When you hide membership to a distribution list in AD, Everyone is given Deny on reading the members, including Domain Admins. The Account Operators group has an override over this. I want to use Delegate control to give the correct specific permissions to a few people so they can view the hidden membership. I tried using simply read permission on group objects, but that doesn't seem to do the trick. Anyone know specifically what security a users need to override the Deny on Everyone which is set by hiding membership?