Bit-101 asked MotoX80 answered

Grant AD group - ServiceDesk to add members in these Application groups

I wish to grant the AD group ServiceDesk the right to add members to these application groups:

- Application group1
- Application group2
- Application group3
- Application group4

Anyone?

Really appreciate your answer

:)

windows-server windows-active-directory

GaryReynolds answered

Hi @Bit-101,

Have a read of the following article and sub-articles, which explain how to assign delegation rights to objects located in an OU using the delegation wizard.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/delegating-administration-by-using-ou-objects

With the AD Delegation Wizard you can assign the "Modify the membership of a group" permission to the groups.

Gary.

Bit-101 answered GaryReynolds commented

@GaryReynolds
Thanks, but this seems to be a solution only for a whole OU?
In that OU we have every application group.
I must have a more granular permission for a service desk group to only
add members to 4 application groups in that OU.
If I understand it correctly, this granularity is not possible with delegated control?

:)

Hi,

There are a couple of options:

  1. Create a sub-OU, move the groups to the new OU and run the delegation wizard on the new sub-OU to grant the rights.

  2. Grant write permissions to the member attribute of each group using the advanced security dialog in ADUC.

Gary.

Bit-101 answered GaryReynolds commented

Thanks, but due to our AD design, this solution is out of the question.
:)


Option 2 should still be a viable option, as you are applying the permissions directly to the groups and not changing the OU structure.

Gary.

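The scripted equivalent of option 2, as an added example that is not part of the thread: it grants the ServiceDesk group WriteProperty on the `member` attribute of the four application groups only, then reads each ACL back to confirm exactly one matching ACE landed. It assumes the ActiveDirectory module (RSAT) is installed and the session has rights to modify those groups' security descriptors; the group names come from the question, and the `member` attribute's schemaIDGUID is the well-known value from the AD schema.

```powershell
# Added example, not from the thread. Scope: WriteProperty on 'member' for
# specific groups, nothing else on the objects and nothing on the OU.
Import-Module ActiveDirectory

$delegateName = 'ServiceDesk'                                  # group being delegated (from the question)
$targetNames  = 'Application group1', 'Application group2',
                'Application group3', 'Application group4'     # groups it may manage (from the question)

# schemaIDGUID of the 'member' attribute. Tying the ACE to this GUID is what makes
# the grant attribute-scoped rather than "write all properties" on the group.
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

$delegateSid = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $delegateName).SID

function Grant-MemberWrite {
    # Adds an Allow/WriteProperty ACE on 'member' for the delegate to one group.
    param([string]$GroupName)
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'"
    if (-not $group) { throw "Group '$GroupName' not found" }

    $path = "AD:\$($group.DistinguishedName)"
    $acl  = Get-Acl -Path $path

    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $delegateSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberAttrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)  # no inheritance: this object only

    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
    return $group.DistinguishedName
}

function Test-MemberWrite {
    # Reads the ACL back and returns $true only if exactly one Allow ACE for the
    # delegate grants WriteProperty on 'member'. Anything else is worth a look.
    param([string]$DistinguishedName)
    $acl  = Get-Acl -Path "AD:\$DistinguishedName"
    $hits = $acl.Access | Where-Object {
        $_.ObjectType -eq $memberAttrGuid -and
        $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
        $_.ActiveDirectoryRights.HasFlag([System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $delegateSid
    }
    return (@($hits).Count -eq 1)
}

foreach ($name in $targetNames) {
    $dn = Grant-MemberWrite -GroupName $name
    if (Test-MemberWrite -DistinguishedName $dn) { "OK   $dn" } else { "CHECK $dn" }
}
```

Because the ACE is per object and non-inherited, groups added to the OU later are not covered until someone runs the same grant for them, which is the point of this option over delegating on the OU. Membership changes made under the delegation are logged on the domain controller as the usual group-change events (4728 for global, 4732 for domain local and 4756 for universal security groups), with the ServiceDesk member who made the change as the subject, so the delegation stays auditable per person.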
MotoX80 answered

Do you have any web developers on your team?

At my former employer, I developed several web sites to allow "plain old users" to perform administrative tasks. These were VB.Net ASPX pages. The site was set to authenticate, but NOT impersonate, the client in order to get the user's ID. It then checked to see if the user was a member of other Active Directory groups (like a ServiceDesk group). Based on their group membership, they were presented with a menu of functions that they were allowed to do.

The trick is to set the IIS worker process to run as some AD account that has rights to add/remove users from groups. The code in the ASPX page manages which groups can be manipulated. In this manner you could have users listed in ServiceDesk-East manage one set of AD groups, and users listed in ServiceDesk-West manage another set.

The ServiceDesk users themselves have no rights within AD; the IIS application pool serves as a proxy, and it has the right to manage any group.

In another case I had application developers that needed to stop and start Windows services. But I could not give them administrative access to the server. In that instance I used local groups on the app server, and set the IIS worker process to run as SYSTEM.

You'll have the pain of doing the initial development and testing, but once you have it working, you can clone it and "front end" other administrative functions.
