Delegation on OU - Manage Groups

    Question

  • Hi All, 

    I have an OU which has multiple groups.
    I need to give a user called Kevin access to this OU so that he can add users to these multiple groups which are in the OU.

    I don't want him to delete the groups in the OU.

    I only want him to add & remove users to the groups in the OU.


    Kindly assist as to what permission I should give in Delegation - Custom Role on the OU.

    tfernandes

    Wednesday, February 1, 2017 11:14 AM

All replies

  • Hi,

    You can do this quite simply with the Delegate Control function.
    Open the AD User and Computer tool, then right-click on the OU on which you want to delegate control.

    Then click "Delegate control" and follow the wizard.

    Basically you will choose the user that needs to have some controls, and then the tasks he is able to do.

    For a more specific security filter, enable advanced functionality (in the "showing" section of your AD User and Computer panel). Then right-click on your OU, select Properties and go to the Security tab. Here you can find the user you have delegated control to, and in the details you can edit specific permissions.

    The permissions' names are quite relevant; you should be able to find which one applies to your case.

    Wednesday, February 1, 2017 11:26 AM
  • Hi

    You can configure Delegate Control of an Organizational Unit for this specific user:

    Delegate Control of an Organizational Unit: https://technet.microsoft.com/en-us/library/cc732524%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    Delegating Administration by Using OU Objects: https://technet.microsoft.com/en-us/library/cc725730(v=ws.10).aspx


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Wednesday, February 1, 2017 11:42 AM
  • As you mentioned creating custom roles, in addition to standard methods that were already mentioned, you can go with solutions featuring RBAC (e.g. http://www.adaxes.com/active-directory_role-based-security.htm)

    All you need to do here is to create a role (let's say, group manager) and assign it to a user over a particular OU. 

    You can also apply it to all users by assigning the role over a Business Unit that contains all groups that are in the same OU with the user (it will dynamically adjust depending on who's viewing it), so that everybody will have permissions to manage groups in the same OU with them. All that with a single role in a single place. 

    Thursday, February 2, 2017 10:39 AM
  • Hi, thanks for the feedback.

    I'm only confused about what permission to give when I choose delegation.

    The OU has groups inside it.

    I want the user to manage all those groups so that he can add users & remove them from those groups.

    When I choose Delegate > Custom > what option to select?


    tfernandes

    Thursday, February 2, 2017 1:58 PM
  • You can set "Modify the membership of a group"...

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Thursday, February 2, 2017 8:30 PM
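
Added example, not part of the original thread: a scripted equivalent of the delegation discussed above. It grants read/write on the `member` attribute only, inherited by group objects under the OU, then lists the trustee's explicit ACEs so anything broader (such as delete rights) stands out. The OU path `OU=Groups,DC=example,DC=com` and the account `EXAMPLE\kevin` are placeholder assumptions, and the `Get-SchemaGuid` helper is a name made up for this example.

```powershell
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

# Placeholder values (assumptions): replace with your own OU and account.
$ouDn    = 'OU=Groups,DC=example,DC=com'
$trustee = 'EXAMPLE\kevin'

# Resolve schema GUIDs by LDAP display name instead of hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$obj.schemaIDGUID
}
$memberAttr = Get-SchemaGuid 'member'   # attribute the ACE is limited to
$groupClass = Get-SchemaGuid 'group'    # object class that inherits the ACE

$sid = (New-Object System.Security.Principal.NTAccount($trustee)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow read/write of 'member' only; no create, delete or other property rights.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: show the trustee's explicit ACEs on the OU and flag any that cover
# more than read/write of 'member'. The name match assumes the ACL reports
# the account in the same DOMAIN\name form as $trustee.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType,
        @{ n = 'BroaderThanMember'; e = {
            $_.ObjectType -ne $memberAttr -or
            (([int]$_.ActiveDirectoryRights) -band (-bnot [int]$rights)) -ne 0 } }
```

Any row with `BroaderThanMember` set to `True` is a permission beyond group membership management and should be reviewed before the delegation is considered complete.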