Solved

How do I let admins only delete the OUs they created?

Posted on 2007-04-03
2
190 Views
Last Modified: 2013-12-04
Hi
I'm trying to get a controlled AD designed & implemented, but I'm running into a few problems with delete rights in a Windows 2003 AD.

My situation is this: Each physical branch office is going to relate to an OU in the AD. There will be a parent OU, lets call it MASTER, with an OU for each branch office, so let's say OU1, OU2, OU3, and OU4. That's the default set of OUs each branch will receive. I want to delegate so that the each branch admin can, if they so desire, either create more new OUs directly in the branch OU, or create more new OUs in one of either OU1, OU2, OU3, or OU4. I want them to be able to delete whatever they have created themselves, but I **DONT** want them to create any of the defaut set (OU1/2/3/4). I've tried assigning various permutations, such as allowing full control on the branch OU, but explicit deny permissions on the standard OU set, but nothing seems to work because of the way Windows 2003 processes the inherited vs explicit permissions set.

Its proving very annoying!

Thanks for your help
0
Comment
Question by:tbennett35
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 30

Accepted Solution

by:
LauraEHunterMVP earned 250 total points
ID: 18843677
Go to the Properties tab of OU1, OU2, OU3, OU4. Click Advanced from the Security tab and look for the option to configure security settings that apply to "Child objects only" - this will confer rights to create objects underneath Ou1/2/3/4 without the user having rights to modify or delete the OU itself.  You'll have to do this 4 times, once for each of ou1/2/3/4.

Hope this helps.

Laura E. Hunter - Microsoft MVP: Windows Server - Networking
0
 

Author Comment

by:tbennett35
ID: 18843955
Laura Hunter...well well well...I bought your book!

Got to hand it to you...that must probably be about the only thing I didn't try, because I was ripping my hair out yesterday! It worked a treat!
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article outlines the process to identify and resolve account lockout in an Active Directory environment.
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

688 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question