OU permissions

Glenn Maxwell 12,876 Reputation points
2024-05-06T21:42:14.46+00:00

Hi All

I have an Organizational Unit (OU) with 250 Active Directory (AD) groups. I have a few users and I want to grant them access to these 250 AD groups, specifically allowing them to add/remove members from the AD groups. Besides this access, I don't want to provide any other permissions. I intend to grant access at the OU level, without using OU Delegate control. Instead, I am looking to manage security permissions by right-clicking the OU, selecting 'Properties', and then navigating to 'Security Permissions'. Please guide me on how to grant only the add/remove AD group member permissions at the OU level.

Windows for business | Windows Client for IT Pros | Directory services | Active Directory
Windows for business | Windows Server | Devices and deployment | Set up, install, or upgrade
Windows for business | Windows Server | User experience | Other

4 answers

  1. Abiola Akinbade 29,410 Reputation points Volunteer Moderator
    2024-05-06T23:14:11.3666667+00:00

    Hello Glenn Maxwell

    Thank you for contacting Microsoft community.

    To do this, I will recommend the following steps:

    1. Locate the Organizational Unit (OU) where your 250 Active Directory (AD) groups are stored.
    2. In the Properties window, go to the "Security" tab and click "Add" to add the users you want to grant permissions to.
    3. To assign permissions, click on "Advanced" to open the Advanced Security Settings window.
    4. Assign the required permissions.
    5. In the Advanced Security Settings window, click on "Add" to add specific permissions for the user/group.
    6. In the Permission Entry window, click on "Select a principal" and select the user/group again.
    7. Under "Apply onto", select "This object and all descendant objects" to apply the permissions to all objects within the OU.
    8. Click "OK" to apply the permission.

  2. Glenn Maxwell 12,876 Reputation points
    2024-05-07T04:30:02.82+00:00

    I am looking for the exact permission to just add/remove users to these AD groups on the OU.


  3. Abiola Akinbade 29,410 Reputation points Volunteer Moderator
    2024-05-07T15:22:18.2+00:00

    Hello Glenn Maxwell:

    Thanks for further clarifying.

    While you can't directly control user management permissions for Active Directory groups, here is an alternative approach:

    You can attempt to use the Delegation control wizard.
    Here's how:

    1. Right-click the container where your group resides and select "Delegate Control."

    2. In the wizard, add the user or group you want to grant permissions to.

    3. Choose the appropriate permissions, such as "Create selected objects in this folder" to allow creating new objects within the container (including groups).

    You can find further information in a similar thread here, with just slight differences in the above guidance:

    https://serverfault.com/questions/336723/grant-permission-in-active-directory-to-add-users-modify-changed-password

    Thanks and Regards,

    Abiola


  4. Glenn Maxwell 12,876 Reputation points
    2024-05-07T21:08:35.1133333+00:00

    I have checked; there are many permissions, and I am not sure which permission to select.

    permissions

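Added example, not part of any post in this thread: one way to grant only membership changes is a single allow ACE on the OU for WriteProperty on the `member` attribute, inherited by descendant group objects only. The OU distinguished name and the delegate group name below are placeholders (assumptions), and the script needs the RSAT ActiveDirectory module.

```powershell
# Added example. $ouDn and $delegate are placeholders; replace with your own values.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

$ouDn     = 'OU=ManagedGroups,DC=example,DC=com'   # placeholder OU holding the groups
$delegate = 'EXAMPLE\GroupMembershipManagers'      # placeholder group of delegated users

# schemaIDGUID values from the standard AD schema
$memberAttr = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'   # attribute: member
$groupClass = [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # object class: group

# Resolve the delegate to a SID so the ACE does not depend on name resolution later
$sid = [System.Security.Principal.NTAccount]::new($delegate).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow WriteProperty on 'member' only, inherited by descendant group objects only.
# In the Advanced Security GUI this is "Applies to: Descendant Group objects"
# with only the "Write Members" property ticked.
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)

$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: list what the delegate holds on the OU. Expect exactly one entry:
# WriteProperty, ObjectType = member, InheritedObjectType = group.
(Get-Acl -Path $path).Access |
    Where-Object { $_.IdentityReference.Value -eq $delegate } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritedObjectType, InheritanceType
```

Anyone holding this ACE can change the membership of every group in the OU, so keep privileged groups out of it. Groups protected by AdminSDHolder do not inherit ACEs from the OU and are unaffected by this entry.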
