How to Delegate Group Membership Management in Active Directory for Non-Admin Users on Windows Server 2012


11 views

In Active Directory environments, we often need to allow project managers to manage membership of specific security groups without granting them full administrative privileges. This becomes crucial when:

  • Project managers need to add/remove team members from project-specific groups
  • You want to maintain security by limiting access to only relevant groups
  • The organization follows the principle of least privilege

The "Managed By" tab in AD groups provides partial functionality for this scenario. Here's how to set it up:

# PowerShell to set the Managed By property
Set-ADGroup -Identity "ProjectX_Managers" -ManagedBy "CN=ProjectX_Admins,OU=Groups,DC=domain,DC=com"

However, this approach has limitations:

  • Managers can't easily view the complete user list
  • No intuitive GUI for non-technical users
  • Limited filtering capabilities

For better usability, we can build a simple web interface using ASP.NET:

protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        // Get current user's groups
        var userGroups = UserPrincipal.Current.GetAuthorizationGroups();
        
        // Filter to only groups they can manage
        var manageableGroups = userGroups
            .Where(g => g is GroupPrincipal && 
                   ((GroupPrincipal)g).ManagedBy == UserPrincipal.Current.DistinguishedName)
            .ToList();
        
        groupList.DataSource = manageableGroups;
        groupList.DataBind();
    }
}

protected void groupList_SelectedIndexChanged(object sender, EventArgs e)
{
    var selectedGroup = groupList.SelectedValue;
    var members = GetGroupMembers(selectedGroup);
    
    currentMembers.DataSource = members;
    currentMembers.DataBind();
    availableUsers.DataSource = GetDomainUsers();
    availableUsers.DataBind();
}

For more granular control, we can modify Active Directory ACLs directly:

# PowerShell to delegate membership management
$groupDN = "CN=ProjectX_Users,OU=Groups,DC=domain,DC=com"
$managerDN = "CN=ProjectX_Manager,OU=Users,DC=domain,DC=com"

$acl = Get-Acl "AD:\$groupDN"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule (
    $managerDN,
    "WriteProperty",
    "Allow",
    [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2", # member attribute
    "None"
)
$acl.AddAccessRule($rule)
Set-Acl -AclObject $acl -Path "AD:\$groupDN"
  • Always test in a non-production environment first
  • Document all permission changes for audit purposes
  • Consider creating a separate OU for delegatable groups
  • Implement regular reviews of delegated permissions

If managers can't see users or make changes:

  1. Verify the manager has "Read" permissions on user objects
  2. Check if any conflicting permissions exist
  3. Ensure the manager account isn't locked or disabled

In enterprise environments, there's often a need to allow project managers to control access to their project resources without granting full Active Directory administrative privileges. The common scenario involves:

  • Two security groups per project (Managers and Workers)
  • Managers needing to control membership of both groups
  • Restricting access to only their project groups

The "Managed By" tab method you've tried is partially correct but needs refinement. Here's how to properly implement it:

# PowerShell script to delegate control
Import-Module ActiveDirectory

# Define groups
$ManagerGroup = "ProjectX_Managers"
$WorkerGroup = "ProjectX_Workers"

# Grant membership management rights
$WorkerGroupDN = (Get-ADGroup $WorkerGroup).DistinguishedName
$ManagerGroupDN = (Get-ADGroup $ManagerGroup).DistinguishedName

$params = @{
    Identity = $WorkerGroupDN
    Trustee = $ManagerGroupDN
    AccessRights = "WriteProperty"
    PropertyType = "Member"
    Confirm = $false
}

Add-ADPermission @params

For non-technical users, we can create a simple web interface using ASP.NET:

// C# code for basic group management page
protected void Page_Load(object sender, EventArgs e)
{
    if (!IsPostBack)
    {
        var currentUser = User.Identity.Name;
        if (IsProjectManager(currentUser))
        {
            var projectGroups = GetManagedGroups(currentUser);
            groupList.DataSource = projectGroups;
            groupList.DataBind();
        }
    }
}

protected void UpdateMembership(object sender, EventArgs e)
{
    using (var context = new PrincipalContext(ContextType.Domain))
    {
        var group = GroupPrincipal.FindByIdentity(context, groupList.SelectedValue);
        var user = UserPrincipal.FindByIdentity(context, userName.Text);
        
        if (addMember.Checked)
            group.Members.Add(user);
        else
            group.Members.Remove(user);
        
        group.Save();
    }
}

When implementing this solution:

  • Audit all membership changes
  • Implement approval workflows for sensitive groups
  • Consider creating a separate OU for project groups
  • Use constrained delegation if cross-domain management is needed

For simpler deployments, you can use Active Directory Administrative Center:

  1. Open ADAC and navigate to the group
  2. Right-click and select "Properties"
  3. Go to "Managed By" tab
  4. Check "Manager can update membership list"
  5. Add the manager's group to the Security tab with "Write members" permission