Re: Delegate Authority

You should delegate group membership control at some OU and then
have within that OU (or its subOUs) only the groups which you want to
allow those delegated to control (mve the rest of the groups elsewhere).

--
Roger Abell
Microsoft MVP (Windows Server : Security)

"Les Arrowman" <LesArrowman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4E7659EF-132F-46BD-B2C4-828F83634F21@xxxxxxxxxxxxxxxx
>I brought up the great idea of removing the help desk folks from the Domain
> Admins group. I want to delegate certain roles to the HD folks by putting
> them in group named 'SupportAdmins' or something similar.
>
> If I give this group add/remove group memberships for an OU, say
> 'Organization' which then has all the subOU's for the various departments.
> I
> do NOT want the group inside the Organization OU as then have the ability
> to
> kick eachother out of the group or attempt to add the SupportAdmins groups
> to
> the Domain Admins group again correct? (Someone before I got here moved
> the
> DomAdm group to the Organization OU)
>
> In other words, should I make an OU outside of Organization named
> 'Delegates' and create the SupportAdmins group in there.


.

Relevant Pages

  • Re: Is it possible,,,
    ... In order to delegate the user rights to modify a group membership, ... ability to create users or groups, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Delegate Authority
    ... Domain Admins is protected from delegatation with the adminsdholder functionality, you can move that group into any OU you want and the delegation in that OU will not allow someone to modify the group. ... I want to delegate certain roles to the HD folks by putting them in group named 'SupportAdmins' or something similar. ... I do NOT want the group inside the Organization OU as then have the ability to kick eachother out of the group or attempt to add the SupportAdmins groups to the Domain Admins group again correct? ...
    (microsoft.public.win2000.security)