Tacobell2000

asked on

Locking down an OU in AD Windows 2008 Server

Hello,

I am managing an AD Windows 2008 Forest with multiple domains and we've just acquired another company. Because of compliancy and security crap from auditors I have to come up with a way to integrate this new company into my Forest. Management mentioned that they can sell the idea to the security auditors of creating an OU and putting the users of the different company in there and locking that OU down so that they are not able to do anything at the root of the Forest.

Tacobell2000
Darius Ghassem

What security provisions do you want to put in? You apply Group Policies to stop them from doing functions but it depends on what you want to restrict.
A forest, domain or OU can in theory operate as a security boundary, but domain users won't be able to do much unless they are granted permissions to do so anyway, but as Darius said, some more info is required. Of course, if you granted or left default permissions for domain users or authenticated users to resources, you have to undo that to be able to restrict things.

ASKER

OK... I just want these users (integrated company) to have their own OU and to be able to manage their OU only. I do not want them to modify anything else, just their OU.
Does this make sense?

Tacobell2000
ASKER CERTIFIED SOLUTION
Mike Thomas

This solution is only available to members.
You could also delegate to them by right-clicking the OU and selecting that option and running through the wizard, but that might be too restrictive for admins AND IMO causes too much bad feeling and mistrust without reason.
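
An OU delegation of the kind mentioned above can also be scripted with `dsacls` and then checked, as in this added example (not part of the original thread). The OU, domain and group names are assumed placeholders; the script grants the group control of the OU subtree only and then confirms the group is not named in any ACE on the domain root.

```powershell
# Added example: the names below are assumed placeholders, not values from the thread.
$OuDn     = 'OU=AcquiredCo,DC=corp,DC=example,DC=com'  # OU holding the acquired company's objects
$DomainDn = 'DC=corp,DC=example,DC=com'                # domain root that must stay untouched
$Group    = 'CORP\AcquiredCo-OU-Admins'                # group for the acquired company's admins

# Return the dsacls output lines that name the given principal on an object.
function Get-AceLines {
    param([string]$Dn, [string]$Principal)
    $out = dsacls $Dn
    if ($LASTEXITCODE -ne 0) { throw "dsacls could not read $Dn" }
    $out | Select-String -SimpleMatch -Pattern $Principal
}

# Grant the group generic-all (GA) on the OU; /I:T applies the ACE to the OU
# itself and to every object beneath it. Nothing is granted above the OU.
dsacls $OuDn /I:T /G "${Group}:GA" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "dsacls could not set the ACE on $OuDn" }

# Check 1: the ACE is now present on the OU.
$onOu = @(Get-AceLines $OuDn $Group)
if ($onOu.Count -eq 0) { throw "Expected an ACE for $Group on $OuDn, found none" }

# Check 2: the group is not named in any ACE on the domain root.
# This only finds ACEs that name the group directly; rights that reach its
# members through other group memberships have to be reviewed separately.
$onRoot = @(Get-AceLines $DomainDn $Group)
if ($onRoot.Count -gt 0) {
    Write-Warning "$Group also has ACEs on the domain root:"
    $onRoot | ForEach-Object { Write-Warning $_.ToString().Trim() }
} else {
    Write-Host "$Group is delegated on $OuDn only; no ACE on $DomainDn"
}
```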




SOLUTION
This solution is only available to members.
Just curious... how about creating a child domain and letting them have whatever control they want on the newly created domain and restricting them at the forest level... will that work?

Tacobell2000
Also... how about creating a new forest and creating trusts between them... that would probably be the way to go... since domains are not security boundaries.
You can create a new tree within your current forest if you want to do that.