
We have a Windows 2008R2 server which runs Active Directory on it. I have written a C# application that will allow the IT staff to add new users to AD from it. I have no problems creating or updating users, but when it comes time to add them to different security groups I am running into permission problems. After working with IT we found that I need to have Read, Write, Create Child Objects, and Delete Child Objects. This is now working fine when we specify these permissions directly on the security group, but if we apply these same permissions at the OU level then I am unable to modify the members of individual groups. Can anyone help us figure out what permissions need to be granted at the OU level so that I can add/remove members from any group in that OU?

2 Answers


An Access Control Entry is needed to grant the specified security principal permission on Descendant Group Objects to update the member attribute:

[screenshot: the Access Control Entry described above, as shown in the Advanced Security Settings dialog]

  • I was looking for that but must have missed it. I will double check in the morning when I return to work. Thanks Dec 23, 2016 at 1:09

There is a handy guide from Microsoft. It is written about Windows Server 2003 but is still 98% applicable. It will be useful whenever there is a need to selectively delegate rights in Active Directory.

The ACL inheritance options are described under the /I switch of the dsacls utility.

It should also be borne in mind that the AdminSDHolder mechanism can cause unexpected problems when delegating rights.

To delegate the right to add/delete members of the groups in a particular OU (one that contains groups), you need to run the following command:

dsacls <full distinguished name of OrganizationalUnit> /I:S /G "<security name>:WP;member;group"

Where:

<full distinguished name of OrganizationalUnit> - the full distinguished name of the organizational unit within which you want to delegate the right to change the groups.

<security name> - the user or (better) group name to which the right will be delegated.
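The same delegation expressed in PowerShell, as an added example that is not part of either answer. It assumes the ActiveDirectory module (and its AD: drive) is available; the OU distinguished name and the delegation group are placeholders. It grants only WriteProperty on the member attribute, inherited by descendant group objects (the equivalent of dsacls /I:S with WP;member;group), and then checks that each group inside the OU actually carries the inherited entry, which is the symptom the question is about.

```powershell
# Added example: delegate 'member' writes on all groups under an OU, then verify.
# Assumptions: ActiveDirectory module present; $ouDn and $delegate are placeholders.
Import-Module ActiveDirectory

$ouDn     = 'OU=Groups,DC=example,DC=com'       # placeholder OU distinguished name
$delegate = 'EXAMPLE\GroupMembershipAdmins'     # placeholder delegation group (prefer a group over a user)

# Resolve the schema GUIDs for the 'member' attribute and the 'group' object class from
# the schema partition instead of hard-coding them.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$memberGuid = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID).schemaIDGUID
$groupGuid  = [guid](Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=group)'  -Properties schemaIDGUID).schemaIDGUID

$sid = (Get-ADGroup -Identity $delegate.Split('\')[1]).SID
$acl = Get-Acl -Path "AD:\$ouDn"

# WriteProperty on 'member' only, applied to descendant objects of class 'group'.
# 'Descendents' leaves the OU object itself untouched, like dsacls /I:S.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupGuid)

$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verification: every group under the OU should now show the inherited ACE. A group that
# reports 'NOT delegated' is typically protected by AdminSDHolder (inheritance disabled).
foreach ($g in Get-ADGroup -Filter * -SearchBase $ouDn) {
    $inherited = (Get-Acl -Path "AD:\$($g.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference.Value -eq $delegate -and
                       $_.ObjectType -eq $memberGuid -and $_.IsInherited }
    '{0}: {1}' -f $g.Name, $(if ($inherited) { 'member write delegated' } else { 'NOT delegated' })
}
```

Run it from an account that is allowed to modify the OU's security descriptor; the verification loop can be run on its own afterwards to audit the delegation.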
