Manage/Set Permissions in Active Directory via PHP LDAP

Question

Within my PHP LDAP code, I'm able to go in and create OU's (organizationalUnits), Groups, as well as Users within Active Directory. I can even go in and add Users to groups.

Now, I need to set security permissions for a specific OU that will allow other groups to have certain permissions such as: Read Members and Write Members. Within Active Directory this is done by right-clicking on the OU -> Properties -> Security -> Advanced and then adding a specific group with the permissions you want.

The purpose of this is to allow for Users associated with a particular Group to have permissions to add new Users within the OU, add Users to Groups, etc. Basically administer the OU on behalf of the domain/server Admin. In other words, when I login as a User that is a member of the group 'Admin', how can I allow that user to then add users to this OU without getting "insufficient access" errors?

My code that adds the OU is this:

$dn = "OU=Groups,OU=TEST1,OU=Clients,DC=EQC,DC=local";
$entry["objectclass"][0] = "top";
$entry["objectclass"][1] = "organizationalUnit";
$entry["OU"] = "Groups";

if( ldap_add($con,$dn, $entry) !== false) {
    echo 'Awesome Sauce! The OU was added.';
} else {
    echo ldap_error($con);
}

How do I manage/set permissions needed to allow the functionality above?

Answer 1

It looks like this is not possible with PHP. However, we were able to create a shell script that runs and check Active Directory for new security groups and then updates the delegation rights.