

How can I restrict helpdesk staff from deleting, renaming or moving an OU?

Posted on 2007-09-29
Medium Priority
Last Modified: 2012-06-21
In our AD environment, the helpdesk staff have rights to manage both OUs and user accounts. We want to restrict their rights to user accounts alone. They should not be able to delete, rename or move an OU, while they should be able to do all these operations on user accounts. We cannot use the built-in group "Account Operators" for this purpose as we do not have rights to add users to this group. Can we restrict the rights by setting permissions on the OU? If so, what permissions need to be set? Kindly advise.
Question by:shijitvm
LVL 70

Expert Comment

ID: 19983743
Do not give them domain admin rights!
You can create a new group and then use the delegation of control wizard to assign the necessary permissions to the group. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

Author Comment

ID: 19984215
They are by default present in a group which has full rights to manage OUs and user accounts. Hence we cannot use the Delegation of Control wizard. If we remove them from the default group they will not be able to log in to AD, so we need to set deny permissions on the OU that will override the default permissions. I want to know what exactly are the permissions to be set. Can anyone help?
LVL 30

Expert Comment

ID: 19985888
> "They are by default present in a group which have full rights to manage OUs and user accounts."

Then you need to change that "default" setting, since what you are describing is a default within your organization and not a requirement of Active Directory.

> "If we remove them from the default group they will not be able to login to AD."

Again, this is a function of how Active Directory is configured within your organization, not a default setting of Active Directory. Any user with valid Active Directory credentials can "login to AD"; if you have changed or restricted settings in some way then you need to define what those settings are so that they can be controlled and modified as needed.

If you want your help desk to only have rights to manage user accounts, you can use the Delegation of Control wizard to delegate permissions to only user objects within one or more OUs - delegate a custom task and allow Full Control permissions over user object only.

Accepted Solution

shijitvm earned 0 total points
ID: 20072714

Thanks to all those who responded to the query.

However, none of the responses was useful to me as the AD setup in our environment is different. I cannot change the default settings as LauraEHunterMVP mentioned because I do not have the rights for the same. Hence I found a solution that can be implemented with the rights that I have. The following steps were done:

Right-click on the OU and select Properties -> Security. Click Add and enter the users/groups for which OU management should be restricted.

After the users/groups are added, click on the Advanced tab. In the Advanced Security Settings, select the group that was added and edit the permissions.

In the "Apply onto" tab, select Organizational Unit objects. From there, deny permissions for deleting, creating and modifying OUs.

Now the rights on the OU are restricted as per the requirement.
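The same deny entries the accepted answer sets through the GUI, scripted with the RSAT ActiveDirectory module so they can be applied and checked repeatably. This is an added example, not code from the thread; the group name and OU path are constructed placeholders, and the AD: drive is assumed to be present.

```powershell
# Added example, not from the original thread: apply the deny entries the accepted
# answer describes, scoped so they affect OU objects only and leave user objects alone.
# $TargetOU and $GroupName are constructed placeholders; assumes RSAT ActiveDirectory (AD: drive).
Import-Module ActiveDirectory

$TargetOU  = 'OU=Corp,DC=example,DC=com'   # placeholder
$GroupName = 'Helpdesk'                    # placeholder

$group = Get-ADGroup -Identity $GroupName

# schemaIDGUID of the organizationalUnit class: scoping ACEs to this GUID is what the GUI
# calls "Apply onto: Organizational Unit objects" / "Create/Delete Organizational Unit objects".
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ouClass  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=organizationalUnit)' -Properties schemaIDGUID
$ouGuid   = New-Object System.Guid -ArgumentList (,$ouClass.schemaIDGUID)

$acl = Get-Acl -Path "AD:\$TargetOU"

# Deny creating/deleting child objects of class OU, at this OU and everything below it.
# ObjectType = OU class GUID means CreateChild/DeleteChild for user objects is untouched.
$denyChild = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Deny,
    $ouGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Deny Delete/DeleteTree/WriteProperty on descendant objects that are OUs.
# Rename and move both need these rights on the OU itself, so both are blocked.
$denyOu = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, WriteProperty',
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ouGuid)

$acl.AddAccessRule($denyChild)
$acl.AddAccessRule($denyOu)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Check: list the deny entries now present for the group on the target OU
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -like "*\$GroupName" } |
    Format-Table ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize
```

An explicit Allow set directly on a child OU still outranks these inherited Deny entries, so audit the child OUs for explicit entries granted to the same group before relying on this.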


Expert Comment

ID: 20099722
Closed, 125 points refunded.
Community Support Moderator
