I've just added a member to my Help desk team and delegated control of
one organizational unit (OU) to him so that he can add and delete user accounts
(and edit the account properties). With this control, he can add users to groups
(he needs this function as part of his job), and this could be a problem when
it comes to high-privilege groups such as domain, schema, and enterprise administrators.
I understand I could use a Group Policy Object (GPO) with Restricted Groups
and put authorized users in those groups, but where should I apply this policy
to the domain controller (DC)? I know I have to be careful to include all current
domain admins, but are there any other hidden security principals that need
to go into the policy? Is there a better way to lock these groups down?
If the permissions you delegated were limited to creating, deleting, and modifying
user objects within that OU, your Help desk employee can't add those users to, or
remove them from, high-privilege groups. Group membership is stored in the member
attribute of the group object, not on the user, so changing it requires write access
to the member property of the group being modified; a delegation scoped to user
objects in one OU grants nothing on Domain Admins, Schema Admins, or Enterprise
Admins. Also note that Restricted Groups is designed to manage the membership of
local groups in the SAM databases of member servers and workstations in the domain;
it isn't intended for managing domain groups in Active Directory (AD). If you want
to confirm that the delegation didn't grant more than intended, review the ACLs on
those groups, and on the AdminSDHolder object, whose ACL the system periodically
re-applies to the protected groups.