Delegation


Darren Jones

Here's my scenario:

I have a remote office that I created an OU for. The OU
contains users and groups for that remote office. I
delegated to the remote support staff in that office the
ability to fully administer the users and groups in that
OU only. Now I have another OU that exists outside of that
remote office OU. This OU has groups that the remote
support staff need the ability to add their users to.

Here's the problem:

If I delegate the remote support staff the ability to
administer groups in this new OU, they can add not only
their own users to the groups but also users they do not
have authority to administer. This is an unwanted side
effect. Is there a way around this limitation?
 

David Hou [MSFT]

First, you need to find an attribute of class User or Person (preferred) to use
as a "flag" attribute, but make sure the attribute is not used in any other way.

Second, give only the remote support staff permission to write to the
attribute on users in the OU that they manage.

Third, create a script that scans that attribute for every user in that OU.
For users with the attribute set, the script will add them to the group in
the destination OU and then clear the attribute.
Note: this script will require credentials that allow it to read/write those
special user attributes in the OU the remote support staff manages and to
write the Member attribute of the group in the destination OU.

Fourth, run the script periodically.

A few more notes:

1. If you choose to create an attribute for the task, make sure that you
fully evaluate the impact of the schema change.
2. You may use the attribute to store the actual group name instead of using
it as a flag, as long as the syntax allows.
3. Secure the script properly.

David
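The following is an added example of the reconciliation script David describes in steps three and four, written for this page rather than taken from the thread. It assumes the ActiveDirectory PowerShell module (RSAT) is installed, that extensionAttribute1 (present in an Exchange-extended schema) is the otherwise-unused flag attribute, and that the OU and group distinguished names are placeholders. It implements the variant from note 2, where the attribute carries the requested group name, and adds one check the thread does not spell out: an allow-list of target groups, so the remote staff cannot use the flag to have the script add their users to a group that was never meant to be delegated.

```powershell
# Added example, not code from the original thread.
# Assumed: ActiveDirectory module, extensionAttribute1 as the flag attribute,
# placeholder OU and group DNs. Run under a service account that can read/write
# the flag attribute in the delegated OU and write the member attribute of the
# allowed groups, as David notes.
#
# Step two (delegation of the flag attribute only) can be done with dsacls, e.g.:
#   dsacls "OU=RemoteOffice,DC=corp,DC=example" /I:S `
#       /G "CORP\RemoteSupport:WP;extensionAttribute1;user"
# (WP = write property, inherited onto user objects in the OU.)
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$SourceOU      = 'OU=RemoteOffice,DC=corp,DC=example',
    [string]$FlagAttribute = 'extensionAttribute1',
    # Only these groups may be joined via the flag. Any other value is logged
    # and ignored, so a remote admin cannot "request" Domain Admins membership.
    [string[]]$AllowedGroups = @(
        'CN=VPN-Users,OU=Shared,DC=corp,DC=example',
        'CN=Printer-Users,OU=Shared,DC=corp,DC=example'
    )
)

Import-Module ActiveDirectory

# Server-side LDAP filter: only users in the delegated OU whose flag is set.
$flagged = Get-ADUser -SearchBase $SourceOU -SearchScope Subtree `
    -LDAPFilter "($FlagAttribute=*)" -Properties $FlagAttribute, memberOf

foreach ($user in $flagged) {
    $requested = [string]$user.$FlagAttribute

    # Resolve the requested value (DN or sAMAccountName) to a group object,
    # then accept it only if its DN is on the allow-list.
    $group = $null
    try {
        $candidate = Get-ADGroup -Identity $requested -ErrorAction Stop
        if ($AllowedGroups -contains $candidate.DistinguishedName) {
            $group = $candidate
        }
    } catch {
        # Unresolvable name: treated the same as a disallowed group below.
    }

    if (-not $group) {
        Write-Warning "Refusing '$requested' for $($user.SamAccountName): not an allowed group"
    } elseif ($user.memberOf -contains $group.DistinguishedName) {
        Write-Verbose "$($user.SamAccountName) is already in $($group.Name)"
    } elseif ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Add to $($group.Name)")) {
        Add-ADGroupMember -Identity $group -Members $user
        Write-Verbose "Added $($user.SamAccountName) to $($group.Name)"
    }

    # Clear the flag whether or not the request was honoured, so a rejected
    # value is reported once rather than retried on every run.
    Set-ADUser -Identity $user -Clear $FlagAttribute
}
```

Run it with -WhatIf first to see which users would be added where; Add-ADGroupMember and Set-ADUser both honour ShouldProcess, so nothing is changed in that mode. Schedule it with a task running as the service account, and keep the allow-list under change control, since it, not the OU delegation, now decides which groups the remote staff can populate.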
 
