Hi,
I did some reorganizing our our domain to put all the non-admin, non-help deskusers into their own OU so that I can delegate specific jobs to the Help Desk Groupfor that OU and that OU only. I then delegated to the Help Desk group the ability to a) add a user to that OU and b) reset passwords for users in that OU.
I have had some trouble with delegating to the Help Desk the ability to add/remove users from groups. Instead of futzing with this, I thought I should ask for more specifics here. I have two scenarios:
Scenario A: help desk goes to the user object with this OU, opens the properties for the user and changes group membership there. This does not work. I understand I need to delegate the ability to manage group membership to that OU (one thing to note: I do not want the help desk to be able to add a user to the Domain Admins group).
Scenario B: I have reorganized all the non-admin, non-"system"groups into an OU of their own. That is, for the groups that the users "see" (e.g. "Assistants Group", "HR Committee", "Christmas Party Committee" etc), these have been placed in their own OU. This is because again I only want the Help Desk group to be able to manage these groups. I do not want them to be able to manager our "system" groups like Domain Admins etc. This seems to work intermittently (is some caching going on?). Again would like to know how I should be doing this in case I am slightly wrong.
Thanks for any help!