Summary: This article contains step-by-step instructions on how to allow membership changes only for groups located in the Admin Unit scope and Additional scopes.
Applies to: 7.2.x and later
In Cayosoft Administrator, when you delegate access to a User Properties web action Member Of tab or to Add to Groups web action, the delegated user would be able to remove any group from the Member Of list.
If you have a set of Active Directory groups that are managed centrally and you do not want to delegate Admin Unit administrators permission to remove accounts from these groups, you can restrict that access further by changing the Allow membership changes for these groups setting on User Properties or Add to Groups web actions. In this case, delegated administrators will be able to change membership only for groups located in the Admin Units scope:
- In Admin Console navigate to User Properties or Add to Groups web actions.
- Open More Options section.
- Set the Allow membership changes for these groups to Only groups located in the Admin Unit scope and Additional Scopes. You might also need to set the Additional Scopes setting on the AD Users web query. See the AD Users web query article for details.
- Save Changes.