Group / Distribution List Management --> Managed By Tab, Advanced Permissions, DACLS

2010-04-15 Updated
2008-04-15 Initial Post

Tested on Windows Server 2003 SP2 AD / Exchange Server 2003 SP2

When a user or group is made the manager of a group via the Managed By tab of the group’s properties AND the checkbox for “Manager can update membership list” is selected, the user/group is given permission to add and remove members. If that checkbox is not selected, nothing else really happens other than the user/group’s name showing up as the group manager. If the user/group that is the manager is also mail enabled, viewing the managed group’s properties from Outlook would show the manager’s name as Owner.

The permission that is granted when “Manager can update membership list” is enabled can be viewed by going to the managed group's Security tab. By selecting the user/group name there, you’ll see that it was given Special Permissions. If you then click on the Advanced button --> select the user/group from the Permission entries --> Edit --> Properties tab (Apply onto: This object only should already be selected by default), you’ll see that the user/group was allowed the Write Members permission on the object's properties. This needs some clarification, so I'll repeat: the Write Members permission on the group object's property. Members is a property of a group object, so if you can “write” that property, you can modify it.

If you remove the user/group, either through the Security tab or Security --> Advanced button, the check box for “Manager can update membership list” will get deselected as a result. If you uncheck Allow on Write Members, that too will deselect the check box.
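Since the checkbox is nothing more than an ACE for the member attribute, the reliable way to see who can really change a group's membership is to read the group's DACL rather than the Managed By tab. The following PowerShell is an added example, not code from the original post: it lists every Allow ACE on a group that covers the member attribute (either an ACE scoped to that single attribute, the one the checkbox creates, or a broader WriteProperty/GenericWrite/GenericAll ACE), and flags whether the grantee is the principal in managedBy. It assumes the RSAT ActiveDirectory module and its AD: drive; group names, the search base and domain names are hypothetical.

```powershell
# Added example (not from the original post). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# schemaIDGUID of the 'member' attribute, which the "Write Members" display name maps to.
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$AllProperties  = [Guid]::Empty   # ObjectType of an ACE that is not attribute-specific

function Get-GroupMembershipWriters {
    param([Parameter(Mandatory)][string]$Identity)   # name, sAMAccountName or DN of the group

    $group = Get-ADGroup -Identity $Identity -Properties managedBy
    $acl   = Get-Acl -Path ("AD:\" + $group.DistinguishedName)

    # sAMAccountName of whatever is on the Managed By tab (user or group), if anything
    $managerSam = $null
    if ($group.managedBy) {
        $managerSam = (Get-ADObject -Identity $group.managedBy -Properties sAMAccountName).sAMAccountName
    }

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights

        $writeProp   = (($rights -band 'WriteProperty') -ne 0) -and
                       ($ace.ObjectType -eq $MemberAttrGuid -or $ace.ObjectType -eq $AllProperties)
        $genericWide = (($rights -band 'GenericWrite') -ne 0) -or (($rights -band 'GenericAll') -ne 0)
        if (-not ($writeProp -or $genericWide)) { continue }

        $granteeSam = $ace.IdentityReference.Value.Split('\')[-1]
        [pscustomobject]@{
            Group       = $group.Name
            Identity    = $ace.IdentityReference.Value
            Rights      = $rights.ToString()
            Scope       = if ($ace.ObjectType -eq $MemberAttrGuid) { 'member attribute only' } else { 'all properties' }
            Inherited   = $ace.IsInherited          # inherited ACEs come from OU-level delegation, not the checkbox
            IsManagedBy = ($null -ne $managerSam) -and ($granteeSam -eq $managerSam)
        }
    }
}

# Groups whose Managed By principal has NO membership ACE, i.e. the manager is
# listed but "Manager can update membership list" is not (or no longer) ticked.
function Find-ManagersWithoutMembershipRights {
    param([Parameter(Mandatory)][string]$SearchBase)   # e.g. 'OU=Groups,DC=example,DC=com' (hypothetical)

    Get-ADGroup -Filter 'managedBy -like "*"' -SearchBase $SearchBase |
        Where-Object {
            -not (Get-GroupMembershipWriters -Identity $_.DistinguishedName | Where-Object IsManagedBy)
        } |
        Select-Object Name, DistinguishedName
}

# Usage (hypothetical names):
# Get-GroupMembershipWriters -Identity 'Sales Team' | Format-Table -AutoSize
# Find-ManagersWithoutMembershipRights -SearchBase 'OU=Groups,DC=example,DC=com'
```

The first function is the one to run against sensitive groups: anyone it lists with Scope "all properties" can change membership just as surely as a ticked checkbox, but will never show up on the Managed By tab. The second function finds the opposite drift, a manager shown on the tab who cannot actually maintain the list.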

Some things to note:
• The naming of the Write Members permission is misleading because the actual name of the property that stores the group memberships is member (singular form). So Write Members is just the friendly display name and maps to the member attribute/property. If you use the dsacls command line tool or VBScript, you'll need to specify the member property because there's no property named members.
• In order to add a group as manager, after clicking on the Change button, you need to click on the Object Types button and select Groups.
• It can take some time for the RUS to set the permissions after you select “Manager can update membership list.”
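The note above about dsacls needing the attribute name member, and the suggestion further down of building one command line per group in Excel, can be handled together in a short script. The following PowerShell is an added example, not code from the original post or the quoted site: it builds the dsacls command line with the real attribute name for each row of a CSV, runs it (or just prints it with -WhatIf), and optionally writes managedBy as well, since dsacls only adds the ACE and does not populate the name shown on the Managed By tab. The CSV layout, the group DNs, the domain name and the CheckWriteMember output pattern are assumptions.

```powershell
# Added example (not from the original post). Assumes a CSV with columns GroupDN,Manager,
# e.g.  "CN=Sales,OU=Groups,DC=example,DC=com","EXAMPLE\jdoe"   (hypothetical values)

function New-WriteMemberCommand {
    param(
        [Parameter(Mandatory)][string]$GroupDN,
        [Parameter(Mandatory)][string]$Manager    # DOMAIN\user or DOMAIN\group
    )
    # /G grants an Allow ACE. WP = write property, and "member" is the attribute that the
    # "Write Members" display name maps to (there is no attribute called "members").
    # No /I switch is given, so the ACE applies to "This object only", like the checkbox.
    return ('dsacls "{0}" /G "{1}:WP;member"' -f $GroupDN, $Manager)
}

function Grant-WriteMemberFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [switch]$AlsoSetManagedBy,   # mirror the name on the Managed By tab (needs the AD module)
        [switch]$WhatIf
    )
    foreach ($row in Import-Csv -Path $CsvPath) {
        $cmd = New-WriteMemberCommand -GroupDN $row.GroupDN -Manager $row.Manager
        if ($WhatIf) { Write-Output "Would run: $cmd"; continue }

        $output = cmd.exe /c $cmd 2>&1
        $ok = ($LASTEXITCODE -eq 0)

        if ($ok -and $AlsoSetManagedBy) {
            Import-Module ActiveDirectory
            # Set-ADGroup -ManagedBy accepts the sAMAccountName of a user or group
            Set-ADGroup -Identity $row.GroupDN -ManagedBy $row.Manager.Split('\')[-1]
        }

        [pscustomobject]@{
            GroupDN   = $row.GroupDN
            Manager   = $row.Manager
            Succeeded = $ok
            Detail    = ($output | Select-Object -Last 1)
        }
    }
}

# Read the DACL back with dsacls and look for an ACE line naming both the manager and the
# member attribute. The exact line layout differs between OS versions; treat the pattern
# as an assumption and adjust it after looking at real output from `dsacls <GroupDN>`.
function Test-WriteMemberGrant {
    param([Parameter(Mandatory)][string]$GroupDN, [Parameter(Mandatory)][string]$Manager)
    $lines = dsacls $GroupDN 2>&1
    $hit = $lines | Where-Object { $_ -match [regex]::Escape($Manager) -and $_ -match '\bmember\b' }
    return [bool]$hit
}

# Usage (hypothetical paths):
# Grant-WriteMemberFromCsv -CsvPath C:\temp\group-managers.csv -WhatIf
# Grant-WriteMemberFromCsv -CsvPath C:\temp\group-managers.csv -AlsoSetManagedBy
# Test-WriteMemberGrant -GroupDN 'CN=Sales,OU=Groups,DC=example,DC=com' -Manager 'EXAMPLE\jdoe'
```

Run it once with -WhatIf and read the generated lines before running for real: dsacls adds ACEs and does not remove ones that were there before, so a typo in the Manager column grants the right to the wrong principal and has to be cleaned up separately (the same removal through the Security tab that clears the checkbox).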

From http://www.soton.ac.uk on 2008-04-15:

When using the Windows 2000 version of the 'Active Directory Users and Computers' tool, you must use the Security Tab on the properties of the group, as shown below, and use the following procedure:

1. Open the Properties of the group and choose the 'Security' tab
2. Click the 'Advanced' button
3. Click 'Add' and enter the userid or name of the user or group to which you wish to give the ability to add members.
4. Change to the 'Properties' tab on the 'Permission Entry' dialog
5. Ensure that the 'Apply onto:' value in the drop down list at the top of the dialog is set to 'This object only'
6. Tick the 'Write Members' attribute in the list of possible permissions
7. Click 'OK' or 'Apply' to save the changes and close all the dialog boxes.

The Windows 2003 version of the Active Directory Users and Computers tool makes this process much simpler, because a new option is added to the 'Managed by' tab on the group's Properties. Ticking the 'Manager can update membership list' option automatically sets exactly the same permissions as the procedure outlined above.

If you have many groups to modify permissions on, you can use the dsacls command line tool. See http://www.mail-archive.com and http://support.microsoft.com. I'd suggest using Excel to perform text concatenation and create a command line for each group, then copying all the command lines into a batch file.
