Grant Rights to Modify AD Group Membership
To allow specific users or groups to modify AD group membership, grant them the Write 'Member' Property permission. In Adaxes this is done by creating a Security Role that grants the permission and assigning the Role to the users or groups that should be able to change membership. Because this permission lets an assignee add anyone, including themselves, to the groups it covers, scope the Role to the groups you actually intend to delegate; a Role that covers privileged groups is effectively a grant of those groups' privileges.
Launch Adaxes Administration Console, right-click your Adaxes service, point to New and click Security Role. The Create Security Role wizard will open.
Enter the name for the new Role, and click Next.
On the Permissions page, specify the permissions the new Role will grant. To allow modifying AD group membership, permit writing the Member property of group objects. Click Add to open the Add Permissions dialog.
In the list of object types to which permissions apply, select Group. In the Property-specific permissions section, check Write 'Member' Property in the Allow column. Click OK.
Optionally, add the Read permission. It is needed if the assignees do not already have read access to the groups through another Security Role; without it they may be unable to locate the groups whose membership they are allowed to change.
Click Add again to open the Add Permissions dialog. With Group selected as the object type, check the Read permission in the Allow column of the General permissions section. Click OK.
When done, click Next.
On the Assign Role page, specify the users or groups to which you want to assign the new Role. To quickly find a user or group, type its name in the search field, click Search and select the object you need in the search results.
In Active Directory, each group can have an owner, specified in the Managed By property of the group. To allow owners to add or remove members of their own groups, select the Owner (Managed By) security principal.
If you change the owner of a group, the previous owner loses and the new owner gains the right to modify the membership of that group. This also means that anyone who can write the Managed By property of a group can decide who controls its membership, so treat that property as sensitive when using this assignment.
Select the necessary option and click Assign.
In the Role Activity Scope dialog that opens, select where the specified users or groups will be able to apply the permissions granted by this Security Role. The scope is what limits the delegation, so choose the narrowest item that covers the groups you intend to delegate.
You can select one of the following items:
- All Objects - select if you want to allow the users or groups specified at the previous step to add and remove members of any group in any AD domain managed by the Adaxes service.
- Specific Domain - select a specific AD domain if you want to allow modifying membership of any group in the AD domain you specify. Once selected, you will need to specify the assignment scope in the Assignment Options dialog.
- OU or Container - select a specific organizational unit or container if you want to allow modifying membership of any group located in the selected OU or container. Once selected, you will need to specify the assignment scope in the Assignment Options dialog.
- Group - select a specific group if you want to allow modifying membership of this group or of the groups that are members of this group. Once selected, you will need to specify the assignment scope in the Assignment Options dialog.
- Business Unit - select a Business Unit if you want to allow modifying membership of the groups that are members of a specific Business Unit. To view available Business Units, select the Business Units item in the Look in drop-down.
Select the object you need and click Add. When finished, click OK.
The new assignments are then displayed in the Assignments list. To assign the Role to other users or groups, repeat steps 5 and 6. Click Finish.
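After the Role is assigned, check it from the delegated user's side rather than trusting the configuration: the assignee should be able to change membership of groups inside the activity scope and be refused on groups outside it. The following script is an added example, not part of the Adaxes documentation or the product's own code. It uses the Add-AdmGroupMember and Remove-AdmGroupMember cmdlets from the Adaxes PowerShell module; the -AdaxesService and -Credential parameter names are assumed from the module's AD-cmdlet-style naming. The service host adaxes01, the account CORP\jdoe, the groups "Sales Staff" (expected in scope) and "Domain Admins" (expected out of scope) and the test member svc-test are all hypothetical names.

```powershell
# Added example (not from the Adaxes documentation): verify a Security Role that
# grants Write 'Member' Property by attempting membership changes as the
# delegated account and comparing the outcome with what the Role should allow.
# Hypothetical names: service host adaxes01, account CORP\jdoe, groups
# "Sales Staff" (in scope) and "Domain Admins" (out of scope), member svc-test.
# -AdaxesService / -Credential parameter names are assumed from the module.

Import-Module Adaxes

function Test-GroupMembershipDelegation {
    param(
        [Parameter(Mandatory)] [string] $AdaxesService,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [string] $Member,
        # Group name -> $true if the Role is expected to allow the change
        [Parameter(Mandatory)] [hashtable] $Expectations
    )

    $results = foreach ($group in $Expectations.Keys) {
        $expected = [bool]$Expectations[$group]
        $allowed  = $false
        $reason   = ''
        try {
            # Positive or negative test: the Adaxes service enforces the Role here
            Add-AdmGroupMember -Identity $group -Members $Member `
                -AdaxesService $AdaxesService -Credential $Credential -ErrorAction Stop
            $allowed = $true
            # Undo the change so the test leaves membership as it was
            Remove-AdmGroupMember -Identity $group -Members $Member `
                -AdaxesService $AdaxesService -Credential $Credential `
                -Confirm:$false -ErrorAction Stop
        }
        catch {
            # Access denied (or any other failure) counts as "not allowed"
            $reason = $_.Exception.Message
        }
        [pscustomobject]@{
            Group    = $group
            Expected = $expected
            Allowed  = $allowed
            Status   = if ($allowed -eq $expected) { 'OK' } else { 'MISMATCH' }
            Error    = $reason
        }
    }
    return $results
}

# Run as the delegated account, not as an Adaxes administrator
$cred   = Get-Credential -UserName 'CORP\jdoe' -Message 'Delegated account to test'
$report = Test-GroupMembershipDelegation -AdaxesService 'adaxes01' -Credential $cred `
    -Member 'svc-test' -Expectations @{ 'Sales Staff' = $true; 'Domain Admins' = $false }

$report | Format-Table -AutoSize
if ($report | Where-Object Status -eq 'MISMATCH') {
    Write-Warning 'Role scope does not match expectations; review the Role Activity Scope.'
}
```

Run the script with the assignee's credentials, not an administrator's, otherwise the negative test proves nothing. Use a disposable account as the test member and a lab group as the out-of-scope case where possible; a MISMATCH row in which a privileged group reports Allowed = True means the activity scope is wider than intended and should be corrected before the Role is used in production.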