15

I'm on Windows Server 2012, Active Directory is on and working. All the projects we manage have 2 dedicated groups, one for managers with access to all related files (including invoices, timetables and whatever they need to manage the project, or at least I guess, it could be a bunch of animated gifs for all I know) and one for the people that actually work on the project with access to only the files of the project itself.

I need to let some project managers control the membership of the groups that allow file access to their projects. They should not be able to edit any other aspect of the group. And ideally it should be using a GUI of some kind, because it will be hard enough to explain it that way, but worst case scenario I can script one.

I added the managing group to the "Managed By" tab of the managed group, with "Manager can update membership list" enabled, and this looked easy enough. But...

  1. Should I let the managing group see the whole user list? If so, how?
  2. How and where should the managing group members log in to edit the group membership?
Bard

2 Answers

23

You can specify the managedBy attribute, and check the box for "Manager can update membership list". (This grants write permission for the Member attribute.)

The person(s) who need to edit the group may be able to do it with the DSQuery widget, for which you can create the following shortcut:

```
rundll32 dsquery,OpenQueryWindow
```

They can search for the group as with AD Users and Computers, then edit the properties, and Add members.

It may be possible to do this with Outlook (if the group is mail-enabled), but that can be more fragile if you have a multiple domain environment.


Greg Askew
  • 2
    Thanks this is working perfectly, also it should be easy enough to explain to the people in charge of each group. (It won't be, but a guy can still hope) – Bard Apr 16 '15 at 15:32
  • 3
    You could also just type in the exact name(s) of the group(s), perform a search, then go to `File>Save Search` and send them the .qds file for them to place on their desktop. – Fütemire Jun 08 '18 at 17:20
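A scripted equivalent of the "Manager can update membership list" checkbox described in the answer above, followed by a check that the managing group holds no other rights on the managed group. This is an added example, not code from the original posts; the group names `Project-X-Staff` and `Project-X-Managers` and both function names are hypothetical, and it assumes the ActiveDirectory PowerShell module (RSAT) is available.

```powershell
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute: the only property managers should be able to write.
$MemberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Grant-MembershipDelegation {
    param([Parameter(Mandatory)][string]$Group,
          [Parameter(Mandatory)][string]$ManagerGroup)

    $g = Get-ADGroup -Identity $Group
    $m = Get-ADGroup -Identity $ManagerGroup

    # Fill in the "Managed By" tab.
    Set-ADGroup -Identity $g -ManagedBy $m.DistinguishedName

    # Add one Allow ACE: WriteProperty scoped to the 'member' attribute only.
    $path = "AD:\$($g.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
                $m.SID,
                [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
                [System.Security.AccessControl.AccessControlType]::Allow,
                $MemberAttr)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

function Get-UnexpectedManagerAce {
    # Returns every Allow ACE (explicit or inherited) granted directly to the
    # manager group that is anything other than WriteProperty on 'member'.
    # Rights obtained through nested groups or other principals are not covered.
    param([Parameter(Mandatory)][string]$Group,
          [Parameter(Mandatory)][string]$ManagerGroup)

    $g   = Get-ADGroup -Identity $Group
    $m   = Get-ADGroup -Identity $ManagerGroup
    $acl = Get-Acl -Path "AD:\$($g.DistinguishedName)"

    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $m.SID -and
            $_.AccessControlType -eq 'Allow' -and
            -not ($_.ActiveDirectoryRights -eq 'WriteProperty' -and
                  $_.ObjectType -eq $MemberAttr)
        }
}

# Hypothetical group names; replace with the real project groups.
Grant-MembershipDelegation -Group 'Project-X-Staff' -ManagerGroup 'Project-X-Managers'
Get-UnexpectedManagerAce   -Group 'Project-X-Staff' -ManagerGroup 'Project-X-Managers'
```

An empty result from `Get-UnexpectedManagerAce` means the managers' direct rights on the group are limited to editing its membership.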
4

In Windows 10 (as well as Windows 8, I believe), you can open File Explorer, select Network from the left navigation pane, select the Network Tab that appears in the ribbon at the top of the window, then choose the Search Active Directory option. A user should then be able to search for an AD group that it has permissions to update and add/remove members.