I am in a large organization with multiple domains in a forest and lots of OUs in each domain. The domain admins delegate administration of the OUs to IT personnel that work in the OU. I am one of those IT people. I can create and delete sub-OUs in our OU, we've been assigned the ability to manage GPOs that apply to us, etc. We have geographically separated groups that we've created separate sub-OUs for and delegated the ability to manage those OUs to personnel there.
At one of those sites, we have a group with full control of the OU they are in, but we are not able to modify any groups they have created. For instance, if I wanted to add an account to a group in the OU, I do not have that ability, even though I have full control of the OU it is in. I realize the security group has a list of ACEs in the security tab and I'm not granted permissions there.
Is there a way I can force a group of my choice to be added to the ACE list on all security groups under our OU?
In your Active Directory Users and Computers snap-in, first select the option to show Advanced Features.
After that, right-click the group whose ACE you want to change; from there it's like an NTFS ACE. At a minimum you can select to propagate the parent security; as you don't have access, I guess the parent security wasn't applied to it.
You can delegate a group of your choice "read/write members" permission from the properties tab of the top-level OU's advanced security to "Descendant Group Objects". This will inherit down to all group objects in all OUs below that level and allow members of your group the ability to change group membership.
Your next problem is verifying inheritance is enabled on all those group objects.
What you really need is a clearly defined delegation model for Active Directory. Standardizing the OU structure is important to the implementation of this delegation model. Things can get very confusing very fast in AD when you go around adding one-off permissions like this. As a best practice, AD permissions should be locked down, standardized, and only delegated to security groups.
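The "read/write members" delegation on descendant group objects and the inheritance check described above, scripted with the RSAT ActiveDirectory module. This is an added example, not code from the thread; the OU distinguished name and the delegation group `CONTOSO\Site-GroupAdmins` are placeholders for your own values.

```powershell
# Added example (not from the original thread). Assumes the RSAT ActiveDirectory module;
# the OU DN and the delegation group below are placeholders, substitute your own.
Import-Module ActiveDirectory

$OU       = 'OU=SiteA,OU=Delegated,DC=contoso,DC=com'                        # placeholder top-level OU
$Delegate = [System.Security.Principal.NTAccount]'CONTOSO\Site-GroupAdmins'  # placeholder group

# Look up schemaIDGUIDs from the schema instead of hard-coding them:
# the 'member' attribute (what the ACE grants) and the 'group' class (what it applies to).
$schema = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapName) {
    $o = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$memberAttr = Get-SchemaGuid 'member'
$groupClass = Get-SchemaGuid 'group'

# 1) One ACE on the top-level OU: ReadProperty/WriteProperty on 'member',
#    inherited only by descendant objects of class 'group' (not users, OUs, computers).
$acl = Get-Acl -Path "AD:\$OU"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $Delegate,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberAttr,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $groupClass)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$OU" -AclObject $acl

# 2) The inherited ACE never reaches a group whose DACL blocks inheritance
#    ("protected" in .NET terms), so enumerate every group under the OU and report those.
$blocked = Get-ADGroup -SearchBase $OU -SearchScope Subtree -Filter * |
    Where-Object { (Get-Acl -Path "AD:\$($_.DistinguishedName)").AreAccessRulesProtected }

foreach ($g in $blocked) {
    Write-Warning "Inheritance blocked on $($g.DistinguishedName)"
    # To re-enable inheritance while keeping the group's explicit ACEs, after reviewing them:
    # $gacl = Get-Acl -Path "AD:\$($g.DistinguishedName)"
    # $gacl.SetAccessRuleProtection($false, $true)
    # Set-Acl -Path "AD:\$($g.DistinguishedName)" -AclObject $gacl
}
```

Run it as an account that has Modify Permissions on the OU and on any protected groups; the report loop is read-only until you uncomment the three lines that re-enable inheritance.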