
Recipe 7.7 Delegating Control for Managing Membership of a Group

7.7.1 Problem

You want to delegate control of managing the membership of a group.

7.7.2 Solution

7.7.2.1 Using a graphical user interface

This is a new feature of the Windows Server 2003 version of ADUC.

  1. Open the Active Directory Users and Computers snap-in.

  2. If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, right-click on the domain and select Find.

  4. Enter the name of the group and click Find Now.

  5. Double-click on the group in the results pane.

  6. Select the Managed By tab.

  7. Click the Change button.

  8. Locate the group or user to delegate control to and click OK.

  9. Check the box beside Manager can update membership list.

  10. Click OK.

7.7.2.2 Using a command-line interface

> dsacls <GroupDN> /G <UserOrGroupName>@<DomainDNSName>:WP;member;

In the following example, the SalesAdmins group is given the right to modify the membership of the PreSales group (the command is a single line):

> dsacls cn=presales,ou=sales,dc=rallencorp,dc=com /G salesadmins@rallencorp.com:WP;member;

7.7.2.3 Using VBScript

' This code grants write access to the member attribute of a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>"  ' e.g. cn=SalesGroup,ou=Sales,dc=rallencorp,dc=com
strUserOrGroup = "<UserOrGroup>"  ' e.g. joe@rallencorp.com or RALLENCORP\joe
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)
'############################
' Constants
'############################
' ADS_ACETYPE_ENUM
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5
' ADS_FLAGTYPE_ENUM
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1
' ADS_RIGHTS_ENUM
Const ADS_RIGHT_DS_WRITE_PROP = &h20

' From schemaIDGUID of member attribute
Const MEMBER_ATTRIBUTE = "{bf9679c0-0de6-11d0-a285-00aa003049e2}"

'############################
' Create ACL
'############################
set objSD = objGroup.Get("ntSecurityDescriptor")
set objDACL = objSD.DiscretionaryAcl

' Set WP for member attribute
set objACE = CreateObject("AccessControlEntry")
objACE.Trustee    = strUserOrGroup
objACE.AccessMask = ADS_RIGHT_DS_WRITE_PROP
objACE.AceFlags   = 0
objACE.Flags      = ADS_FLAG_OBJECT_TYPE_PRESENT
objACE.AceType    = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
objACE.ObjectType = MEMBER_ATTRIBUTE

objDACL.AddAce objACE

'############################
' Set ACL
'############################
objSD.DiscretionaryAcl = objDACL
objGroup.Put "ntSecurityDescriptor", objSD
objGroup.SetInfo
WScript.Echo "Delegated control of member attribute for " & _
              strGroupDN & " to " & strUserOrGroup

7.7.3 Discussion

To grant a user or group the ability to manage group membership, you have to grant the write property (WP) permission on the member attribute of the target group. You can add this ACE directly using dsacls or more indirectly with ADUC. ADUC in Windows Server 2003 has a new feature that allows you to simply check a box to grant the ability to modify group membership to the object represented by the managedBy attribute.

If you want to configure additional permissions, such as the ability to modify the description attribute of the group, you will need to use the Security tab in ADUC, or name the appropriate attribute after WP in the /G switch of dsacls. For example, this grants write property on the description attribute:

/G <UserOrGroupName>@<DomainDNSName>:WP;description;
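The following PowerShell is an added example and not code from the cookbook. It does the same delegation as the dsacls and VBScript solutions through System.DirectoryServices (for member or, as in the discussion, any other attribute such as description), and then answers the question a defender should ask after delegating: which trustees can currently change this group's membership. It assumes a domain-joined host, an account permitted to read and write the group's ntSecurityDescriptor, and placeholder DN and trustee values; the function names are my own.

```powershell
# Added example (not from the Active Directory Cookbook). Requires a
# domain-joined host and rights to read/write the group's ntSecurityDescriptor.
Add-Type -AssemblyName System.DirectoryServices

# Resolve an attribute's schemaIDGUID (and, if it belongs to one, the GUID of
# its property set) from the schema instead of hard-coding GUIDs, so the same
# code delegates 'member', 'description' or any other attribute.
function Get-AttributeGuids {
    param([Parameter(Mandatory)][string] $LdapDisplayName)
    $schemaNc = [string]([ADSI]'LDAP://RootDSE').schemaNamingContext
    $searcher = [System.DirectoryServices.DirectorySearcher]::new([ADSI]"LDAP://$schemaNc")
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    [void]$searcher.PropertiesToLoad.AddRange(@('schemaIDGUID', 'attributeSecurityGUID'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "attribute '$LdapDisplayName' not found in schema" }
    $propertySet = $null
    if ($hit.Properties.Contains('attributesecurityguid')) {
        $propertySet = [Guid]::new([byte[]]$hit.Properties['attributesecurityguid'][0])
    }
    [pscustomobject]@{
        Attribute   = [Guid]::new([byte[]]$hit.Properties['schemaidguid'][0])
        PropertySet = $propertySet   # $null when the attribute is in no property set
    }
}

# Grant WriteProperty on a single attribute: an ACCESS_ALLOWED_OBJECT ACE whose
# ObjectType is the attribute's GUID, the same ACE dsacls writes for WP;<attr>;.
function Grant-AttributeWrite {
    param(
        [Parameter(Mandatory)][string] $GroupDN,   # placeholder, e.g. CN=PreSales,OU=Sales,DC=rallencorp,DC=com
        [Parameter(Mandatory)][string] $Trustee,   # placeholder, e.g. RALLENCORP\SalesAdmins
        [string] $Attribute = 'member'
    )
    $group    = [ADSI]"LDAP://$GroupDN"
    $identity = [System.Security.Principal.NTAccount]::new($Trustee)
    $rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-AttributeGuids $Attribute).Attribute)
    $group.psbase.ObjectSecurity.AddAccessRule($rule)
    $group.psbase.CommitChanges()
}

# List every Allow ACE that lets a trustee change membership: WriteProperty on
# 'member' itself, on the property set that contains 'member', or on all
# attributes (empty ObjectType). GenericAll and GenericWrite include the
# WriteProperty bit, so they are caught by the same test. Inherited ACEs are
# included because they grant exactly as much as the explicit delegation above.
function Get-MembershipWriters {
    param([Parameter(Mandatory)][string] $GroupDN)
    $guids  = Get-AttributeGuids 'member'
    $covers = @([Guid]::Empty, $guids.Attribute)
    if ($guids.PropertySet) { $covers += $guids.PropertySet }
    $wp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $acl = ([ADSI]"LDAP://$GroupDN").psbase.ObjectSecurity
    foreach ($rule in $acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])) {
        if ($rule.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if (($rule.ActiveDirectoryRights -band $wp) -eq 0) { continue }
        if ($covers -notcontains $rule.ObjectType) { continue }
        [pscustomobject]@{
            Trustee   = $rule.IdentityReference.Value
            Rights    = $rule.ActiveDirectoryRights
            Scope     = $(if ($rule.ObjectType -eq [Guid]::Empty) { 'all attributes' }
                          elseif ($rule.ObjectType -eq $guids.Attribute) { 'member' }
                          else { 'property set containing member' })
            Inherited = $rule.IsInherited
        }
    }
}

# Usage (placeholder values):
#   Get-MembershipWriters 'CN=PreSales,OU=Sales,DC=rallencorp,DC=com'
#   Grant-AttributeWrite  'CN=PreSales,OU=Sales,DC=rallencorp,DC=com' 'RALLENCORP\SalesAdmins'
#   Get-MembershipWriters 'CN=PreSales,OU=Sales,DC=rallencorp,DC=com'   # SalesAdmins now listed
```

Running Get-MembershipWriters before and after the grant shows the new ACE next to whatever was already there, which is the useful part: a trustee holding WriteProperty on all attributes or on the property set that includes member, or an inherited GenericAll from an OU, can already change membership without any per-group delegation. The listing deliberately stops at write rights on attributes; holders of WriteDacl or WriteOwner on the group are not shown even though they could grant themselves the same right, so review those separately when auditing a sensitive group.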

7.7.4 See Also

Recipe 14.10 for delegating control in Active Directory
