
Locking AD OU structure

What specific permissions do I need to set to keep delegated Administrators from accidentally deleting or moving my OU structure? These are not Domain Admins. We have given them rights to fully administer or create objects within their OU only. I need to lock down the structure without taking away their ability to administer the OU.

The easiest way is to use the delegation wizard. This allows you to give the permissions to create and delete users and groups. Using this method prevents them from being able to adjust the OUs. Here are the permissions:

Full control applied to Group Objects
Create/Delete Group Objects applied to this object (OU they manage) and child objects
Full control applied to user objects
Create/Delete User Objects applied to this object (OU they manage) and child objects

They will be able to add/delete users and groups, change group memberships, reset passwords, etc. They will NOT be able to delegate permissions on the OU, add/delete any OU or child OU.
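
The four permissions listed above, granted with `dsacls` and then audited through the ActiveDirectory module's `AD:` drive. This is an added example, not part of the original answer; the OU distinguished name and the delegate group name are placeholders to replace with your own.

```powershell
# Placeholders (assumptions, not from the original answer).
Import-Module ActiveDirectory
$ou    = 'OU=Branch,DC=example,DC=com'
$group = 'EXAMPLE\Branch-OU-Admins'

# dsacls: /I:T = this object and child objects, /I:S = child objects only.
# CC/DC = create/delete child objects, GA = full control.
dsacls $ou /I:T /G "${group}:CCDC;group"   # Create/Delete Group Objects
dsacls $ou /I:S /G "${group}:GA;;group"    # Full control on group objects
dsacls $ou /I:T /G "${group}:CCDC;user"    # Create/Delete User Objects
dsacls $ou /I:S /G "${group}:GA;;user"     # Full control on user objects

# Audit: list any Allow ACE for the group that reaches the OU structure itself.
$ouClass = [guid]'bf967aa5-0de6-11d0-a285-00aa003049e2'  # organizationalUnit class GUID
$ouScope = @([guid]::Empty, $ouClass)                    # "all classes" or OUs
$R = [System.DirectoryServices.ActiveDirectoryRights]
$structural = $R::WriteDacl -bor $R::WriteOwner -bor $R::Delete -bor $R::DeleteTree
$children   = $R::CreateChild -bor $R::DeleteChild

$risky = (Get-Acl -Path "AD:\$ou").Access | Where-Object {
    $_.IdentityReference.Value -eq $group -and
    $_.AccessControlType -eq 'Allow' -and
    # ACE applies to the OU or to descendant OUs, not only to users/groups
    $_.InheritedObjectType -in $ouScope -and (
        # can delete the OU or re-delegate its permissions
        ($_.ActiveDirectoryRights -band $structural) -or
        # can create/delete child objects of any class, or child OUs
        (($_.ActiveDirectoryRights -band $children) -and $_.ObjectType -in $ouScope)
    )
}

if ($risky) {
    $risky | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited
} else {
    "No ACE lets $group delete, re-delegate or create OUs under $ou"
}
```

Any row in the output, including ones marked `IsInherited`, is an ACE that gives the delegates more than the user and group rights described above.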
