Locking down an OU in AD Windows 2008 Server

Hello,

I am managing an AD Windows 2008 Forest with multiple domains and we've just acquired another company. Because of compliancy and security crap from auditors I have to come up with a way to integrate this new company into my Forest. Management mentioned that they can sell the idea to the security auditors of creating an OU and putting the users of the different company in there and locking that OU down so that they are not able to do anything at the root of the Forest.

Tacobell2000

2 Solutions

Darius Ghassem commented:
What security provisions do you want to put in? You can apply Group Policies to stop them from doing certain functions, but it depends on what you want to restrict.

Mike Thomas (Consultant) commented:
A forest, domain or OU can in theory operate as a security boundary, but domain users won't be able to do much unless they are granted permissions to do so anyway. As Darius said, some more info is required. Of course, if you granted or left default permissions for domain users or authenticated users to resources, you have to undo that to be able to restrict things.

Tacobell2000 (Author) commented:
OK... I just want these users (integrated company) to have their own OU and to be able to manage their OU only. I do not want them to modify anything else, just their OU.
Does this make sense?

Tacobell2000

Mike Thomas (Consultant) commented:
That's fine, that can be done. Stick them all in an OU, add any admins into a group you create called, say, "other company admins", then, with Advanced Features enabled in AD Users & Computers, open Properties on that OU, select the Security tab and give "other company admins" Full Control. They will in effect be domain admin, but just for that group and nothing else.

Mike Thomas (Consultant) commented:
You could also delegate to them by right-clicking the OU, selecting that option and running through the wizard, but that might be too restrictive for admins and IMO causes too much bad feeling and mistrust without reason.

Darius Ghassem commented:
That does make sense. You can use delegation with AD to give them access to their own OU and to manage the OU.

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html

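The OU-level delegation the three comments above describe (a dedicated OU, an admin group for the acquired company, Full Control on that OU only) can be scripted rather than clicked through in the ACL editor, which also gives you something an auditor can read. The script below is an added example, not code posted by anyone in this thread. It assumes the names `AcquiredCo` for the OU and `OtherCompany-Admins` for the group, and it needs the ActiveDirectory PowerShell module (Windows Server 2008 R2 or the RSAT tools; the original Windows Server 2008 does not ship it, in which case the equivalent `dsacls` call shown in the comment does the same job). Two caveats a practitioner should weigh before running it: Full Control on the OU includes write access to the OU's own attributes, so the delegated admins can link and unlink GPOs on it (gPLink) and reset the password of any account placed inside it; and accounts that are members of protected groups (Domain Admins, Enterprise Admins, and so on) must never live in that OU, because SDProp will keep re-stamping their ACLs from AdminSDHolder and the delegation will not behave as expected anyway.

```powershell
# Added example (not from the original thread): delegate Full Control over a
# single OU to a group, as the comments describe, scripted so it can be
# reviewed and repeated. OU and group names are assumptions.
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName    # e.g. DC=corp,DC=example
$ouName    = 'AcquiredCo'                        # assumed OU name
$groupName = 'OtherCompany-Admins'               # assumed group name
$ouDN      = "OU=$ouName,$domainDN"

# 1. Create the OU (protected against accidental deletion) and the admin group
#    inside it. Both steps are skipped if the object already exists.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDN -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDN
}

# 2. Grant the group GenericAll (Full Control) on the OU, inherited by every
#    object beneath it. Nothing is changed anywhere else in the directory.
$groupSid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Equivalent on a box without the AD module (Windows Server 2008), run as a
# Domain Admin:  dsacls "OU=AcquiredCo,DC=corp,DC=example" /I:T /G "CORP\OtherCompany-Admins:GA"

# 3. Verify: show only the explicit (non-inherited) ACEs on the OU that name
#    the delegated group. Anything else listed here deserves an explanation.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference -like "*\$groupName" } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Run it once as a Domain Admin from a machine that can reach a writable domain controller. The verification step at the end is the part worth keeping for the auditors: re-run it periodically and compare, since the whole point of the OU approach is that the acquired company's admins hold exactly one explicit grant, on exactly one container, and nothing at the domain or forest root.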
Tacobell2000 (Author) commented:
Just curious... how about creating a child domain and letting them have whatever control they want on the newly created domain, while restricting them at the forest level? Will that work?

Tacobell2000

Tacobell2000 (Author) commented:
Also... how about creating a new forest and creating trusts between them? That would probably be the way to go, since domains are not security boundaries.

Darius Ghassem commented:
You can create a new tree within your current forest if you want to do that.