The easiest way to delegate membership management of (security/distribution) groups in Active Directory is to use the Managed By tab. The Managed By tab has two purposes:
- The first one is to provide contact information related to the manager and the business owner of a group.
- The second purpose is to manage the delegation of the group’s membership. Note the check box that is labeled ‘Manager can update membership list’.
After the groups have been created, you, as the domain administrator, are tasked with delegating the management of the groups' membership to the teams or individuals (managers/supervisors) who have the business responsibility for the network resources protected by these groups.
For example, in the case presented here, under the organizational unit named Alex First Location, three sets of security groups have been created for the warehouse, accounting and sales departments. You have created shared folders for these departments and assigned different permissions to each department's security groups. In addition, you have created one security group, named AFL GroupManager, added all the managers to it, and set it in the Managed By tab as the manager of all the security groups.
From now on, if someone needs access to these departments' shared folders, he or she does not need to contact the corporate help desk to enter a request. Users needing access can request it directly from the managers, who can change the groups' membership. Delegating group management this way improves the responsiveness and accountability of the process by letting the managers change the membership of the security groups that control access to the business resources.
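As an added example (not code from the original post), the same Managed By settings scripted with the RSAT ActiveDirectory module, plus a check that the delegation actually landed. The OU distinguished name and the `corp.example` domain are assumed placeholders; the group names follow the post.

```powershell
Import-Module ActiveDirectory

# Assumed DN for the post's OU; 'corp.example' is a placeholder domain
$ou         = 'OU=Alex First Location,DC=corp,DC=example'
$manager    = Get-ADGroup -Identity 'AFL GroupManager'
# schemaIDGUID of the 'member' attribute: WriteProperty on this single attribute
# is exactly what the 'Manager can update membership list' check box grants
$memberGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Set-GroupDelegation {
    param([Microsoft.ActiveDirectory.Management.ADGroup]$Group)
    # 1. Managed By tab: contact information (the managedBy attribute)
    Set-ADGroup -Identity $Group -ManagedBy $manager.DistinguishedName
    # 2. The check box: an allow ACE for WriteProperty on 'member' only
    $path = 'AD:\' + $Group.DistinguishedName
    $acl  = Get-Acl -Path $path
    $ace  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $manager.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $memberGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path $path -AclObject $acl
}

# Verification: the manager holds WriteProperty scoped to 'member' on this group
function Test-GroupDelegation {
    param([Microsoft.ActiveDirectory.Management.ADGroup]$Group)
    $acl = Get-Acl -Path ('AD:\' + $Group.DistinguishedName)
    [bool]($acl.Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $manager.SID -and
        $_.ObjectType -eq $memberGuid -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty)
    })
}

# Delegate every group under the OU to AFL GroupManager and confirm each one
Get-ADGroup -Filter * -SearchBase $ou | ForEach-Object {
    Set-GroupDelegation -Group $_
    if (-not (Test-GroupDelegation -Group $_)) { Write-Warning "Delegation missing on $($_.Name)" }
}
```

The ACE is scoped to the member attribute alone, so the managers can change membership without gaining any other rights over the group objects.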
The last step is to give the managers a proper tool to manage group membership. They do not need Active Directory Users and Computers to modify the membership of the groups. One simple solution is to use the Search Active Directory capability of Windows clients: a new shortcut on their desktops that has the following path:
Clicking this shortcut brings up the familiar Active Directory search interface. The more elegant solution is to use a PowerShell script to create an interface, or tool, for managing groups in Active Directory. In part one of this blog I used a PowerShell script to create nine security groups in three OUs and populate them with members. The result is shown in picture 01.
Group Manager Application
The application provides an interface for administering Active Directory objects such as security groups, and it empowers group managers to manage and update their groups' membership lists. The software is based on Quest One ActiveRoles Management Shell for Active Directory, which is built on top of Microsoft Windows PowerShell.
Quest One ActiveRoles Management Shell for Active Directory can be downloaded at: http://www.quest.com/powershell/activeroles-server.aspx
To prepare for installation of this application, please do the following:
1. Set the Microsoft PowerShell execution policy to 'RemoteSigned' on the computer where this application will be used.
2. Install the Quest One ActiveRoles Management Shell for Active Directory executable.
3. Create a file named CG.Option.XML and keep it in the same folder as the application. This file contains information about the Active Directory organizational unit that houses all the security groups, as well as the security group that manages these groups. Picture 02 shows the content of the .XML file used in my example.
Note: the Group Manager application reads the .XML file at start-up to determine the Common Name (CN) of the organizational unit housing all the security groups and the CN of the object (group/user) that will be used as the manager.
Since this software is built on 'Quest One ActiveRoles Management Shell', that shell must be running before the application starts. After double-clicking the application file, you will be prompted with the message 'Active Directory Snapin not currently loaded – Adding Snapin'. Click the OK button to proceed, as shown in picture 03.
Once the application is loaded, it will show all the security groups that are managed by the user/group defined in the .XML file.
To add an additional member to the selected group, just type a user's name and click the Search button. From the list retrieved by the search, click the user's name you want to add and click the Add button. This adds the user to the selected security group, as shown in picture 05.
In addition to users, you can add a security group as well. Just type a name (or part of the group's name), click the Search button and highlight the group you want to add. Clicking the Add Group button adds this group as a member of the selected managed group (note that you can instead add all or some of that group's members by selecting their names and clicking the Add button).
With just one click on the Create Report button, you can produce a report that lists all your managed groups, their membership, and the network resource each one protects.
Once the report has been produced, it is stored in the same folder as the application itself. The new report file overwrites any older report file in this folder.
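The core operations the application performs, written here with the Quest ActiveRoles cmdlets the post relies on; this is an added example, not the Group Manager application's own script. The element names inside CG.Option.XML (`<Options><OU/><Manager/>`) and the use of each group's Description field to hold the protected resource are assumptions, since the post only shows the file in a picture.

```powershell
# Load the Quest snapin if it is not already present (the 'Adding Snapin' prompt, in script form)
if (-not (Get-PSSnapin -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Read CG.Option.XML from the application's own folder; element names are assumed
[xml]$opt  = Get-Content -Path (Join-Path $PSScriptRoot 'CG.Option.XML')
$ouCN      = $opt.Options.OU        # CN of the OU holding the managed groups
$managerCN = $opt.Options.Manager   # CN of the managing group or user

# Escape a value for use inside an LDAP filter (RFC 4515); backslash must be first
function ConvertTo-LdapFilterValue([string]$s) {
    $s -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

$ou      = Get-QADObject -LdapFilter "(&(objectClass=organizationalUnit)(cn=$(ConvertTo-LdapFilterValue $ouCN)))"
$manager = Get-QADObject -LdapFilter "(cn=$(ConvertTo-LdapFilterValue $managerCN))"

# Start-up view: groups under the OU whose Managed By is the configured manager
function Get-ManagedGroups {
    Get-QADGroup -SearchRoot $ou.DN -LdapFilter "(managedBy=$(ConvertTo-LdapFilterValue $manager.DN))"
}

# The Search button: users (or groups) whose name starts with the typed text
function Find-Candidate([string]$text, [switch]$Groups) {
    if ($Groups) { Get-QADGroup -Name "$text*" } else { Get-QADUser -Name "$text*" }
}

# The Add / Add Group buttons: the chosen object becomes a member of the selected group
function Add-ManagedGroupMember($group, $member) {
    Add-QADGroupMember -Identity $group.DN -Member $member.DN
}

# The Create Report button: one CSV next to the application, overwritten on each run
function New-MembershipReport {
    $file = Join-Path $PSScriptRoot 'GroupReport.csv'
    Get-ManagedGroups | ForEach-Object {
        $g = $_
        Get-QADGroupMember -Identity $g.DN | ForEach-Object {
            New-Object PSObject -Property @{
                Group = $g.Name; Member = $_.Name; Resource = $g.Description   # assumed use of Description
            }
        }
    } | Export-Csv -Path $file -NoTypeInformation
    $file
}
```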
And finally, there is the PowerShell script used to create the Group Manager application. In the download section you can find this script as well as executables for both 32-bit and 64-bit operating systems, created with SAPIEN PowerShell Studio ISE.
Please note: Although the author has made every reasonable attempt to achieve complete accuracy of the content, he assumes no responsibility for errors or omissions. Also, you should use this information as you see fit, and at your own risk.