0 votes

I'd like to implement an architecture whereby all Domain Users can request membership in any domain security group. I'd also like to allow the OU Owners to have the ability to remove users from the security groups that fall within their respective OUs but nowhere else.

How would I grant permissions (and expose this feature to the end users) for the OU Owners to remove users from their groups without granting them the ability to remove users from all security groups?

by (650 points)
0

Hello,

To be able to request membership in a group, a user must have the permissions to add or remove members of that group. These permissions can’t be granted separately. In your case, you need to create a Business Unit that will contain all security groups except built-in groups (e.g. Administrators) and a Security Role assigned over this Business Unit, that will allow members of the Domain Users group to modify the Member property of Group objects.

Then, you will need to set up an approval step. A Business Rule that triggers Before adding a member to a group and sends the operation for approval to the Owner of the target group's OU should be used for this purpose. Also, this Business Rule should have an If the initiator is not %member% condition that will check whether a user is requesting membership for someone else, and will cancel the operation if they are. Optionally, you can make an exclusion for OU owners and allow them to add other members on their own initiative. The Business Rule should be assigned over the same Business Unit (the one which contains all security groups).

Example Business Rule

To prevent users from removing group members they are not authorized to remove, you need another Business Rule that triggers Before removing a member from a group. This rule will have an If PowerShell script returns true condition that will check whether the initiator of the Remove member operation is the owner of the OU where the group is located, and cancel the operation if they aren’t.

To expose the feature, you need to add the Add to group action to the Web Interface for end users and select Always perform for the current user in the Member Selection section, so that users will be able to request membership only for themselves.

It is highly recommended to use two separate Web Interfaces for end users and for OU owners. This way you will be able to disable all Web Interface elements that allow adding or removing group members and leave only the dedicated Add to group action for simplicity. To be specific, you can hide the Add members operation and customize forms for viewing and editing groups to hide Add and Remove buttons in the Members section.

If the same Web Interface is used, hiding the operation and the buttons for end users will also hide them for OU owners. It is not necessary to hide them though, as the logic of who can add/remove members is controlled by Business Rules.

If you need further guidance on how to implement this architecture, please, describe the desired workflow and permissions in all the possible details.

There is also an alternative approach, which is more complicated and requires an additional Scheduled Task, a Custom Command, a dynamic Business Unit and a PowerShell script. The only benefit of this approach is that it will be easier to hide elements of the Web Interface if you plan on using the same interface for end users and OU owners.

0

Hello,

Thank you for the helpful response. Do you have an example of a PowerShell script condition I could use to check whether the initiating user is a member of the OU owner group?

Thanks!

+1

Hello,

Do we understand you correctly, that you need a script that will check whether the initiator of the Remove member operation is the owner of the OU where the target group is located? If this is the case, you can check out this script from our repository. It should be used in the If PowerShell script returns true condition of the Business Rule triggering Before removing a member from a group.

The script will return True if the initiator is not the OU owner. Please note that the script will also return True and cancel the operation if the OU where the group is located has no owner. It will be impossible to remove members from this group until an owner is assigned to its OU.

The Business Rule itself should look like this: business-rule.png
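The OU-owner check described in this answer, written out as an added PowerShell example (it is not the script from the Adaxes repository). It is intended for the If PowerShell script returns true condition of a Business Rule triggering Before removing a member from a group, and follows the same convention as the answer: the script sets the condition to true when the initiator is not an owner of the group's OU, or when the OU has no owner, so the rule cancels the removal. It assumes the Adaxes script-context members $Context.ConditionIsMet, $Context.TargetObject (the group), $Context.Initiator.UserAdsPath, $Context.BindToObject and $Context.LogMessage, and that an OU owner is either a user or a group named in the OU's managedBy attribute; group ownership is checked through the initiator's tokenGroups, so nested membership counts.

```powershell
# Added example: condition script for "Before removing a member from a group".
# $Context.ConditionIsMet = $true means "initiator is NOT an owner of the group's OU"
# (the Business Rule then cancels the operation); a missing owner also yields $true.
# Assumed Adaxes context members: $Context.ConditionIsMet, $Context.TargetObject (the group),
# $Context.Initiator.UserAdsPath, $Context.BindToObject, $Context.LogMessage. The rest is ADSI.

$Context.ConditionIsMet = $true   # fail closed: cancel the removal unless ownership is proven

try
{
    $group = $Context.TargetObject
    $ou = $Context.BindToObject($group.Parent)   # Parent is the ADsPath of the group's container

    try
    {
        $ownerDN = $ou.Get("managedBy")          # throws when the OU has no owner
    }
    catch
    {
        $Context.LogMessage("Group '$($group.Get('name'))' is in an OU with no owner; removal cancelled.", "Warning")
        return
    }

    $owner = $Context.BindToObject("Adaxes://$ownerDN")
    $initiator = $Context.BindToObject($Context.Initiator.UserAdsPath)

    if ($owner.Class -eq "user")
    {
        # OU owned by a single user: the initiator must be exactly that user.
        $isOwner = [string]::Equals($initiator.Get("distinguishedName"), $ownerDN, "OrdinalIgnoreCase")
    }
    elseif ($owner.Class -eq "group")
    {
        # OU owned by a group: the initiator must be a (possibly nested) member of it.
        # tokenGroups lists the SIDs of every group the initiator belongs to, nesting resolved.
        $ownerSid = New-Object System.Security.Principal.SecurityIdentifier($owner.Get("objectSid"), 0)
        $initiator.GetInfoEx(@("tokenGroups"), 0)
        $isOwner = $false
        foreach ($sidBytes in $initiator.GetEx("tokenGroups"))
        {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            if ($sid.Equals($ownerSid)) { $isOwner = $true; break }
        }
    }
    else
    {
        $isOwner = $false   # a contact or any other object class is not treated as an owner here
    }

    if ($isOwner) { $Context.ConditionIsMet = $false }   # owner confirmed: let the removal proceed
}
catch
{
    # Any unexpected failure leaves ConditionIsMet = $true, so the removal is cancelled.
    $Context.LogMessage("OU owner check failed: $($_.Exception.Message)", "Error")
}
```

The script defaults to cancelling and only flips to allow after the owner relationship is positively established; a bind or attribute error is logged and still results in a cancelled removal, which matches the fail-closed behaviour the answer describes for OUs without an owner.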

0

Thank you! Yes, this is exactly what I was looking for. Appreciate your help!

0

One final question. Is it possible to restrict the groups that these OU owners can see from their dashboard? I'd like to only present them with the security groups which they are the OU owners for. Ideally I'd like to implement something like the following LDAP filter string:

image.png

Is something like this possible using LDAP filters?

0

We noticed that you have asked a question about how to assign an OU owner as the owner of all groups under this OU.

If you are going to implement this, you will be able to use this LDAP filter in your Web Interface action: (managedBy=%adm-InitiatorDN%).

However, it will work only if the initiating user has direct ownership over groups, i.e. this user is explicitly specified in the managedBy attribute of a group.

0

Great thank you for clarifying. Are there any plans to add the ability for the 'managedBy' flag to work with AD Groups and their corresponding group members as well?

0

Hello,

Unfortunately, there are no such plans at the moment. As a workaround, you can create a Scheduled Task which will run this script, and assign the task over OU owners or all users. The script will periodically check which objects are managed by a user, build an LDAP filter for these objects, and save the filter in the specified attribute of a user, for example CustomAttributeText1.

You will then be able to use a value reference to retrieve the LDAP filter for group selection in your Web Interface action: image

The filter will be different for each logged-on user and will include all objects managed by the user (both directly and via group membership). Please note that you need to use %adm-CustomAttributeText1% and not (managedBy=%adm-CustomAttributeText1%), as the attribute will contain the entire filter.
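The Scheduled Task script this answer describes, as an added PowerShell example (not the script from the Adaxes repository). It assumes the task runs against user objects, so $Context.TargetObject is the user, and that $Context.BindToObject, $Context.LogMessage and Adaxes://<SID=...> binding are available; the attribute name adm-CustomAttributeText1 is the one the answer's %adm-CustomAttributeText1% value reference reads. The script collects the user's own DN plus the DN of every group the user belongs to (tokenGroups, so nested membership is included), escapes each DN per RFC 4515 so a DN containing filter metacharacters cannot change the filter's structure, and stores the resulting (|(managedBy=...)...) filter in the attribute.

```powershell
# Added example: Scheduled Task script that builds, per user, an LDAP filter matching every
# object the user manages directly or through group membership, and stores it in
# adm-CustomAttributeText1 for use as %adm-CustomAttributeText1% in a Web Interface action.
# Assumed Adaxes context members: $Context.TargetObject (the user), $Context.BindToObject,
# $Context.LogMessage, and Adaxes://<SID=...> binding. The rest is plain ADSI.

$user = $Context.TargetObject
$attributeName = "adm-CustomAttributeText1"

# Escape an assertion value for an LDAP filter (RFC 4515): '\' '*' '(' ')' and NUL
# are replaced by their \xx hex form, so a crafted DN cannot inject extra filter terms.
function ConvertTo-LdapFilterValue([string]$value)
{
    $value = $value.Replace("\", "\5c")
    $value = $value.Replace("*", "\2a")
    $value = $value.Replace("(", "\28")
    $value = $value.Replace(")", "\29")
    return $value.Replace([string][char]0, "\00")
}

$managerDNs = New-Object System.Collections.Generic.List[string]
$managerDNs.Add($user.Get("distinguishedName"))     # objects the user manages directly

# tokenGroups holds the SIDs of all groups the user is a member of, nesting resolved.
$user.GetInfoEx(@("tokenGroups"), 0)
foreach ($sidBytes in $user.GetEx("tokenGroups"))
{
    $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
    try
    {
        $group = $Context.BindToObject("Adaxes://<SID=$($sid.Value)>")
        $managerDNs.Add($group.Get("distinguishedName"))   # objects managed via this group
    }
    catch
    {
        # Well-known or foreign SIDs that do not resolve to a directory object are skipped.
        $Context.LogMessage("Skipping unresolvable SID $($sid.Value)", "Information")
    }
}

# Build (|(managedBy=<user>)(managedBy=<group1>)...) ; the OR wrapper is kept even for one term.
$terms = $managerDNs | ForEach-Object { "(managedBy=$(ConvertTo-LdapFilterValue $_))" }
$filter = "(|" + ($terms -join "") + ")"

$user.Put($attributeName, $filter)
$user.SetInfo()
$Context.LogMessage("Saved managed-objects filter for $($user.Get('name')): $filter", "Information")
```

Because the filter is rebuilt on every run, membership changes are reflected only after the next scheduled execution; the escaping step matters because the attribute value is substituted verbatim into the Web Interface query, so unescaped DN characters would otherwise be interpreted as filter syntax.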

