Our organization went through a recent change with security measures and I have a requirement, wondering if it could be implemented.
So, our team (let's say Jim, Tim, Johnny, Sonny and Mary) are managing domains for customers (1,2,3,4,5,6,7). How we do it now is create users under that OU, create security groups, and give the users access through the security group to that respective customer environment. Something like this.
As more customers come in (8,9,10), we would be creating such Security Groups and adding the required users. What I want to achieve is that only Jim and Tim can manage the Cust 3 and Cust 4 Security Groups (SGs) for adding/removing users within those SGs, while retaining the ability to also modify Cust 1,2,5,6,7 and create/modify Cust 8,9,10 SGs etc. They would be like super admins (don't know if that's even a term in Windows AD). Now Johnny, Sonny and Mary would retain the ability to modify Cust 1,2,5,6,7 and subsequently also add Cust 8,9,10 if the need arises, but they should have absolutely no rights to modify Cust 3 and 4. They may have read/view rights at most.
The naming convention we usually follow to create SGs is [Cloud]-[Customer]-[Access]. Is it possible to achieve this by creating some sort of role or GPO that does a regex pattern search and limits the said resources?
Currently all of us are Domain Admins. I probably have to create one more container and put Johnny, Sonny and Mary in that, while Jim and Tim are listed as domain admins. Idk, just trying to think out loud.
Short answer: no. As all object resources are managed by their (GU)IDs instead of (probably changing and internationally different) strings, regex wouldn't make any sense.
Equally short answer: No. There is no need for such a thing, because Windows has ACLs for almost everything. Which indeed will not prohibit calling your groups whatever you want.
Reminds me of a customer's site which had "admins", "admin_admins", "super_admins", "universal_admins" and "universal_admin_admins". Good times.
Possible solutions could be placing the different groups in different OUs with said ACLs attached to them, or just creating/managing those groups using PowerShell (which can do regex and a bunch of other helpful stuff).
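The OU-plus-ACL approach from the answer, as an added PowerShell example (not code from either poster). It assumes two OUs, `OU=Standard,OU=Customers` and `OU=Restricted,OU=Customers`, holding the customer SGs, and two assumed admin groups, `SG-Customer-Admins` (Johnny, Sonny, Mary) and `SG-Customer-Admins-Restricted` (Jim, Tim); the delegation only takes effect once the standard admins are no longer Domain Admins.

```powershell
# Added example; assumes the RSAT ActiveDirectory module and a current Domain Admin session.
Import-Module ActiveDirectory

$domainDN         = (Get-ADDomain).DistinguishedName
$standardOU       = "OU=Standard,OU=Customers,$domainDN"      # assumed: Cust 1,2,5,6,7 (and future 8,9,10) SGs
$restrictedOU     = "OU=Restricted,OU=Customers,$domainDN"    # assumed: Cust 3 and Cust 4 SGs
$standardAdmins   = 'SG-Customer-Admins'                      # assumed: Johnny, Sonny, Mary
$restrictedAdmins = 'SG-Customer-Admins-Restricted'           # assumed: Jim, Tim

# Well-known AD schema GUIDs: the 'member' attribute and the 'group' object class
$memberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$groupClassGuid = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

function Grant-GroupManagement {
    param([string]$OuDN, [string]$GroupName)
    $sid = (Get-ADGroup -Identity $GroupName).SID
    $acl = Get-Acl -Path "AD:\$OuDN"
    # Allow writing the 'member' attribute on every group object below this OU
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, 'WriteProperty', 'Allow', $memberAttrGuid, 'Descendents', $groupClassGuid))
    # Allow creating and deleting group objects directly in this OU (new customers)
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, 'CreateChild, DeleteChild', 'Allow', $groupClassGuid, 'None'))
    Set-Acl -Path "AD:\$OuDN" -AclObject $acl
}

# Standard admins manage only the Standard OU; restricted admins manage both.
# Nobody gets an explicit Deny: the default Authenticated Users read ACE already
# gives Johnny, Sonny and Mary view-only access to the Restricted OU.
Grant-GroupManagement -OuDN $standardOU   -GroupName $standardAdmins
Grant-GroupManagement -OuDN $standardOU   -GroupName $restrictedAdmins
Grant-GroupManagement -OuDN $restrictedOU -GroupName $restrictedAdmins

# ACLs never restrict Domain Admins, so the standard tier must leave that group.
Remove-ADGroupMember -Identity 'Domain Admins' -Members 'Johnny', 'Sonny', 'Mary' -Confirm:$false

# Check: show which delegated group holds which explicit rights on the restricted OU
(Get-Acl -Path "AD:\$restrictedOU").Access |
    Where-Object { $_.IdentityReference -like '*SG-Customer-Admins*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Existing Cust 3 and Cust 4 groups have to be moved into the Restricted OU (Move-ADObject) before the ACEs apply to them; the Where-Object check should list only SG-Customer-Admins-Restricted for that OU.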