Grant AD group - ServiceDesk to add members in these Application groups

asked 2021-11-03T07:53:38.063+00:00
Bit-101 136 Reputation points

I wish to grant the AD group ServiceDesk the right to add members to these Application groups:

- Application group1
- Application group2
- Application group3
- Application group4

Anyone?

Really appreciate your answer

:)


4 answers

  1. answered 2021-11-03T08:14:53.103+00:00
    Gary Reynolds 8,806 Reputation points

    Hi @Bit-101 ,

    Have a read of the following article and sub-articles, which explain how to assign delegation rights to objects located in an OU using the delegation wizard.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects

    With the AD Delegation Wizard you can assign "Modify the membership of a group" for the groups.

    Gary.


  2. answered 2021-11-04T11:57:49.957+00:00
    Bit-101 136 Reputation points

    @GaryReynolds-8098
    Thanks, but this seems to be a solution only for a whole OU?
    In that OU we have every application group.
    I must have a more granular permission for a service desk group to only
    add members to 4 application groups in that OU.
    If I understand it correctly, this granularity is not possible with delegated control?

    :)
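Delegation does not have to be scoped to the OU: the "member" attribute can be granted per group object, which gives exactly the four-group scope asked for above. The following PowerShell is an added example, not code from any poster in this thread; it assumes the ActiveDirectory module is installed, a group named ServiceDesk exists, and the four group names are those listed in the question.

```powershell
# Added example: grant ServiceDesk write access to the "member" attribute of
# four specific group objects only, instead of delegating over the whole OU.
# Assumed names: delegate group "ServiceDesk", target group names from the question.
Import-Module ActiveDirectory

$delegate = Get-ADGroup -Identity 'ServiceDesk'
$sid      = [System.Security.Principal.SecurityIdentifier] $delegate.SID

# schemaIDGUID of the "member" attribute (same value in every AD forest)
$memberGuid = [Guid] 'bf9679c0-0de6-11d0-a285-00aa003049e2'

$targets = 'Application group1', 'Application group2',
           'Application group3', 'Application group4'

foreach ($name in $targets) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $grp) { Write-Warning "Group '$name' not found"; continue }

    $path = "AD:\$($grp.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    # Allow WriteProperty on "member" for this object only (no inheritance),
    # so ServiceDesk can add/remove members but change nothing else.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    Write-Host "Granted ServiceDesk write on 'member' for $($grp.DistinguishedName)"
}

# Verify: show only the ACEs on each target that belong to ServiceDesk
foreach ($name in $targets) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'"
    if (-not $grp) { continue }
    (Get-Acl -Path "AD:\$($grp.DistinguishedName)").Access |
        Where-Object { $_.IdentityReference -like '*\ServiceDesk' } |
        Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, AccessControlType
}
```

Run it as an account that holds Modify Permissions on the four groups (for example a Domain Admin); the verification loop should list one WriteProperty ACE per group whose ObjectType is the "member" GUID.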


  3. answered 2021-11-05T12:29:17.747+00:00
    Bit-101 136 Reputation points

    Thanks, but due to our AD design, this solution is out of the question
    :)


  4. answered 2021-11-05T17:33:18.567+00:00
    MotoX80 23,491 Reputation points

    Do you have any web developers on your team?

    At my former employer, I developed several web sites to allow "plain old users" to perform administrative tasks. These were VB.Net ASPX pages. The site was set to authenticate, but NOT impersonate the client to get the user's ID. It then checked to see if the user was a member of other Active Directory groups (like a ServiceDesk group). Based on their group membership, they were presented with a menu of functions that they were allowed to do.

    The trick is to set the IIS worker process to run as some AD account that has rights to add/remove users from groups. The code in the ASPX page manages which groups can be manipulated. In this manner you could have users listed in ServiceDesk-East manage one set of AD groups, and users listed in ServiceDesk-West to manage another set.

    The ServiceDesk users themselves have no rights within AD; the IIS application pool serves as a proxy, and it has the right to manage any group.

    In another case I had application developers that needed to stop and start Windows services. But I could not give them administrative access to the server. In that instance I used local groups on the app server, and set the IIS worker process to run as SYSTEM.

    You'll have the pain of doing the initial development and testing, but once you have it working, you can clone it and "front end" other administrative functions.
