Assign Service group permissions

    Question

  • I need to create a service account and give it read/write to the member attribute for DLs, how does one do this?
    Monday, March 13, 2017 9:14 PM

Answers

  • This is one way a colleague confirmed to me:

    The only difference between a DL group and a security group is a single bit on the groupType attribute. The only way to accomplish this without writing a specific ACL on every single DL type group is to put all of the DL groups into one or more OUs dedicated for DLs and then delegate whatever permissions they want over the groups at those OU levels. If a security group ever goes into that OU or if someone changes one of the groups to a universal group then they will break both of their rules. 

    • Marked as answer by Chicojr Friday, March 24, 2017 4:25 PM
    Friday, March 24, 2017 1:21 PM
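
The caveat in the answer above can be checked mechanically. The following is an added example, not part of the original thread: it flags security-enabled groups (the `groupType` bit the answer refers to, 0x80000000) that sit inside the OU where `member` write access was delegated. The OU DN, the account name and the sample records are constructed placeholders, and the `dsacls` line in the comments is one assumed way to do the OU-level delegation.

```powershell
# Added example. OU DN, account name and sample groups are placeholders / constructed data.
$DlOu            = 'OU=Distribution Lists,DC=example,DC=com'   # hypothetical dedicated DL OU
$SvcAccount      = 'EXAMPLE\svc-dlmgr'                         # hypothetical service account
$SecurityEnabled = 0x80000000   # the single groupType bit that separates a security group from a DL

function Find-SecurityGroupInOu {
    # Returns every group under $OuDn whose groupType has the security-enabled bit set.
    param([object[]]$Groups, [string]$OuDn)
    foreach ($g in $Groups) {
        # DNs compare case-insensitively; a group is "in" the OU if its DN ends with ",<OU DN>".
        $inOu = $g.DistinguishedName.EndsWith(",$OuDn", [StringComparison]::OrdinalIgnoreCase)
        # AD returns groupType as a signed 32-bit integer, so security groups show up as
        # negative numbers (e.g. -2147483646 for a global security group).
        if ($inOu -and ($g.groupType -band $SecurityEnabled)) { $g }
    }
}

# Constructed sample records, shaped like Get-ADGroup -Properties groupType output.
$sample = @(
    [pscustomobject]@{ Name = 'DL-Sales';   groupType = 8;           DistinguishedName = "CN=DL-Sales,$DlOu" }    # universal distribution
    [pscustomobject]@{ Name = 'DL-Eng';     groupType = 2;           DistinguishedName = "CN=DL-Eng,$DlOu" }      # global distribution
    [pscustomobject]@{ Name = 'SQL-Admins'; groupType = -2147483646; DistinguishedName = "CN=SQL-Admins,$DlOu" }  # global security, misplaced
    [pscustomobject]@{ Name = 'HelpDesk';   groupType = -2147483640; DistinguishedName = 'CN=HelpDesk,OU=Groups,DC=example,DC=com' }  # outside the OU
)

# Groups the delegated account could modify even though they are not DLs.
Find-SecurityGroupInOu -Groups $sample -OuDn $DlOu | Select-Object Name, groupType

# Against a live domain (requires the ActiveDirectory module):
#   # Grant read/write on the member attribute only, inherited to group objects below the OU.
#   dsacls $DlOu /I:S /G "${SvcAccount}:RPWP;member;group"
#   $live = Get-ADGroup -SearchBase $DlOu -Filter * -Properties groupType
#   Find-SecurityGroupInOu -Groups $live -OuDn $DlOu
```

Running the audit on a schedule gives an early signal when a security group is moved into the delegated OU or a DL there is converted to a security group.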

All replies

  • Hi

     For this you should configure "delegate permission", but AFAIK you can't configure delegate permission for MSAs. So you should configure these permissions for a standard user account.


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, March 14, 2017 4:51 AM
  • Not sure what your acronyms mean?
    Tuesday, March 14, 2017 1:47 PM
  • I need to create a service account

    MSA: Managed Service Accounts.

    Overview: https://technet.microsoft.com/en-us/library/dd560633(v=ws.10).aspx

    If you mean a standard user, you can also configure delegate permission for the user for your needs.

    Check these for details:

    http://techgenix.com/Implementing-Active-Directory-Delegation-Administration/

    https://social.technet.microsoft.com/Forums/sharepoint/en-US/5cb6def5-4025-488e-80c5-31aa6a465f4e/minimum-permission-require-to-modify-user-attributes-in-active-directory?forum=winserverDS


    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Tuesday, March 14, 2017 5:12 PM
  • Do you mean distribution lists by DL?
    Wednesday, March 15, 2017 3:22 AM
  • If so, all you need to do is delegate the permissions for groups read/write for the service account. Remember you have to do this OU by OU for the OUs where the groups are present.
    Wednesday, March 15, 2017 3:24 AM
  • Yes, by Distribution Lists.
    Wednesday, March 15, 2017 3:01 PM
  • I am thinking:

    Should it be: go to ADUC, click on delegate permissions, select Group objects, then select property specific and then select "write DLmemberRule".

    I'll test in my lab and let you know if it works.

    Friday, March 24, 2017 4:24 AM