This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(297.6, 99%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EB1%3C/text%3E%3C/svg%3E)
I wish to grant AD group - ServiceDesk to add members in these Application groups:
-Application group1
-Application group2
-Application group3
-Application group4
Anyone?
Really appreciate your answer
:)
Hi @Bit-101 ,
Have a read of the following article and sub articles which explains how to assign delegation rights to objects located in OU using the delegation wizard.
With the AD Delegation Wizard you can assign the modify the membership of a group to the groups.
Gary.
$GaryReynolds-8098
Thanks but this seems only a solution for a whole OU?
In that OU we have every application group.
I must have a more granular permission for a service desk group to only
add members to 4 application group in that OU
If I understand it correctly, this granularity is not possible with delgated controll?
:)
Hi,
There are a couple of options:
Gary.
Thanks, but due to our AD design, this solution is out of the question
:)
Option 2 should still be a viable option, as you are applying the permissions directly to the groups and not changing the OU structure.
Gary.
Do you have any web developers on your team?
At my former employer, I developed several web sites to allow "plain old users" to perform administrative tasks. These were VB.Net ASPX pages. The site was set to authenticate, but NOT impersonate the client to get the user's ID. It then checked to see if the user was a member of other Active Directory groups (like a ServiceDesk group). Based on their group membership, they were presented with a menu of functions that they were allowed to do.
The trick is to set the IIS worker process to run as some AD account that has rights to add/remove users from groups. The code in the ASPX page manages which groups can be manipulated. In this manner you could have users listed in ServiceDesk-East manage one set of AD groups, and users listed in ServiceDesk-West to manage another set.
The ServiceDesk users themselves have no right within AD, the IIS application pool serves as a proxy and it has the right to manage any group.
In another case I had application developers that needed to stop and start Windows services. But I could not give them administrative access to the server. In that instance I used local groups on the app server, and set the IIS worker process to run as SYSTEM.
You'll have the pain of doing the initial development and testing, but once you have it working, you can clone it and "front end" other administrative functions.