?
Solved

Locking down an OU in AD Windows 2008 Server

Posted on 2010-08-26
9
Medium Priority
?
748 Views
Last Modified: 2012-05-10
Hello,

I am managing an AD Windows 2008 Forest with multiple domains and we've just acquired another company. Because of compliancy and security crap from auditors I have to come up with a way to integrate this new company into my Forest. Management mentioned that they can sell the idea to the security auditors of creating an OU and putting the users of the different company in there and locking that OU down so that they are not able to do anything at the root of the Forest.

Tacobell2000
0
Comment
Question by:Tacobell2000
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 3
9 Comments
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33537418
What security provisions do you want to put in? You apply Group Policies to stop them from doing functions but it depends on what you want to restrict.
0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33537512
A forrest, domain or OU can in theory operate as a security boundry but domain users won't be able to do much unless they are granted permissions to do so anyways but as darius said, some more info is required. Of course if you granted or left default permissions for domain users or authenticated users to recoursces you have to undo that to be able to restrict things.

0
 

Author Comment

by:Tacobell2000
ID: 33537628
ok....i just want these users (integrated company) to have their own OU and to be able to manage their OU only. I do not want them to modify anything else just their OU.
Does this make sense?

Tacobell2000
0
Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

 
LVL 24

Accepted Solution

by:
Mike Thomas earned 1000 total points
ID: 33537665
That's fine that can be done, stick them all in an OU, add any admins into a group you create called say "other company admins" then when selecting advanced view in AD U&C select the security tab on that OU, then properties and give "other company admns" full contro,l they will in effect be domain admin but just for that group and nothing else.






0
 
LVL 24

Expert Comment

by:Mike Thomas
ID: 33537676
You could alos delegate to them by right clicking the OU and slecting that option and running thruough the wizard but that might be too restrictive for admins AND IMO causes too much bad feeling and mistrust without reason.




0
 
LVL 59

Assisted Solution

by:Darius Ghassem
Darius Ghassem earned 1000 total points
ID: 33537733
That does make sense you can use delegation with AD to give them access to their own OU and to manage the OU.

http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
0
 

Author Comment

by:Tacobell2000
ID: 33543382
Just curious....how about creating a child domain and let them have whatever control they want on the newly created domain and restricting them at the forest level.....will that work?

Tacobell2000
0
 

Author Comment

by:Tacobell2000
ID: 33543483
Also....how about creating a new forest and creating trusts between them....that would probably be the way to go....since domains are not security boundaries.
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 33543504
You can create a  new tree within your current forest if you want to do that.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes drives fill up and we don't know why.  If you don't understand the best way to use the tools available, you may end up being stumped as to why your drive says it's not full when you have no space left!  Here's how you can find out...
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the steps necessary to configure their installation of BackupExec 2012 to use network shared disk space. Verify that the path to the shared storage is valid and that data can be written to that location:…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question