Q

Locking AD OU structure

What specific permissions do I need to set to keep delegated Administrators from accidentally deleting or moving my OU structure? These are not Domain Admins. We have given them rights to fully administer or create objects within their OU only. I need to lock down the structure without taking away their ability to administer the OU.
The easiest way is to use the delegation wizard. This allows you to give the permissions to create and delete users and groups. Using this method prevents them from being able to adjust the OUs. Here are the permissions:

Full control applied to Group Objects
Create/Delete Group Objects applied to this object (OU they manage) and child objects
Full control applied to user objects
Create/Delete User Objects applied to this object (OU they manage) and child objects

They will be able to add/delete users and groups, change group memberships, reset passwords, etc. They will NOT be able to delegate permissions on the OU, add/delete any OU or child OU.
This was first published in May 2004
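
As an added example (not part of the original answer), the PowerShell below applies the four grants listed above with dsacls and then audits the OU's ACL for any direct entry that would still let the delegated group delete, move, re-permission or create/delete OUs. The OU path and group name are assumed placeholders, and the audit looks only at ACEs that name the group directly, not rights it may hold through other group memberships.

```powershell
Import-Module ActiveDirectory

# Assumed placeholder names; replace with your own OU and delegated group.
$ou    = 'OU=Sales,DC=example,DC=com'
$group = 'EXAMPLE\SalesOUAdmins'

# The four grants from the answer.
# /I:S = child objects only, /I:T = this object and child objects.
dsacls $ou /I:S /G "${group}:GA;;group"    # Full control applied to group objects
dsacls $ou /I:T /G "${group}:CCDC;group"   # Create/delete group objects
dsacls $ou /I:S /G "${group}:GA;;user"     # Full control applied to user objects
dsacls $ou /I:T /G "${group}:CCDC;user"    # Create/delete user objects

# Audit: find Allow ACEs for the group that reach the OU structure itself.
$ouClass = [guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of organizationalUnit
$none    = [guid]::Empty                                   # "all classes" / not class-scoped
# GenericAll contains all four of these bits, so it is caught as well.
$structural = [int][System.DirectoryServices.ActiveDirectoryRights]'WriteDacl, WriteOwner, Delete, DeleteTree'
$childOps   = [int][System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

$risky = (Get-Acl -Path "AD:\$ou").Access | Where-Object {
    $_.IdentityReference.Value -eq $group -and $_.AccessControlType -eq 'Allow'
} | Where-Object {
    $rights = [int]$_.ActiveDirectoryRights
    # The ACE applies to the OU (or child OUs) when it is not scoped to another class.
    $hitsOu = $_.InheritedObjectType -in $none, $ouClass
    # Create/delete is a problem when the child class is "any" or organizationalUnit.
    $ouChild = $_.ObjectType -in $none, $ouClass
    ($hitsOu -and ($rights -band $structural) -ne 0) -or
    ($hitsOu -and $ouChild -and ($rights -band $childOps) -ne 0)
}

if ($risky) {
    Write-Warning "$group holds rights that affect the OU structure:"
    $risky | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited -AutoSize
} else {
    Write-Output "$group has no direct rights over the OU structure on $ou."
}
```

Run the audit half against each delegated OU after any permission change; an entry with IsInherited set to True has to be fixed on a parent container rather than on the OU itself.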
