
Delegate control of an OU

Hi all,
I want to create several OUs. I need to then create an account that has the rights to add/remove computers and reset or change passwords. I have looked at the delegation wizard but I am not sure this is what I want to do. Also, when you add a machine to the domain the default location is the Computers container. Is there a way to associate who is adding the computer account so that it only goes to the OU they have control over? This way I wouldn't have to check the default location and move computer accounts every morning.
Thanks for your help I love this web site.

1 Solution
Pete Long, Technical Consultant, commented:
Hi RyanFair,
One of Active Directory's (AD's) many benefits is that it’s easy for the network administrator to set up an administrator to manage a specific organizational unit (OU). If you haven’t already organized your users into OUs, consider doing so to make your network more manageable. When a client company has multiple office locations, I typically set up an OU for each office. In general, I prefer an AD design that's broad and shallow as opposed to narrow and deep. An OU administrator will have all the rights that the Administrator has, except the OU administrator will have those rights only for the designated OU. Complete the following steps to create an OU administrator on your network.
1. Create the OU (if you haven’t already done so)—Click Start, Programs, Administrative Tools, Active Directory Users and Computers to open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the domain (or desired location) and select New, Organizational Unit. I suggest establishing a naming convention for your OUs and anything else you create in AD.
2. Move Users to the new OU—As you know, new users are created in the Users container by default. If you already have users created in the Users container, you can move any of these users to the new OU. To do so, simply right-click the user, select Move, then select the desired OU. You can move multiple users at the same time by using Ctrl+click to select the appropriate users, then drag the selected users into the desired OU.
3. Create an OU Administrator User—Start Active Directory Users and Computers. Create a new user in the desired OU, and assign a password.
4. Create an OU Administrators Group in the OU—After doing so, make the OU administrator a member of that group. This approach follows the best practice of assigning rights to a group rather than an individual, then making the user a member of the group. This setup makes future management of the network easier. For example, if you need to grant an existing user OU administrator rights, you can simply make the user a member of the OU Administrators Group, rather than assign the rights individually. If you have a software vendor that must have administrator rights to the OU, you can create a temporary account and password, then add the vendor's account to OU Administrators Group. After the vendor completes the software installation, you can delete the account. This strategy lets the vendor install the software without giving away any administrator passwords. To create the OU Administrators Group, right-click the OU and select New, Group. Make sure to add the user you created in Step 3 to the group you just created.
5. Delegate control of the OU—Start Active Directory Users and Computers. Right-click the desired OU and select Delegate Control. Add the group you created in step 4, and grant the group the appropriate rights for the OU.
6. Delegate control of the Exchange OU—If you're running Microsoft Exchange Server 2000 or later, start the Exchange System Manager (ESM). Open the desired Administrative Group, right-click the group you created in Step 4, and select Delegate Control. Select the desired level of control; typically I set the delegated rights to Exchange Administrator. This approach will let members in the group created in Step 4 act as an Exchange Administrator for users located in a specific Exchange Administrative Group.
7. Grant the Log on Locally right to the domain controller (DC)—This step is necessary if you want to let a user log on to a server acting as a DC. In Active Directory Users and Computers, right-click the Domain Controllers OU. Select Properties, Group Policy, then select the Default Domain Controllers Policy and click Edit. Select Default Domain Controllers Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Log on Locally. Add the group you created in Step 4 to grant the Log on Locally right. Alternatively, you can install the Exchange System Administrator program (AdminPak.msi) on a workstation. To install the program, run setup from the Exchange Server 2003 or Exchange 2000 installation CD-ROM.
8. Refresh the machine policy—For Windows Server 2003 servers, open a command prompt and type

For Windows 2000 servers, type

    secedit /refreshpolicy machine_policy

9. Grant Win2K Server Terminal Services rights—Are you running Terminal Services in remote administration mode? If you want the local administrator to have Terminal Services Administrator access, click Start, Programs, Administrative Tools, Terminal Services Configuration. Right-click RDP-Tcp and select Properties. Click the Permissions tab and select the desired rights for the OU Administrators Group. Of course, you first must install the Terminal Services client on the workstation.

That’s it! After completing these steps, you’re well on your way to making your network easier to manage and more secure.
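As an added example (not part of Pete's answer or the wizard itself), the scripted equivalent of steps 1, 4 and 5 using the RSAT ActiveDirectory module: it creates the OU and the OU Administrators group, then writes the two delegations the question asks for, create/delete computer objects and reset user passwords, directly as ACEs on the OU so they can be reviewed and reproduced. The OU and group names are placeholders; the schema GUIDs are the well-known ones the Delegation of Control Wizard uses.

```powershell
# Added example (not from the original answer): scripted version of steps 1, 4 and 5.
# Assumes RSAT's ActiveDirectory module and a session with rights to modify the domain.
# The OU and group names below are placeholders.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouName   = 'Branch-Office'                  # placeholder OU name
$ouDn     = "OU=$ouName,$domainDn"
$grpName  = "$ouName-OU-Admins"              # placeholder group name

# Step 1: create the OU if it does not exist yet.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn -ProtectedFromAccidentalDeletion $true
}

# Step 4: the group that receives the delegated rights lives inside the OU.
if (-not (Get-ADGroup -Filter "Name -eq '$grpName'")) {
    New-ADGroup -Name $grpName -GroupScope Global -GroupCategory Security -Path $ouDn
}
$groupSid = (Get-ADGroup $grpName).SID

# Step 5: the same ACEs the Delegation of Control Wizard writes, set explicitly.
# Well-known schema GUIDs: computer class, user class, "Reset Password" extended right.
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$userClass     = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$resetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$allow = [System.Security.AccessControl.AccessControlType]::Allow

$acl = Get-Acl -Path "AD:\$ouDn"

# Create and delete computer objects in this OU and in any sub-OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $computerClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# Reset passwords, limited to user objects below the OU (not computers or groups).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review what was granted: these are the ACEs an audit of the OU should show for the group.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$grpName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType
```

Because the group only holds Create Computer objects on this OU, a member places a new machine there by naming the OU at join time (for example Add-Computer -OUPath $ouDn); a join that omits the path still lands in the default Computers container, which is why accounts otherwise have to be moved by hand.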

Pete Long, Technical Consultant, commented:
I'd like to know how to block the view of the entire AD; I just want to see the delegated OUs, and to exclude groups and users in other OUs.
You can see the complete AD when moving users to a sub-OU or when using Find, even when you're using task view.