How can i restrict helpdesk staff from deleting,renaming or moving an OU?

In our AD environment , the helpdesk staff have rights to manage both OUs and user accounts. We want to restrict their rights to user accounts alone. They shuld not be able to delete,rename, move an OU. while they should be able to do all these operations in user accounts. We cannot use the built in group "account operators" for this purpose as we do not have rights to add users to this group. Can restrict the rights by setting permissions in OU . If so what all permissions need to be set? Kindly advice
Who is Participating?
shijitvmConnect With a Mentor Author Commented:

Thanks for all those who resonded to the query.

However none of the responses was useful to me as the AD set up in our environment is different. I cannot change the default settings as LauraEHunterMVP mentioned because i do not have the rights for the same. Hence i had found a solution that can be implemented with the rights that i have. The following steps were done:

Right click on OU and select properties->security. Click Add and give the user/groups for which OU management should be restricted

After the user/ Groups are added click on advanced tab .In the Advanced security settings ,select the group that is added and edit the permissions

In the apply onto tab select organizational unit objects. From there denied permissions for deleting, creating, modifying OUs

Now the rights on OU are restricted as per the  requirement

Brian PiercePhotographerCommented:
Do not give them domain admin rights!
You can create a new group and then use the delegation of control wizard to assign the necessary permissions to the group. See
shijitvmAuthor Commented:
They are by default present in a group which have full rights to manage OUs and user accounts.Hence we cannot use deletagate control wizard. If we remove them from the default group they will not be able to login to we need to set deny permissions in OU that will override the default permissions. I want to know what exactly are the permissiosn to be set. Can anyone help
> "They are by default present in a group which have full rights to manage OUs and user accounts."

Then you need to change that "default" setting, since iwhat you are describing is a default within your organization and not a requirement of Active Directory.

> "If we remove them from the default group they will not be able to login to AD."

Again, this is a function of how Active Directory is configured within your organization, not a default setting of Active Directory.  Any user with valid Active Directory credentials can "login to AD"; if you have changed or restricted settings in some way then you need to define what those settings are so that they can be controlled and modified as needed.

If you want your help desk to only have rights to manage user accounts, you can use the Delegation of Control wizard to delegate permissions to only user objects within one or more OUs - delegate a custom task and allow Full Control permissions over user object only.
Closed, 125 points refunded.
Community Support Moderator
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.