

Delegate control of an OU

Posted on 2003-12-11
Medium Priority
Last Modified: 2010-02-01
Hi all,
I want to create several OUs. I then need to create an account that has the rights to add/remove computers and reset or change passwords. I have looked at the delegation wizard, but I am not sure this is what I want to do. Also, when you add a machine to the domain, the default location is the Computers container. Is there a way to tie whoever is adding the computer account to the OU they have control over, so the account only goes there? This way I wouldn't have to check the default location and move computer accounts every morning.
Thanks for your help, I love this web site.

Question by: RyanFair

Accepted Solution

Pete Long earned 750 total points
ID: 9920727
Hi RyanFair,
One of Active Directory's (AD's) many benefits is that it’s easy for the network administrator to set up an administrator to manage a specific organizational unit (OU). If you haven’t already organized your users into OUs, consider doing so to make your network more manageable. When a client company has multiple office locations, I typically set up an OU for each office. In general, I prefer an AD design that's broad and shallow as opposed to narrow and deep. An OU administrator will have all the rights that the Administrator has, except the OU administrator will have those rights only for the designated OU. Complete the following steps to create an OU administrator on your network.
1. Create the OU (if you haven’t already done so)—Click Start, Programs, Administrative Tools, Active Directory Users and Computers to open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the domain (or desired location) and select New, Organizational Unit. I suggest establishing a naming convention for your OUs and anything else you create in AD.
2. Move Users to the new OU—As you know, new users are created in the Users container by default. If you already have users created in the Users container, you can move any of these users to the new OU. To do so, simply right-click the user, select Move, then select the desired OU. You can move multiple users at the same time by using Ctrl+click to select the appropriate users, then drag the selected users into the desired OU.
3. Create an OU Administrator User—Start Active Directory Users and Computers. Create a new user in the desired OU, and assign a password.
4. Create an OU Administrators Group in the OU—After doing so, make the OU administrator a member of that group. This approach follows the best practice of assigning rights to a group rather than an individual, then making the user a member of the group. This setup makes future management of the network easier. For example, if you need to grant an existing user OU administrator rights, you can simply make the user a member of the OU Administrators Group, rather than assign the rights individually. If you have a software vendor that must have administrator rights to the OU, you can create a temporary account and password, then add the vendor's account to OU Administrators Group. After the vendor completes the software installation, you can delete the account. This strategy lets the vendor install the software without giving away any administrator passwords. To create the OU Administrators Group, right-click the OU and select New, Group. Make sure to add the user you created in Step 3 to the group you just created.
5. Delegate control of the OU—Start Active Directory Users and Computers. Right-click the desired OU and select Delegate Control. Add the group you created in step 4, and grant the group the appropriate rights for the OU.
6. Delegate control of the Exchange OU—If you're running Microsoft Exchange Server 2000 or later, start the Exchange System Manager (ESM). Open the desired Administrative Group, right-click the group you created in Step 4, and select Delegate Control. Select the desired level of control; typically I set the delegated rights to Exchange Administrator. This approach will let members in the group created in Step 4 act as an Exchange Administrator for users located in a specific Exchange Administrative Group.
7. Grant the Log on Locally right to the domain controller (DC)—This step is necessary if you want to let a user log on to a server acting as a DC. In Active Directory Users and Computers, right-click the Domain Controllers OU. Select Properties, Group Policy, then select the Default Domain Controllers Policy and click Edit. Select Default Domain Controllers Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Log on Locally. Add the group you created in Step 4 to grant the Log on Locally right. Alternatively, you can install the Exchange System Administrator program (AdminPak.msi) on a workstation. To install the program, run setup from the Exchange Server 2003 or Exchange 2000 installation CD-ROM.
8. Refresh the machine policy—For Windows Server 2003 servers, open a command prompt and type


For Windows 2000 servers, type

secedit /refreshpolicy machine_policy

9. Grant Win2K Server Terminal Services rights—Are you running Terminal Services in remote administration mode? If you want the local administrator to have Terminal Services Administrator access, click Start, Programs, Administrative Tools, Terminal Services Configuration. Right-click RDP-Tcp and select Properties. Click the Permissions tab and select the desired rights for the OU Administrators Group. Of course, you first must install the Terminal Services client on the workstation.

That’s it! After completing these steps, you’re well on your way to making your network easier to manage and more secure.
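Steps 1, 4 and 5 above, done with the ActiveDirectory PowerShell module on a current domain controller instead of the Delegation wizard. This is an added example, not code from the original answer; the domain (corp.example), OU name and group name are assumed, and it grants only the rights the question asks for (create/delete computer accounts, reset passwords) rather than full OU admin.

```powershell
# Added example (not from the original answer): delegate one OU to one group.
# Assumed values: domain corp.example, OU "Branch01", group "Branch01-OU-Admins".
Import-Module ActiveDirectory

$domainDN = "DC=corp,DC=example"
$ouName   = "Branch01"
$ouDN     = "OU=$ouName,$domainDN"
$grpName  = "$ouName-OU-Admins"

# Steps 1 and 4: the OU and the group that receives the rights (never a user).
New-ADOrganizationalUnit -Name $ouName -Path $domainDN
New-ADGroup -Name $grpName -GroupScope Global -Path $ouDN
$sid = (Get-ADGroup $grpName).SID

# Well-known schema class and extended-right GUIDs used in the ACEs below.
$computerClass = [Guid]"bf967a86-0de6-11d0-a285-00aa003049e2"
$userClass     = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"
$resetPassword = [Guid]"00299570-246d-11d0-a768-00aa006e05f2"

# Builds one Allow ACE for the group; object/inherited-object GUIDs scope it.
function New-Ace {
    param($Rights, $ObjectType, $Inheritance, $InheritedObjectType)
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [Guid]$ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inheritance,
        [Guid]$InheritedObjectType)
}

# Step 5 in ACE form: add/remove computer accounts anywhere under the OU,
# plus the Reset Password extended right on user and computer objects below it.
$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule((New-Ace "CreateChild,DeleteChild" $computerClass "All" ([Guid]::Empty)))
$acl.AddAccessRule((New-Ace "ExtendedRight" $resetPassword "Descendents" $userClass))
$acl.AddAccessRule((New-Ace "ExtendedRight" $resetPassword "Descendents" $computerClass))
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Check: show only the ACEs on the OU that name the delegated group.
function Get-DelegatedAces {
    (Get-Acl -Path "AD:\$ouDN").Access |
        Where-Object { $_.IdentityReference.Value -like "*$grpName" } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
}
Get-DelegatedAces | Format-Table -AutoSize
```

The second half of the question (sending a new computer account to whichever OU the joining admin controls) has no per-user setting; the default Computers container can only be redirected domain-wide. A delegate with the rights above can instead pre-create the computer account in their own OU before the join, which avoids the morning move.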

Expert Comment

ID: 13322420
I'd like to know how to block the view of the entire AD; I just want to see the delegated OUs, and to exclude groups and users in other OUs.
You can see the complete AD when moving users to a sub-OU or when using Find, even when you're using task view.
