Hello, I'm noticing the following (probably expected behavior) when delegating permissions
Broad Setup givens...
- All users are members of "role" global groups
- All permissions to resources/access are given to "Access" Domain local groups
- All of the Role Groups are in their own OU
- All of the Access Groups are in their own OU
- The Role Groups OU and the Access Groups OU are both members of the "Domain Users" parent OU
Direct groups I'm seeing the behavior in...
- "Domain\Role - IT Operations"
- "Domain\Access - Account Operators"
- "Domain\Role - IT Operations" is a global group which is a member of "Domain\Access - Account Operators"
Delegations already existing
- "Domain\Access - Account Operators" has been delegated (at the parent OU, "Domain Users") Create/Delete user accounts, Reset user passwords, Read all user information
- "Domain\Access - Account Operators" has been delegated (at the Role Groups OU) Modify the membership of a group
Results...
- Since the Role group is a member of the Access group to which I'm delegating permissions, I can see that every other Role group gets the Access group's permission to modify the members of the group.
- However, "Domain\Role - IT Operations" (being a member of the Access group to which I'm delegating the permission) does not get permission to modify the members of a group.
It's a minor inconvenience, but I would like the members of that group to be able to add/remove users from itself. I've replicated the same results in another domain, so it does seem to be "working as I designed it", but I don't know why.
Any thoughts?
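One way to narrow this down, as an added diagnostic example rather than anything from the post above: compare the DACL of every group in the Role Groups OU and report, per group, whether an ACE for "Access - Account Operators" grants write on the `member` attribute, whether that ACE is inherited, whether inheritance is disabled on the object, and whether `adminCount` is set. A group whose DACL has inheritance disabled and `adminCount=1` is one that SDProp has stamped from AdminSDHolder because it is (directly or through nesting) a member of a protected group; whether that applies here is exactly what the output would show. The script assumes the RSAT ActiveDirectory module and its `AD:` drive, and the OU distinguished name is a placeholder to be replaced with the real one.

```powershell
# Added diagnostic example (not from the original post). Assumes the RSAT
# ActiveDirectory module and the AD: PSDrive it provides. The OU DN below is
# an assumed placeholder for the poster's "Role Groups" OU.
Import-Module ActiveDirectory

$roleOu      = 'OU=Role Groups,OU=Domain Users,DC=example,DC=com'  # assumed DN, adjust
$accessGroup = 'Access - Account Operators'                         # group named in the post

# Resolve the delegated group's SID once so the ACE match does not depend on
# how Get-Acl renders the identity (DOMAIN\name vs. SID).
$accessSid = (Get-ADGroup -Identity $accessGroup).SID

# Schema GUID of the 'member' attribute; a WriteProperty ACE scoped to this
# GUID is what "Modify the membership of a group" delegates. An ACE whose
# ObjectType is the empty GUID (e.g. GenericAll / GenericWrite) also covers it.
$memberGuid = [guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$writeProp  = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

Get-ADGroup -Filter * -SearchBase $roleOu -Properties adminCount |
    ForEach-Object {
        $group = $_
        $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

        # Allow ACEs for the Access group that can write 'member'.
        $aces = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $accessSid -and
            (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
            ($_.ObjectType -eq $memberGuid -or $_.ObjectType -eq [guid]::Empty)
        })

        [pscustomobject]@{
            Group               = $group.Name
            AdminCount          = $group.adminCount
            InheritanceDisabled = $acl.AreAccessRulesProtected
            HasModifyMemberACE  = ($aces.Count -gt 0)
            AceInherited        = (($aces | ForEach-Object { $_.IsInherited }) -join ',')
        }
    } | Format-Table -AutoSize
```

Run it as an account that can read the security descriptors of the groups. The group that works should show `HasModifyMemberACE` true with `AceInherited` true (the ACE inherited from the OU); the row for "Role - IT Operations" is the one to compare against it, in particular its `InheritanceDisabled` and `AdminCount` columns.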