I am building a self-service group management web-app that will allow users to create and manage groups in our Active Directory under a particular OU.
I have successfully written a PHP application that accomplishes most of this by binding as an admin user and creating new group objects in the appropriate OU, then adding and removing 'member' attributes from the group. To limit management to only groups created by a user, I've been setting the 'managedBy' attribute on the group to the DN of the user that created it, then I check for a match on that attribute before allowing users to update the group.
What I want to do to improve this group-management system is to set the appropriate security attributes on the group so that if a user finds a group that they created in Outlook, they can also manage the membership via that program's interface.
- Is it possible to set security attributes on AD groups via LDAP? If so, how?
- If not possible via LDAP, is this possible via a .NET API or another method?
If it is at all possible to set these attributes from PHP that would be ideal, but I'm not wholly against rebuilding the application in .NET if that is required and it is reasonably straightforward to accomplish this task in that environment.
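The ownership check the question describes (the group's managedBy compared against the caller's DN before a membership change), as an added PHP example that is not the asker's code; the OU, host, account names and the extra "group must live under our OU" check are assumptions.

```php
<?php
// Added example, not the asker's code: enforces the post's rule that only the creator
// (the DN stored in managedBy) may change a group. Server, OU and account values are assumptions.
const SELF_SERVICE_OU = 'OU=SelfServiceGroups,DC=example,DC=com';
// Canonicalise a DN so case and whitespace differences cannot defeat the comparison
// (DN matching is case-insensitive; AD returns DNs in their stored case).
function normalize_dn(string $dn): string {
    $parts = ldap_explode_dn($dn, 0);
    if ($parts === false) {
        throw new InvalidArgumentException("Malformed DN: $dn");
    }
    unset($parts['count']);
    return strtolower(implode(',', array_map('trim', $parts)));
}

// Refuse any group outside the OU this app owns, so a caller cannot point it at
// an arbitrary group elsewhere in the directory (assumed hardening, PHP 8+ for str_ends_with).
function in_self_service_ou(string $groupDn): bool {
    return str_ends_with(normalize_dn($groupDn), ',' . normalize_dn(SELF_SERVICE_OU));
}

// True only if the group exists in the OU and its managedBy names the calling user.
function user_may_manage_group($ldap, string $groupDn, string $userDn): bool {
    if (!in_self_service_ou($groupDn)) {
        return false;
    }
    $res = @ldap_read($ldap, $groupDn, '(objectClass=group)', ['managedBy']);
    if ($res === false) {
        return false;                      // missing or unreadable group
    }
    $e = ldap_get_entries($ldap, $res);    // attribute keys come back lowercased
    if ($e['count'] !== 1 || empty($e[0]['managedby'][0])) {
        return false;                      // no recorded owner: nobody may self-manage it
    }
    return normalize_dn($e[0]['managedby'][0]) === normalize_dn($userDn);
}

// Add or remove one member, but only after the ownership check passes.
function change_membership($ldap, string $groupDn, string $userDn, string $memberDn, bool $add): bool {
    if (!user_may_manage_group($ldap, $groupDn, $userDn)) {
        throw new RuntimeException("$userDn is not the recorded manager of $groupDn");
    }
    $change = ['member' => [$memberDn]];
    return $add ? ldap_mod_add($ldap, $groupDn, $change) : ldap_mod_del($ldap, $groupDn, $change);
}
$ldap = ldap_connect('ldaps://dc01.example.com');                        // assumption
ldap_set_option($ldap, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_bind($ldap, 'svc-groupmgr@example.com', getenv('SVC_GROUPMGR_PW')); // service-account bind, as in the post
change_membership($ldap, 'CN=Project X,' . SELF_SERVICE_OU,
    'CN=Alice,OU=Users,DC=example,DC=com', 'CN=Bob,OU=Users,DC=example,DC=com', true);
```

Note that managedBy by itself grants no rights in AD, so this rule is enforced only inside the app; Outlook honours it only once a matching ACE for the manager is present in the group's security descriptor.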