OU permissions

Glenn Maxwell 10,571 Reputation points
2024-05-06T21:42:14.46+00:00

Hi All

I have an Organizational Unit (OU) with 250 Active Directory (AD) groups. I have a few users and I want to grant them access to these 250 AD groups, specifically allowing them to add/remove members from the AD groups. Besides this access, I don't want to provide any other permissions. I intend to grant access at the OU level, without using OU Delegate control. Instead, I am looking to manage security permissions by right-clicking the OU, selecting 'Properties', and then navigating to 'Security Permissions'. Please guide me on how to grant only the add/remove AD group member permissions at the OU level.


4 answers

  1. akinbade abiola 6,735 Reputation points
    2024-05-06T23:14:11.3666667+00:00

    Hello Glenn Maxwell

    Thank you for contacting Microsoft community.

    To do this, I will recommend the following steps:

    1. Locate the Organizational Unit (OU) where your 250 Active Directory (AD) groups are stored.
    2. In the Properties window, go to the "Security" tab and click "Add" to add the users you want to grant permissions to.
    3. To assign permissions, click on "Advanced" to open the Advanced Security Settings window.
    4. Assign the required permissions.
    5. In the Advanced Security Settings window, click on "Add" to add specific permissions for the user/group.
    6. In the Permission Entry window, click on "Select a principal" and select the user/group again.
    7. Under "Apply onto", select "This object and all descendant objects" to apply the permissions to all objects within the OU.
    8. Click "OK" to apply the permission.

  2. Glenn Maxwell 10,571 Reputation points
    2024-05-07T04:30:02.82+00:00

    I am looking for the exact permission to just add/remove users to these AD groups on the OU.


  3. akinbade abiola 6,735 Reputation points
    2024-05-07T15:22:18.2+00:00

    Hello Glenn Maxwell:

    Thanks for further clarifying.

    While you can't directly control user management permissions for Active Directory groups, here is an alternative approach:

    You can attempt to use the Delegation control wizard.
    Here's how:

    1. Right-click the container where your group resides and select "Delegate Control."
    2. In the wizard, add the user or group you want to grant permissions to.
    3. Choose the appropriate permissions, such as "Create selected objects in this folder" to allow creating new objects within the container (including groups).

    You can find further information in a similar thread here, with just slight differences in the above guidance:

    https://serverfault.com/questions/336723/grant-permission-in-active-directory-to-add-users-modify-changed-password

    Thanks and Regards,

    Abiola


  4. Glenn Maxwell 10,571 Reputation points
    2024-05-07T21:08:35.1133333+00:00

    I have checked; there are many permissions, and I am not sure which permission to select.

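The permission entry built in the Advanced Security Settings steps of the first answer can also be written as a single ACE on the OU. The following is an added example, not part of any post in this thread: it grants read/write on the `member` attribute only, inherited only by descendant group objects. It assumes the RSAT ActiveDirectory module and the default schema GUIDs; the OU path and delegate group name are hypothetical placeholders.

```powershell
# Added example: scoped delegation of group membership management on one OU.
# Assumes the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.
Import-Module ActiveDirectory

# Hypothetical placeholders: replace with your own OU and delegate group.
$ouDn     = 'OU=Managed Groups,DC=example,DC=com'
$delegate = 'EXAMPLE\Group-Membership-Admins'

# schemaIDGUID values from the default AD schema.
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'  # "member" attribute
$groupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'  # "group" object class

# Resolve the delegate to a SID so the ACE does not depend on name lookup later.
$sid = ([System.Security.Principal.NTAccount]$delegate).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow ReadProperty + WriteProperty on "member" only,
# inherited by descendant objects of class "group" only (not the OU itself).
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)

# Append the ACE to the OU's existing DACL and write it back.
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Review: list every ACE on the OU that targets "member" on group objects,
# so unexpected principals holding the same right are visible.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $memberAttr -and
                   $_.InheritedObjectType -eq $groupClass } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  AccessControlType, InheritanceType, IsInherited
```

Groups in the OU that have permission inheritance disabled do not receive this ACE. Granting the right to a dedicated delegate group rather than to individual users keeps the OU's ACL to one entry to audit.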