Applying permissions to an Active Directory OU

Learn to troubleshoot issues with assigning permissions to groups in an organizational unit.

We are trying to apply the permission "allow add/remove self" to a number of groups that reside in an organizational unit (OU). When I view the permissions of one of the groups, the permission "add/remove self" is visible. Also, I can apply this permission to all the groups in that OU. However, when we view the permissions of the OU in which all the groups reside, the permission is not visible. We understand that this is because the OU is not a group, so it does not have this property -- hence, it cannot be defined. We would like to apply the permissions to the whole OU so that any new groups created will inherit this permission. Is this possible?

Through traditional means, I would say no. However, if you were to alter the method by which you create groups, you could perform the function programmatically. Many companies use scripts to put user changes into a file or database first and then process them all at once. If you did this, then you would have control over how they got created. Also, if you really wanted to go to the next level, you could use third-party software like Trusted Enterprise Manager (TEM) to create additional control over users and groups.
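One way to script the programmatic approach described in the answer, as an added example that is not part of the original answer: a wrapper that creates the group and immediately grants "add/remove self as member", plus a sweep that finds groups in the OU created some other way. It assumes the ActiveDirectory PowerShell module; the function names, the OU path and the trustee group are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# GUID of the Self-Membership validated write, shown in the UI as
# "Add/remove self as member".
$SelfMembership = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'

function Test-SelfMembershipAce {           # hypothetical helper
    param([string] $GroupDn, [System.Security.Principal.SecurityIdentifier] $Sid)
    # Explicit ACEs only, with trustees returned as SIDs so the comparison is exact.
    $rules = (Get-Acl -Path "AD:\$GroupDn").GetAccessRules(
        $true, $false, [System.Security.Principal.SecurityIdentifier])
    [bool]($rules | Where-Object {
        $_.IdentityReference -eq $Sid -and
        $_.ObjectType -eq $SelfMembership -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::Self)
    })
}

function Grant-SelfMembershipAce {          # hypothetical helper
    param([string] $GroupDn, [System.Security.Principal.SecurityIdentifier] $Sid)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $SelfMembership)
    $acl = Get-Acl -Path "AD:\$GroupDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$GroupDn" -AclObject $acl
    if (-not (Test-SelfMembershipAce $GroupDn $Sid)) {
        throw "Self-membership ACE was not written on $GroupDn"
    }
}

function New-SelfJoinGroup {                # use this instead of creating groups by hand
    param([string] $Name, [string] $OuDn, [string] $Trustee)
    $sid   = (Get-ADGroup -Identity $Trustee).SID
    $group = New-ADGroup -Name $Name -Path $OuDn -GroupScope Global `
                         -GroupCategory Security -PassThru
    Grant-SelfMembershipAce $group.DistinguishedName $sid
    $group
}

function Repair-SelfJoinOu {                # sweep for groups created outside the wrapper
    param([string] $OuDn, [string] $Trustee)
    $sid = (Get-ADGroup -Identity $Trustee).SID
    Get-ADGroup -Filter * -SearchBase $OuDn -SearchScope OneLevel |
        Where-Object { -not (Test-SelfMembershipAce $_.DistinguishedName $sid) } |
        ForEach-Object { Grant-SelfMembershipAce $_.DistinguishedName $sid; $_.Name }
}

# Placeholder values:
# New-SelfJoinGroup -Name 'Proj-Alpha' -OuDn 'OU=SelfJoin,DC=example,DC=com' -Trustee 'Staff'
```

Keep the trustee as narrow as the requirement allows: whoever holds this ACE can make themselves a member and pick up everything the group is granted. Running `Repair-SelfJoinOu` on a schedule returns the names of groups it had to fix, which doubles as a report of groups created outside the wrapper.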

