Solved

Is it possible to restrict the Class of Objects created in an OU

Posted on 2014-04-04
5
262 Views
Last Modified: 2014-05-24
I am currently engaged in designing an OU for an organisation with very few staff. Their old Domain became unamanagable as objects where created invarious ous with no pattern.
I have created certain OU's for groups, Staff, desktops\laptops and Servers.
I would like at the very least restrict the object class created in these OUs eg Staff OU - Only user objects can be created in it.

The Domain is an 2012 R2 Domain.

Thanks in adavance for your help
0
Comment
Question by:ukpowo
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39978286
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39978484
By default when you create standard user account, it do not have any permissions to create any type of object in active directory

Hence when you delegate user on OU to create \ delete particular objects, it can create only that objects

However this rule is not applicable to high privileged accounts such as domain admins

Mahesh.
0
 

Accepted Solution

by:
ukpowo earned 0 total points
ID: 40067358
The suggestions above do not address the core question.  My requirement is to restrict within a specific OU the creation of a specific object type. For example in the "Users" OU I require that only User Objects can be created in that OU by anyone inclusive of Domain Admins.
My proposed solution is to re-acl the security in the OU by ...

i.     Make Enterprise Admins Owners of All OU. This allows only Enterprise Admins to have ability to change OU acl's.
ii.    Remove Domain Admins from acl.
iii.   Remove all security Principals from OU acl with more than read permissions. Exceptions below.
iv.   Exceptions to iii above are
       a. Enterprise Domain Controllers - Read
       b. Authenticated Users - Read
       c. SYSTEM - Full Control
       d. Pre-Windows 2000 Compatibility Access
       e. Administrators - Special
       f.  Self.
v.    Add Security Group 1 with privilege to Create User Object.
vi.   Add Security Group 2 with privilege to Modify User Object.
vii.  Add Security Group 3 with privilege to Delete User Object.

I am going to implement this in my Test Lab and see if it works.
0
 
LVL 37

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40068125
You can do what you are trying to do with pleasure and it works well for normal accounts but still you can't restrict domain admins
Do not forget  that domain admins has most powerful security group in active directory and even if you revoke its permissions from any OU, once the user having domain admins logged on to DC, it can add domain admins \ its own ID again on OU acl with full control and all your efforts will be remain night mare.
If you don't believe me, just try to do that

According to me you cannot block domain admins from doing any things..
This is by design to avoid any active directory ACL malfunction

The only best way I can see is to delegate required users \ groups with required granular permissions as my earlier comment.

Mahesh.
0
 

Author Closing Comment

by:ukpowo
ID: 40088110
My solution fits specific requirements of problem.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick Powershell script I wrote to find old program installations and check versions of a specific file across the network.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of installing the necessary services and then configuring a Windows Server 2012 system as an iSCSI target. To install the necessary roles, go to Server Manager, and select Add Roles and Featu…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question