Solved

Is it possible to restrict the Class of Objects created in an OU

Posted on 2014-04-04
5
251 Views
Last Modified: 2014-05-24
I am currently engaged in designing an OU for an organisation with very few staff. Their old Domain became unamanagable as objects where created invarious ous with no pattern.
I have created certain OU's for groups, Staff, desktops\laptops and Servers.
I would like at the very least restrict the object class created in these OUs eg Staff OU - Only user objects can be created in it.

The Domain is an 2012 R2 Domain.

Thanks in adavance for your help
0
Comment
Question by:ukpowo
  • 2
  • 2
5 Comments
 
LVL 17

Expert Comment

by:Brad Bouchard
ID: 39978286
0
 
LVL 36

Expert Comment

by:Mahesh
ID: 39978484
By default when you create standard user account, it do not have any permissions to create any type of object in active directory

Hence when you delegate user on OU to create \ delete particular objects, it can create only that objects

However this rule is not applicable to high privileged accounts such as domain admins

Mahesh.
0
 

Accepted Solution

by:
ukpowo earned 0 total points
ID: 40067358
The suggestions above do not address the core question.  My requirement is to restrict within a specific OU the creation of a specific object type. For example in the "Users" OU I require that only User Objects can be created in that OU by anyone inclusive of Domain Admins.
My proposed solution is to re-acl the security in the OU by ...

i.     Make Enterprise Admins Owners of All OU. This allows only Enterprise Admins to have ability to change OU acl's.
ii.    Remove Domain Admins from acl.
iii.   Remove all security Principals from OU acl with more than read permissions. Exceptions below.
iv.   Exceptions to iii above are
       a. Enterprise Domain Controllers - Read
       b. Authenticated Users - Read
       c. SYSTEM - Full Control
       d. Pre-Windows 2000 Compatibility Access
       e. Administrators - Special
       f.  Self.
v.    Add Security Group 1 with privilege to Create User Object.
vi.   Add Security Group 2 with privilege to Modify User Object.
vii.  Add Security Group 3 with privilege to Delete User Object.

I am going to implement this in my Test Lab and see if it works.
0
 
LVL 36

Assisted Solution

by:Mahesh
Mahesh earned 500 total points
ID: 40068125
You can do what you are trying to do with pleasure and it works well for normal accounts but still you can't restrict domain admins
Do not forget  that domain admins has most powerful security group in active directory and even if you revoke its permissions from any OU, once the user having domain admins logged on to DC, it can add domain admins \ its own ID again on OU acl with full control and all your efforts will be remain night mare.
If you don't believe me, just try to do that

According to me you cannot block domain admins from doing any things..
This is by design to avoid any active directory ACL malfunction

The only best way I can see is to delegate required users \ groups with required granular permissions as my earlier comment.

Mahesh.
0
 

Author Closing Comment

by:ukpowo
ID: 40088110
My solution fits specific requirements of problem.
0

Featured Post

VMware Disaster Recovery and Data Protection

In this expert guide, you’ll learn about the components of a Modern Data Center. You will use cases for the value-added capabilities of Veeam®, including combining backup and replication for VMware disaster recovery and using replication for data center migration.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

806 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question