7.7. Delegating Control for Managing Membership of a Group
Problem
You want to delegate control of managing the membership of a group.
Solution
Using a graphical user interface
Tip
This is a new feature of the Windows Server 2003 version of ADUC.
Open the Active Directory Users and Computers snap-in.
If you need to change domains, right-click on Active Directory Users and Computers in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, right-click on the domain and select Find.
Enter the name of the group and click Find Now.
Double-click on the group in the results pane.
Select the Managed By tab.
Click the Change button.
Locate the group or user to delegate control to and click OK.
Check the box beside Manager can update membership list.
Click OK.
Using a command-line interface
> dsacls <GroupDN> /G <GroupName>@DomainName:WP;member;
In the following example, the SalesAdmin group will be given rights to modify membership of the PreSales group.
> dsacls cn=presales,ou=sales,dc=rallencorp,dc=com /G salesadmins@rallencorp.com:[RETURN]
WP;member;
Using VBScript
' This code grants write access to the member attribute of a group.
' ------ SCRIPT CONFIGURATION ------
strGroupDN = "<GroupDN>" ' e.g. cn=SalesGroup,ou=Sales,dc=rallencorp,dc=com
strUserOrGroup = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe
' ------ END CONFIGURATION ---------

set objGroup = GetObject("LDAP://" & strGroupDN)

'############################
' Constants
'############################
...
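To review the result of a delegation like the WP;member; grant above, the following added example (not from the book) lists which trustees in a group's DACL are allowed to write the member attribute. It assumes the group's security descriptor has been exported as an SDDL string; the sample SDDL and its SIDs are constructed for illustration, and ACEs scoped to a property-set GUID are not resolved.

```python
import re

# schemaIDGUID of the "member" attribute (the target of dsacls "WP;member;").
MEMBER_GUID = "bf9679c0-0de6-11d0-a285-00aa003049e2"
WRITE_PROP, GENERIC_WRITE, GENERIC_ALL = 0x20, 0x40000000, 0x10000000

SAMPLE_SDDL = (  # constructed sample, not taken from a real domain
    "O:DAG:DAD:AI"
    "(OA;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1105)"
    "(OA;;RP;bf9679c0-0de6-11d0-a285-00aa003049e2;;AU)"
    "(OD;;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1200)"
    "(A;CIID;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "S:AI(OU;CISA;WP;bf9679c0-0de6-11d0-a285-00aa003049e2;;WD)"
)

def grants_write(rights):
    """True if an SDDL rights field includes write-property or a generic write."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & (WRITE_PROP | GENERIC_WRITE | GENERIC_ALL))
    return bool({"WP", "GW", "GA"} & set(re.findall("..", rights)))

def member_writers(sddl):
    """List (trustee, scope, inherited) for allow ACEs that permit writing 'member'."""
    # Only the DACL ("D:") is examined; audit ACEs in the SACL ("S:") are ignored.
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    found = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        ace_type, flags, rights, obj_guid, _inh_guid, trustee = ace.split(";")[:6]
        flag_set = re.findall("..", flags)
        if ace_type not in ("A", "OA") or not grants_write(rights):
            continue  # deny ACEs and read-only grants are not write delegations
        if "IO" in flag_set:
            continue  # inherit-only: applies to child objects, not this group
        if obj_guid == "":
            scope = "all properties"  # unscoped write covers member as well
        elif obj_guid.lower() == MEMBER_GUID:
            scope = "member"
        else:
            continue  # different attribute; property-set GUIDs not resolved here
        found.append((trustee, scope, "ID" in flag_set))
    return found

if __name__ == "__main__":
    for trustee, scope, inherited in member_writers(SAMPLE_SDDL):
        origin = "inherited" if inherited else "explicit"
        print(f"{trustee}: write {scope} ({origin})")
```

An explicit, member-scoped entry for an unexpected trustee is the pattern this recipe produces, so it is the one to compare against the intended Managed By assignment.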