Solved

Locking down an OU in AD Windows 2008 Server

Posted on 2010-08-26
9
737 Views
Last Modified: 2012-05-10
Hello,

I am managing an AD Windows 2008 Forest with multiple domains and we've just acquired another company. Because of compliancy and security crap from auditors I have to come up with a way to integrate this new company into my Forest. Management mentioned that they can sell the idea to the security auditors of creating an OU and putting the users of the different company in there and locking that OU down so that they are not able to do anything at the root of the Forest.

Tacobell2000
0
Comment
Question by:Tacobell2000
  • 3
  • 3
  • 3
9 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
What security provisions do you want to put in? You apply Group Policies to stop them from doing functions but it depends on what you want to restrict.
0
 
LVL 24

Expert Comment

by:MojoTech
Comment Utility
A forrest, domain or OU can in theory operate as a security boundry but domain users won't be able to do much unless they are granted permissions to do so anyways but as darius said, some more info is required. Of course if you granted or left default permissions for domain users or authenticated users to recoursces you have to undo that to be able to restrict things.

0
 

Author Comment

by:Tacobell2000
Comment Utility
ok....i just want these users (integrated company) to have their own OU and to be able to manage their OU only. I do not want them to modify anything else just their OU.
Does this make sense?

Tacobell2000
0
 
LVL 24

Accepted Solution

by:
MojoTech earned 250 total points
Comment Utility
That's fine that can be done, stick them all in an OU, add any admins into a group you create called say "other company admins" then when selecting advanced view in AD U&C select the security tab on that OU, then properties and give "other company admns" full contro,l they will in effect be domain admin but just for that group and nothing else.






0
Complete Microsoft Windows PC® & Mac Backup

Backup and recovery solutions to protect all your PCs & Mac– on-premises or in remote locations. Acronis backs up entire PC or Mac with patented reliable disk imaging technology and you will be able to restore workstations to a new, dissimilar hardware in minutes.

 
LVL 24

Expert Comment

by:MojoTech
Comment Utility
You could alos delegate to them by right clicking the OU and slecting that option and running thruough the wizard but that might be too restrictive for admins AND IMO causes too much bad feeling and mistrust without reason.




0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 250 total points
Comment Utility
That does make sense you can use delegation with AD to give them access to their own OU and to manage the OU.

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
0
 

Author Comment

by:Tacobell2000
Comment Utility
Just curious....how about creating a child domain and let them have whatever control they want on the newly created domain and restricting them at the forest level.....will that work?

Tacobell2000
0
 

Author Comment

by:Tacobell2000
Comment Utility
Also....how about creating a new forest and creating trusts between them....that would probably be the way to go....since domains are not security boundaries.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
Comment Utility
You can create a  new tree within your current forest if you want to do that.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Join & Write a Comment

To effectively work with Diskpart on a Server Core, it is necessary to write some small batch script's, because you can't execute diskpart in a remote powershell session. To get startet, place the Diskpart batch script's into a share on your loca…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now