default, all users have the Read Members permission, so that permission is not required. However, role-based access control is best implemented by assigning all the permissions required to achieve the desired capability, rather than relying on permissions assigned indirectly.

    Figure 6 shows the resulting Permission Entry dialog box.

    Figure 6. The Permission Entry dialog box showing the delegation of group membership management for all groups in the Groups OU

  8. Click OK to close each of the security dialog boxes.
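The same two delegations (Read Members and Write Members on a single group, or on every group beneath an OU) can be applied and then audited from PowerShell. This is an added example, not code from the original tutorial; it assumes the ActiveDirectory module (RSAT) is loaded so that the AD: drive exists, and the delegate group names and DNs in the usage lines are placeholders (ACL_Budget_Edit is the group from the page's scenario).

```powershell
# Added example: delegate the Read Member / Write Member permissions with PowerShell.
# Assumes the ActiveDirectory module is loaded (provides Get-ADObject and the AD: drive).
Import-Module ActiveDirectory

# Resolve the schemaIDGUIDs of the member attribute and the group class from the schema
# partition instead of hardcoding them, so the script works in any forest.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    return [guid]$obj.schemaIDGUID
}
$memberGuid = Get-SchemaGuid 'member'   # the attribute being delegated
$groupGuid  = Get-SchemaGuid 'group'    # scopes an OU-level ACE to descendant group objects

function Grant-MemberManagement {
    param(
        [Parameter(Mandatory)][string]$TargetDN,       # DN of a group, or of an OU with -AllGroupsInOU
        [Parameter(Mandatory)][string]$DelegateGroup,  # sAMAccountName of the group receiving the permission
        [switch]$AllGroupsInOU
    )
    $sid = (Get-ADGroup -Identity $DelegateGroup).SID
    $acl = Get-Acl -Path "AD:\$TargetDN"
    foreach ($r in 'ReadProperty', 'WriteProperty') {
        $right = [System.DirectoryServices.ActiveDirectoryRights]$r
        if ($AllGroupsInOU) {
            # Equivalent of Apply To: Descendant Group Objects
            $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $right, 'Allow', $memberGuid, 'Descendents', $groupGuid)
        } else {
            # Equivalent of Apply To: This Object And All Descendant Objects
            $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $right, 'Allow', $memberGuid, 'All')
        }
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path "AD:\$TargetDN" -AclObject $acl
}

# Audit helper: list every Allow ACE that grants WriteProperty on member, which is what a
# reviewer checks when verifying a delegation or looking for ones nobody remembers granting.
function Get-MemberWriters([string]$TargetDN) {
    (Get-Acl -Path "AD:\$TargetDN").Access |
        Where-Object { $_.ObjectType -eq $memberGuid -and $_.AccessControlType -eq 'Allow' -and
                       $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) } |
        Select-Object IdentityReference, IsInherited, InheritanceType
}

# Usage with placeholder names and DNs (constructed for this example):
Grant-MemberManagement -TargetDN 'CN=ACL_Budget_Edit,OU=Groups,DC=contoso,DC=com' -DelegateGroup 'Finance_Managers'
Grant-MemberManagement -TargetDN 'OU=Groups,DC=contoso,DC=com' -DelegateGroup 'Group_Admins' -AllGroupsInOU
Get-MemberWriters 'CN=ACL_Budget_Edit,OU=Groups,DC=contoso,DC=com'
```

Run the audit helper against the OU-delegated groups as well: the ACE applied at the OU shows up on each descendant group with IsInherited set to True, which is how you distinguish an OU-wide delegation from one granted directly on the group.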
