Ask the Expert

Locking AD OU structure

What specific permissions do I need to set to keep delegated Administrators from accidentally deleting or moving my OU structure? These are not Domain Admins. We have given them rights to fully administer or create objects within their OU only. I need to lock down the structure without taking away their ability to administer the OU.


The easiest way is to use the delegation wizard. This allows you to give the permissions to create and delete users and groups. Using this method prevents them from being able to adjust the OUs. Here are the permissions:

Full control applied to Group Objects
Create/Delete Group Objects applied to this object (OU they manage) and child objects
Full control applied to user objects
Create/Delete User Objects applied to this object (OU they manage) and child objects

They will be able to add/delete users and groups, change group memberships, reset passwords, etc. They will NOT be able to delegate permissions on the OU, add/delete any OU or child OU.

This was first published in May 2004
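
The four permissions listed above, written as dsacls commands with a follow-up audit of the resulting ACL. This is an added example, not part of the original answer: it uses dsacls in place of the delegation wizard, and the OU distinguished name and group name are assumed placeholders.

```powershell
# Assumed placeholder names (not from the original page): substitute your own.
$ou    = 'OU=Sales,DC=example,DC=com'
$group = 'EXAMPLE\Sales-OU-Admins'

foreach ($class in 'user', 'group') {
    # Create/Delete child objects of this class on this OU and its child containers (/I:T).
    dsacls $ou /I:T /G "${group}:CCDC;$class"
    # Full control, inherited only by descendant objects of this class (/I:S).
    dsacls $ou /I:S /G "${group}:GA;;$class"
}

# Audit: every explicit ACE held by the delegate group on the OU should be
# scoped to the user or group class. Anything else (for example rights on
# organizationalUnit objects or unscoped full control) lets them alter the structure.
Import-Module ActiveDirectory
$allowed = @(
    [guid]'bf967aba-0de6-11d0-a285-00aa003049e2',  # schemaIDGUID of class "user"
    [guid]'bf967a9c-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "group"
)

$unexpected = (Get-Acl -Path "AD:\$ou").Access | Where-Object {
    $_.IdentityReference.Value -eq $group -and
    -not $_.IsInherited -and
    $_.ObjectType -notin $allowed -and
    $_.InheritedObjectType -notin $allowed
}

if ($unexpected) {
    Write-Warning "ACEs for $group that are not limited to user/group objects:"
    $unexpected | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
} else {
    Write-Output "All explicit ACEs for $group on $ou are scoped to user or group objects."
}
```

The audit reads only ACEs set directly on the OU; rights the group inherits from a parent container need the same check run against that parent.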
