7.7. Delegating Control for Managing Membership of a Group

Problem

You want to delegate control of managing the membership of a group.

Solution

Using a graphical user interface

Tip

This is a new feature of the Windows Server 2003 version of ADUC.

  1. Open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the results pane.

  6. Select the Managed By tab.

  7. Click the Change button.

  8. Locate the group or user to delegate control to and click OK.

  9. Check the box beside Manager can update membership list.

  10. Click OK.

Using a command-line interface

> dsacls <GroupDN> /G <GroupName>@DomainName:WP;member;

In the following example, the SalesAdmin group will be given rights to modify membership of the PreSales group.

> dsacls cn=presales,ou=sales,dc=rallencorp,dc=com /G salesadmins@rallencorp.com:WP;member;
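
To confirm what a grant like the one above leaves on the group, the following added example (not from the book; it uses PowerShell rather than the recipe's tools) lists every ACE on the group that permits writing the member attribute. The function name Get-GroupMemberWriteAce is hypothetical, and the script assumes a domain-joined Windows host with read access to the group's security descriptor.

```powershell
# Added example: list ACEs on a group that allow (or deny) writing its 'member' attribute.
# Assumes Windows PowerShell 3.0+ on a domain-joined host with read access to the group.
$MemberAttributeGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of 'member'

function Get-GroupMemberWriteAce {   # hypothetical helper name
    param(
        [Parameter(Mandatory = $true)]
        [string]$GroupDN
    )
    $adRights = [System.DirectoryServices.ActiveDirectoryRights]
    $entry = [ADSI]"LDAP://$GroupDN"
    # Explicit and inherited ACEs; trustees are resolved to DOMAIN\name where possible.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        # Inherit-only ACEs do not apply to the group object itself.
        if ($rule.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        # The WriteProperty bit is also set inside GenericWrite and GenericAll.
        if (-not ($rule.ActiveDirectoryRights -band $adRights::WriteProperty)) { continue }
        # An empty ObjectType means every property; otherwise it must name 'member'.
        # ACEs scoped to a property set are not expanded by this check.
        if ($rule.ObjectType -ne [guid]::Empty -and $rule.ObjectType -ne $MemberAttributeGuid) { continue }

        [pscustomobject]@{
            Trustee   = $rule.IdentityReference.Value
            Type      = $rule.AccessControlType        # Allow or Deny
            Rights    = $rule.ActiveDirectoryRights
            Scope     = if ($rule.ObjectType -eq [guid]::Empty) { 'all properties' } else { 'member' }
            Inherited = $rule.IsInherited
        }
    }
}

# The recipe's example group: after the dsacls grant, salesadmins should be
# listed with Type = Allow and Scope = member.
Get-GroupMemberWriteAce -GroupDN 'cn=presales,ou=sales,dc=rallencorp,dc=com' |
    Sort-Object Inherited, Trustee |
    Format-Table -AutoSize
```

Any trustee in the output that is not an intended group manager is a delegation to review, since write access to member lets that trustee add accounts to the group.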

Using VBScript

' This code grants write access to the member attribute of a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Sales,dc=rallencorp,dc=com
strUserOrGroup = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)

'############################
' Constants
'############################
...
