Hello
To verify who can amend an Active Directory (AD) group’s membership, you can use a combination of built-in Windows tools and specific permissions checks. Here are the steps you can follow:
Delegate Control Wizard: You can use the Delegate Control Wizard in Active Directory Users and Computers (ADUC) to delegate permissions to junior admins or other groups. This tool allows you to specify which permissions (such as Create, Delete, Manage User Accounts, and Modify the Memberships of Groups) a group or user has.
ManagedBy Attribute: You can specify the managedBy attribute and check the box for “Manager can update membership list”. This grants write permission for the Member attribute. The people who need to edit the group may be able to do it with the DSQuery widget.
Check Permissions: To check the specific permissions that allow amendment to a group membership, you can edit the advanced security on that group, add your service account and then, when selecting the permissions you want to add on the Properties tab (not the default Object tab), you need: Apply to: This object only; Allow: Read Members, Write Members.
Active Directory Auditing: You can also enable Active Directory auditing to track changes made to AD objects, including group membership changes. This can provide a historical record of who has amended a group’s membership.
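The permission check and the audit review described above, as an added PowerShell example that is not part of the original answer. It assumes the RSAT ActiveDirectory module, a domain-joined session with read access to the group's security descriptor, and (for the second function) that the "Audit Security Group Management" subcategory is enabled on the domain controllers so the member-add/remove events (4728/4729 global, 4732/4733 local, 4756/4757 universal) are logged. The function and parameter names are my own.

```powershell
# Added example (not from the original answer): list the principals whose ACEs on a
# group let them change its membership, then pull the matching audit events.
Import-Module ActiveDirectory

# Well-known schemaIDGUID of the 'member' attribute; an all-zero ObjectType means "all properties".
$MemberAttributeGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllProperties       = [Guid]'00000000-0000-0000-0000-000000000000'

# Rights that imply control over membership without naming the member attribute.
$BroadRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll  -bor
               [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteDacl    -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteOwner

function Get-ADGroupMembershipWriters {
    # Returns one row per Allow ACE that can modify the group's membership.
    param([Parameter(Mandatory)][string]$Identity)

    $group = Get-ADGroup -Identity $Identity -Properties managedBy
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        $hasBroad = ([int]($ace.ActiveDirectoryRights -band $BroadRights)) -ne 0
        $writesMember = (([int]($ace.ActiveDirectoryRights -band
                          [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)) -ne 0) -and
                        ($ace.ObjectType -eq $MemberAttributeGuid -or $ace.ObjectType -eq $AllProperties)

        if (-not ($hasBroad -or $writesMember)) { continue }

        [pscustomobject]@{
            Group     = $group.Name
            ManagedBy = $group.managedBy          # DN set by the "Managed By" tab, if any
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            Scope     = if ($ace.ObjectType -eq $MemberAttributeGuid) { 'member attribute' } else { 'object-wide' }
            Inherited = $ace.IsInherited          # inherited ACEs come from the OU, not this group
        }
    }
}

function Get-ADGroupMembershipChangeEvents {
    # Reads the Security log of a domain controller for group member add/remove events.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # a DC name; defaults to the local machine
        [int]$Hours = 24
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4728, 4729, 4732, 4733, 4756, 4757
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Flatten the EventData name/value pairs so fields can be read by name.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }

            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Group     = $data['TargetUserName']   # the group that was changed
                Member    = $data['MemberName']       # DN of the member added or removed
                ChangedBy = $data['SubjectUserName']  # account that made the change
            }
        }
}

# Usage (replace the placeholder names with your own group and DC):
# Get-ADGroupMembershipWriters -Identity 'Domain Admins' | Format-Table -AutoSize
# Get-ADGroupMembershipChangeEvents -ComputerName 'DC01' -Hours 72 | Format-Table -AutoSize
```

The first function answers "who could change this group" from the DACL (including inherited and object-wide rights that the Properties tab does not show as "Write Members"); the second answers "who did change it" from the audit trail. Comparing the two lists is a useful periodic check: a principal in the first list that never appears in the second is a candidate for removing the delegation.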