Permissions on AD Group

Glenn Maxwell 10,146 Reputation points
2024-02-18T13:30:47.9466667+00:00

Hi All, I have an AD group and I want to give permission for a service account to remove the members from that AD group. Except for removing the users from that AD group, the service account should not be able to perform any other activity on that AD group. Experts, guide me with removal permissions. AD Group properties --> Security --> added the service account --> clicked Advanced settings --> double-clicked the service account, Properties -> I can see the Write Members permission, but I believe it will provide add/remove members; I am looking for just remove members permissions. Please guide me.


Accepted answer
  1. Daisy Zhou 18,956 Reputation points Microsoft Vendor
    2024-02-19T03:45:26.7833333+00:00

    Hello Glenn Maxwell,

    Thank you for posting in Q&A forum.

    For setting permissions on an AD group, you can only use the "add/remove members" permissions; it will let the users add or remove the members in this AD group.

    However, you can try using the Delegation Control wizard on containers, then you can select "Create selected objects in this folder" or "Delete selected objects in this folder".
    Delegating administrative permissions in Active Directory | Windows ...

    Here is a similar thread about setting permissions on AD containers (only with "Create selected objects in this folder" but with no "Delete selected objects in this folder").
    https://serverfault.com/questions/336723/grant-permission-in-active-directory-to-add-users-modify-changed-password

    I hope the information above is helpful. If you have any questions or concerns, please feel free to let us know.

    Best Regards,
    Daisy Zhou

    If the Answer is helpful, please click "Accept Answer" and upvote it.

    1 person found this answer helpful.

2 additional answers

  1. Marcin Policht 12,940 Reputation points MVP
    2024-02-18T15:19:51.08+00:00

    As far as I know, you cannot assign a distinct permission that would allow you to remove group members but not to add them.


    hth
    Marcin


  2. Thameur-BOURBITA 32,596 Reputation points
    2024-02-19T13:19:15.5433333+00:00

    Hi @Glenn Maxwell

    "I can see Write Members permission but I believe it will provide add/remove members, I am looking just to remove members permissions."

    You are right; unfortunately, there is no option that lets you give only delete permission on group membership. You have to deal with Write permission if you want to allow the service account to remove members of target groups.


    Please don't forget to accept the helpful answer.

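The answers above agree that Write Members is the narrowest right available on the group. As an added example (not code from any of the posters), this PowerShell sketch grants only that right, WriteProperty scoped to the `member` attribute, on a single group and then reads the ACL back to confirm nothing broader was granted to the account. The group DN and account name are placeholders, and it assumes the RSAT ActiveDirectory module and an ordinary user object as the service account.

```powershell
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl / Set-Acl

# Placeholders (assumptions): replace with your own group DN and service account.
$GroupDn    = 'CN=Example-Group,OU=Groups,DC=example,DC=com'
$SvcAccount = 'svc-groupcleanup'

# schemaIDGUID of the 'member' attribute, which is what "Write Members" maps to.
$MemberAttr = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

# For a gMSA, use Get-ADServiceAccount instead of Get-ADUser.
$sid = (Get-ADUser -Identity $SvcAccount).SID
$acl = Get-Acl -Path "AD:\$GroupDn"

# Allow WriteProperty on 'member' only, on this object only (no inheritance).
# As the answers state, this permits adding members as well as removing them.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $MemberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$GroupDn" -AclObject $acl

# Read back the explicit (non-inherited) ACEs held by the service account.
$explicit = (Get-Acl -Path "AD:\$GroupDn").GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value }

$explicit | Format-Table ActiveDirectoryRights, ObjectType, AccessControlType

# Flag any Allow ACE for the account that is not exactly WriteProperty on 'member'.
$unexpected = $explicit | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    -not ($_.ActiveDirectoryRights -eq 'WriteProperty' -and
          $_.ObjectType -eq $MemberAttr)
}
if ($unexpected) {
    Write-Warning "$SvcAccount holds rights on the group beyond Write Members."
}
```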