What specific permissions do I need to set to keep delegated Administrators from accidentally deleting or moving my OU? These are not Domain Admins. We have given them rights to fully administer or create objects within their OU only. I need to lock down the structure without taking away their ability to administer the OU.
The easiest way is to use the delegation wizard. This allows you to give the permissions to create and delete users and groups. Using this method prevents them from being able to adjust the OUs. Here are the permissions:
Full control applied to Group objects
Create/Delete Group objects applied to this object (the OU they manage) and child objects
Full control applied to User objects
Create/Delete User objects applied to this object (the OU they manage) and child objects
They will be able to add/delete users and groups, change group memberships, reset passwords, etc.
They will NOT be able to delegate permissions on the OU, add/delete any OU or child OU.
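The same four ACEs expressed as PowerShell against the AD: drive, plus a check that the delegated group holds no right on the OU object itself. This is an added example, not part of the original answer; the OU path and the group name HelpDesk-Admins are placeholders, and the RSAT ActiveDirectory module is assumed to be installed.

```powershell
# Added example: delegate user/group administration on one OU without granting any
# right on the OU object itself. OU DN and group name below are placeholders.
Import-Module ActiveDirectory

$ouDN  = 'OU=Sales,DC=example,DC=com'            # placeholder OU
$sid   = (Get-ADGroup 'HelpDesk-Admins').SID       # placeholder delegated-admin group
# Well-known schema class GUIDs for the user and group object classes
$userClass  = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$groupClass = [Guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ouDN"
foreach ($class in @($userClass, $groupClass)) {
    # Create/Delete <class> objects: this OU and child OUs (All), limited to that class.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $class,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
    # Full control on existing <class> objects only: inherited by descendants of that
    # class, never applied to the OU itself (Descendents + inheritedObjectType).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $class)))
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: does the group hold any Allow ACE that applies to the OU object itself
# and could delete, move or re-delegate it? Returns $true when the OU is protected.
function Test-OUProtected {
    param([string]$DistinguishedName, [System.Security.Principal.SecurityIdentifier]$Sid)
    $dangerous = [int][System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, GenericAll, WriteDacl, WriteOwner'
    $hits = (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $dangerous) -ne 0) -and
        $_.InheritanceType -ne 'Descendents'     # ACEs that apply to this object
    }
    return (@($hits).Count -eq 0)
}
Test-OUProtected -DistinguishedName $ouDN -Sid $sid
```

On Windows Server 2008 and later, `Set-ADOrganizationalUnit -Identity $ouDN -ProtectedFromAccidentalDeletion $true` adds an explicit Deny for Delete and Delete Subtree on the OU as a second safety net.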
This was first published in May 2004