Active Directory OU Special Permissions

Hello kam_uk,

What permissions? do you mean delegated permissions?


There are times when you want to give a particular user/group, rights to do mundane tasks
like unlock accounts reset passwords etc but you DONT (for obvious reasons) want to put
them in the domain admins group. The simplest solution is to put the users into the "account
operators" group, the drawback of this is they then have those rights across the ENTIRE DOMAIN.

A more practical solution is to use the built in delegation of control wizard, for example
if your finance department want a user or group of users to be able to manage THEIR user
accounts only then simply create a finance OU (organisational Unit) in active directory
(in AD users and computers > right click [yourdomain] > new > Organisational unit)

Move the user objects into this OU (select the user(s) right click >move)

Decide weather its an individual user you want to grant rights to or a group of users. If
its a group create a group (in the OU you created) and put in the users who need the rights.

Now simply right click the new OU and select "Delegate control" follow the on screen wizard
and give the appropriate rights to the group or user.

Delegation of Control
http://www.windowsitpro.com/SmallBusinessCenter/Article/ArticleID/22555/SmallBusinessCenter_22555.html

Step-by-Step Guide to Using the Delegation of Control Wizard
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/directory/activedirectory/stepbystep/ctrlwiz.mspx

Regards,

PeteLong

Hi Pete

Sorry, I mean Security Permissions on the container!

Any idea?

Do I need to copy all the relevant Security permissions manually and apply them on the other container?

why do you need custom permissions on the OU what are you trying to achieve?

Just copy them across...one group has special permission applied to an OU, i need to have the same special permissions applied to another group