Applying permissions to an Active Directory OU

Learn to troubleshoot issues with assigning permissions to groups in an organizational unit.

We are trying to apply the permission "allow add/remove self" to a number of groups that reside in an organizational...

unit (OU). When I view the permissions of one of the groups, the permission "add/remove self" is visible. Also, I can apply this permission to all the groups in that OU. However, when we view the permissions of the OU in which all the groups reside, the permission is not visible. We understand that this is because the OU is not a group, so it does not have this property -- hence, it cannot be defined. We would like to apply the permissions to the whole OU so that any new groups created will inherit this permission. Is this possible?

Through traditionally means, I would say no. However, if you were to alter the method by which you create groups, you could perform the function programmatically. Many companies use scripts to put user changes into a file or database first and then process them all at once. If you did this, then you would have control over how they got created. Also, if you really wanted to go to the next level, you could use third-party software like Trusted Enterprise Manager (TEM) to create additional control over users and groups.

This was first published in October 2003

Dig Deeper on Microsoft Active Directory Design and Administration



Find more PRO+ content and other member only offers, here.

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: