Active Directory Permission Group Issue

Our organization has a group of Service Techs that are allowed to reset passwords, add computers to the domain, Make changes within their own OU but not other OU's. I am trying to set it so the service techs are not allowed to Create or Delete users but do everything else with in their own OU. Any suggestions on specific deny's?
Who is Participating?
mteskeConnect With a Mentor Commented:
Right click on the OU, select Delegate control, specify the Tech group and you can basically give them any permission needed to perform their can get as finite as just allowing them to simply change fax numbers...of course, this is a wizard...

mdiglioConnect With a Mentor Commented:

This will make more sense after you step through it once.

Open AD Users and Computers > click view > make sure 'Advanced Features' is checked
Right click on the OU > properties >  'security' tab > 'advanced' button.
Now locate the Tech Group and edit the listing that gives them the create ability.

You can give them the deny permission for creating user accounts like you said
or you can remove the create permission and that should be enough
rpartingtonConnect With a Mentor Commented:
Same as the 2 above for a similar query amy help you understand it.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.