Delegate control of an OU

Hi all,
I want to create several OUs. I then need to create an account that has the rights to add/remove computers and to reset or change passwords. I have looked at the delegation wizard, but I am not sure this is what I want to do. Also, when you add a machine to the domain, the default location is the Computers container. Is there a way to associate who is adding the computer account so it only goes to the OU they have control over? This way I wouldn't have to check the default location and move computer accounts every morning.
Thanks for your help. I love this web site.


Pete LongTechnical ConsultantCommented:
Hi RyanFair,
One of Active Directory's (AD's) many benefits is that it’s easy for the network administrator to set up an administrator to manage a specific organizational unit (OU). If you haven’t already organized your users into OUs, consider doing so to make your network more manageable. When a client company has multiple office locations, I typically set up an OU for each office. In general, I prefer an AD design that's broad and shallow as opposed to narrow and deep. An OU administrator will have all the rights that the Administrator has, except the OU administrator will have those rights only for the designated OU. Complete the following steps to create an OU administrator on your network.
1. Create the OU (if you haven’t already done so)—Click Start, Programs, Administrative Tools, Active Directory Users and Computers to open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the domain (or desired location) and select New, Organizational Unit. I suggest establishing a naming convention for your OUs and anything else you create in AD.
2. Move Users to the new OU—As you know, new users are created in the Users container by default. If you already have users created in the Users container, you can move any of these users to the new OU. To do so, simply right-click the user, select Move, then select the desired OU. You can move multiple users at the same time by using Ctrl+click to select the appropriate users, then drag the selected users into the desired OU.
3. Create an OU Administrator User—Start Active Directory Users and Computers. Create a new user in the desired OU, and assign a password.
4. Create an OU Administrators Group in the OU—After doing so, make the OU administrator a member of that group. This approach follows the best practice of assigning rights to a group rather than an individual, then making the user a member of the group. This setup makes future management of the network easier. For example, if you need to grant an existing user OU administrator rights, you can simply make the user a member of the OU Administrators Group, rather than assign the rights individually. If you have a software vendor that must have administrator rights to the OU, you can create a temporary account and password, then add the vendor's account to OU Administrators Group. After the vendor completes the software installation, you can delete the account. This strategy lets the vendor install the software without giving away any administrator passwords. To create the OU Administrators Group, right-click the OU and select New, Group. Make sure to add the user you created in Step 3 to the group you just created.
5. Delegate control of the OU—Start Active Directory Users and Computers. Right-click the desired OU and select Delegate Control. Add the group you created in step 4, and grant the group the appropriate rights for the OU.
6. Delegate control of the Exchange OU—If you're running Microsoft Exchange Server 2000 or later, start the Exchange System Manager (ESM). Open the desired Administrative Group, right-click the group you created in Step 4, and select Delegate Control. Select the desired level of control; typically I set the delegated rights to Exchange Administrator. This approach will let members in the group created in Step 4 act as an Exchange Administrator for users located in a specific Exchange Administrative Group.
7. Grant the Log on Locally right to the domain controller (DC)—This step is necessary if you want to let a user log on to a server acting as a DC. In Active Directory Users and Computers, right-click the Domain Controllers OU. Select Properties, Group Policy, then select the Default Domain Controllers Policy and click Edit. Select Default Domain Controllers Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Log on Locally. Add the group you created in Step 4 to grant the Log on Locally right. Alternatively, you can install the Exchange System Administrator program (AdminPak.msi) on a workstation. To install the program, run setup from the Exchange Server 2003 or Exchange 2000 installation CD-ROM.
8. Refresh the machine policy—For Windows Server 2003 servers, open a command prompt and type


For Windows 2000 servers, type

secedit /refreshpolicy machine_policy

9. Grant Win2K Server Terminal Services rights—Are you running Terminal Services in remote administration mode? If you want the local administrator to have Terminal Services Administrator access, click Start, Programs, Administrative Tools, Terminal Services Configuration. Right-click RDP-Tcp and select Properties. Click the Permissions tab and select the desired rights for the OU Administrators Group. Of course, you first must install the Terminal Services client on the workstation.

That’s it! After completing these steps, you’re well on your way to making your network easier to manage and more secure.
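For anyone who wants to script steps 1, 4 and 5 instead of clicking through the Delegate Control wizard, here is an added PowerShell example (my own, not Pete's text and not from the original thread). It uses the ActiveDirectory module, creates the OU and the OU Administrators group, and then writes two ACEs on the OU: create/delete computer objects (the add/remove computers part of the question) and the Reset Password extended right on user objects below the OU. The OU and group names are placeholders; the schema and extended-rights GUIDs are looked up from the forest rather than hard-coded.

```powershell
# Added example, not from the original thread. Assumes the ActiveDirectory
# module (RSAT) and a domain account that may modify the OU's ACL.
Import-Module ActiveDirectory

$DomainDN  = (Get-ADDomain).DistinguishedName
$OuName    = 'Boston'             # placeholder site/OU name
$GroupName = 'OU-Admins-Boston'   # placeholder group name
$OuDN      = "OU=$OuName,$DomainDN"

# Step 1: create the OU (skipped if it already exists)
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$OuName)" -SearchBase $DomainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN
}

# Step 4: create the OU Administrators group inside the OU; rights go to the
# group, and individual admins are made members of it afterwards
if (-not (Get-ADGroup -LDAPFilter "(sAMAccountName=$GroupName)")) {
    New-ADGroup -Name $GroupName -SamAccountName $GroupName -GroupScope Global `
                -GroupCategory Security -Path $OuDN
}

# Resolve the object-class and extended-right GUIDs from the schema and the
# Extended-Rights container instead of pasting well-known values
$RootDSE      = Get-ADRootDSE
$SchemaNC     = $RootDSE.schemaNamingContext
$RightsDN     = "CN=Extended-Rights,$($RootDSE.configurationNamingContext)"
$UserGuid     = [guid](Get-ADObject -SearchBase $SchemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID
$ComputerGuid = [guid](Get-ADObject -SearchBase $SchemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID
$ResetPwdGuid = [guid](Get-ADObject -SearchBase $RightsDN -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

# Step 5: delegate control of the OU to the group
$GroupSid = (Get-ADGroup $GroupName).SID
$Acl      = Get-Acl -Path "AD:\$OuDN"

# ACE 1: create and delete computer objects in this OU and its sub-OUs
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ComputerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# ACE 2: Reset Password extended right, inherited only by user objects
$Acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ResetPwdGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserGuid)))

Set-Acl -Path "AD:\$OuDN" -AclObject $Acl

# Check: list the ACEs that now name the group, which is what the
# Security tab of the OU would show after running the wizard
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType
```

Because the rights are scoped to the OU's DN and inherited only to the object classes named in each ACE, members of the group can create computers and reset user passwords inside that OU and nowhere else, which is the "broad and shallow" delegation Pete describes. Rerunning the script is safe: the OU and group creation are skipped when they exist, and Set-Acl writes the same ACEs again.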


Pete LongTechnical ConsultantCommented:
I'd like to know how to block the view of the entire AD. I just want to see the delegated OUs, and to exclude groups and users in other OUs.
You can see the complete AD when moving users to a sub-OU or when using Find, even when you're using task view.