• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 275
  • Last Modified:

Is it possible to restrict the Class of Objects created in an OU

I am currently engaged in designing an OU for an organisation with very few staff. Their old Domain became unamanagable as objects where created invarious ous with no pattern.
I have created certain OU's for groups, Staff, desktops\laptops and Servers.
I would like at the very least restrict the object class created in these OUs eg Staff OU - Only user objects can be created in it.

The Domain is an 2012 R2 Domain.

Thanks in adavance for your help
0
ukpowo
Asked:
ukpowo
  • 2
  • 2
2 Solutions
 
Brad BouchardInformation Systems Security OfficerCommented:
0
 
MaheshArchitectCommented:
By default when you create standard user account, it do not have any permissions to create any type of object in active directory

Hence when you delegate user on OU to create \ delete particular objects, it can create only that objects

However this rule is not applicable to high privileged accounts such as domain admins

Mahesh.
0
 
ukpowoAuthor Commented:
The suggestions above do not address the core question.  My requirement is to restrict within a specific OU the creation of a specific object type. For example in the "Users" OU I require that only User Objects can be created in that OU by anyone inclusive of Domain Admins.
My proposed solution is to re-acl the security in the OU by ...

i.     Make Enterprise Admins Owners of All OU. This allows only Enterprise Admins to have ability to change OU acl's.
ii.    Remove Domain Admins from acl.
iii.   Remove all security Principals from OU acl with more than read permissions. Exceptions below.
iv.   Exceptions to iii above are
       a. Enterprise Domain Controllers - Read
       b. Authenticated Users - Read
       c. SYSTEM - Full Control
       d. Pre-Windows 2000 Compatibility Access
       e. Administrators - Special
       f.  Self.
v.    Add Security Group 1 with privilege to Create User Object.
vi.   Add Security Group 2 with privilege to Modify User Object.
vii.  Add Security Group 3 with privilege to Delete User Object.

I am going to implement this in my Test Lab and see if it works.
0
 
MaheshArchitectCommented:
You can do what you are trying to do with pleasure and it works well for normal accounts but still you can't restrict domain admins
Do not forget  that domain admins has most powerful security group in active directory and even if you revoke its permissions from any OU, once the user having domain admins logged on to DC, it can add domain admins \ its own ID again on OU acl with full control and all your efforts will be remain night mare.
If you don't believe me, just try to do that

According to me you cannot block domain admins from doing any things..
This is by design to avoid any active directory ACL malfunction

The only best way I can see is to delegate required users \ groups with required granular permissions as my earlier comment.

Mahesh.
0
 
ukpowoAuthor Commented:
My solution fits specific requirements of problem.
0

Featured Post

Creating Active Directory Users from a Text File

If your organization has a need to mass-create AD user accounts, watch this video to see how its done without the need for scripting or other unnecessary complexities.

  • 2
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now