We are trying to apply the permission "allow add/remove self" to a number of groups that reside in an organizational
unit (OU). When I view the permissions of one of the groups, the permission "add/remove self" is visible. Also, I can apply this permission to all the groups in that OU. However, when we view the permissions of the OU in which all the groups reside, the permission is not visible. We understand that this is because the OU is not a group, so it does not have this property -- hence, it cannot be defined. We would like to apply the permissions to the whole OU so that any new groups created will inherit this permission. Is this possible?
Through traditionally means, I would say no. However, if you were to alter the method by which you create groups, you could perform the function programmatically. Many companies use scripts to put user changes into a file or database first and then process them all at once. If you did this, then you would have control over how they got created. Also, if you really wanted to go to the next level, you could use third-party software like Trusted Enterprise Manager (TEM) to create additional control over users and groups.
Dig deeper on Microsoft Active Directory Design and Administration
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.