Delegation

[Darren Jones]

Is there a way to allow a user to add accounts to a group
but not allow them to remove accounts from the group? The
Write property allows both. I just want one.

 

[Tim Hines [MSFT]]

Have you tried removing "delete all child objects" for the user? That
should block his ability to delete members.


--
Tim Hines, MCSE, MCSA
Windows 2000 Directory Services

=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jimmy Andersson [MVP]]

I don't remember the steps it in W2K, but in W2K3 you select advanced view
in the MMC.
Choose Properties on the OU, go to the Security tab. Select the user (or add
the user) and click Advanced.
Select the user again and click Edit, scroll down in the Permissions list
and select what you want the user to be able to do.

Regards,
/Jimmy

 

[Darren Jones]

Yes, I know. But the applicable option is Write Property.
However, this allows adding AND removing. I want them to
just add. There nothing that says Add Member. It appears
is is all or nothing.

 

[Jimmy Andersson [MVP]]

Hmm.... It's probably a W2K limitation then, cause in W2K3 it says:
Create User Objects and you got another permission named Delete User
Objects.

Sorry I couldn't be of more help.

Regards,
/Jimmy

 

[darren jones]

That doesn't work. They can still remove users from the
groups.

 

[Fritz Ohman]

(since everyone else is top-posting I will too ;o)

Hi Jimmy,

Am I correct in assuming that you are talking about creating users in an OU?
I think that the permission is different on a *group* object, where the
membership list is an attribute, not a child object. Right?

Fritz Ohman