How can I give permissions to one account to create/modify/delete OU in Active Directory?


Solution 1

There are two ways you can really do this.

  1. As above, go into the Active Directory Users and Computers console, create an OU just under your domain that envelops your entire domain, then use the Delegate Control Wizard to provide the permissions to the users or groups as needed. That tool can be found by right-clicking the OU in question. For organizational reasons it is generally best to create a group and nest all the users that need to administer the OU and groups in that group. This means that you can add and remove users with those permissions quickly without having to further change your base distribution.

  2. Go into the 'View' menu in Active Directory Users and Computers and enable the 'Advanced Features' option. You can then right-click on your base domain OU or the secondary OU that you create as I suggested above and go into the properties. With the Advanced View on, each OU will have its own Security tab. From there you can go to each security group and granularly alter the permissions on those OUs based on groups or users. If you go into the advanced view in Security you can break each permission down into each component and alter them as specifically or as openly as you'd like.

Solution 2

You should always try to delegate tasks in Active Directory based on least-privilege.

For the tasks you wish to delegate, you only need to grant Create Child - User Objects, Create Child - Group Objects and Create Child - Organizational Unit Objects permissions.

To do so, you'll be best off creating an OU immediately under your domain object, creating a group to delegate access to, and then granting the above three permissions on the OU using the steps outlined above by Laranostz.

After you have delegated these tasks, you should also make sure that you verify your delegations. For more info on how to verify delegations: http://www.activedirsec.com/how_to_verify_delegations.html

There is also a tool that can help verify delegations called "Gold Finger for AD". It was designed by a former Microsoft Security Expert and I believe it is also endorsed by Microsoft.

Disclaimer: I am not affiliated with the vendor of the above mentioned tool. I have used the tool and think highly of it, so I am mentioning it, because it is important to verify delegations.
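As an added example (this is not code from any of the answers above), the following PowerShell grants the three Create Child rights named in Solution 2 on a delegation OU to a group, which is what Solution 1 does through the Delegate Control Wizard or the OU's Security tab, and then reads the ACL back so the delegation can be verified as Solution 2 recommends. The OU distinguished name and the group name are placeholders for your own domain; the object-class GUIDs are looked up from the schema at runtime rather than hardcoded.

```powershell
# Added example, not part of any answer above: delegate "Create Child" for
# user, group and organizationalUnit objects on a single OU to a group,
# then read the ACL back to verify what was actually granted.
# Assumes the ActiveDirectory PowerShell module (RSAT) is installed and
# that the session has rights to modify the OU's security descriptor.
# $ouDN and $groupName are placeholders for your own environment.
Import-Module ActiveDirectory

$ouDN      = 'OU=Delegated,DC=example,DC=com'   # placeholder: OU created directly under the domain
$groupName = 'OU-Admins'                        # placeholder: group that receives the delegation

# Access rules are keyed by SID, so resolve the group first.
$groupSid = (Get-ADGroup -Identity $groupName).SID

# Look up each object class's schemaIDGUID in the schema partition; that GUID
# is what scopes a CreateChild right to exactly one object class.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$classGuids = @{}
foreach ($class in 'user', 'group', 'organizationalUnit') {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$class)" -Properties schemaIDGUID
    $classGuids[$class] = [guid]$schemaObj.schemaIDGUID
}

# Fetch the OU's current ACL through the AD: drive and add one ACE per class.
$acl     = Get-Acl -Path "AD:\$ouDN"
$right   = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All   # this OU and OUs created beneath it
foreach ($class in $classGuids.Keys) {
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
        -ArgumentList @($groupSid, $right, $allow, $classGuids[$class], $inherit)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: read the ACL back and list only the ACEs held by the group,
# translating each ObjectType GUID back to its class name.
$guidToClass = @{}
foreach ($entry in $classGuids.GetEnumerator()) { $guidToClass[$entry.Value] = $entry.Key }

(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$groupName" } |
    ForEach-Object {
        $className = if ($guidToClass.ContainsKey($_.ObjectType)) { $guidToClass[$_.ObjectType] } else { $_.ObjectType }
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Right       = $_.ActiveDirectoryRights
            Type        = $_.AccessControlType
            ObjectClass = $className
            Inheritance = $_.InheritanceType
        }
    } | Format-Table -AutoSize
```

The final table is the check: it should show exactly three Allow entries for the group, each CreateChild scoped to one of user, group and organizationalUnit, and nothing else. Any ACE for the group that is not scoped to an object class (an empty ObjectType GUID) would be an unscoped Create Child right and should be investigated, since that is broader than the delegation Solution 2 describes.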

Solution 3

Have a look at the delegation feature of Active Directory. I would create an OU in your domain and then delegate at that OU level instead of at the domain level. This will keep your user locked to only creating OUs within this OU. I believe you will have to go into the advanced permissions part of the delegation wizard.


Author: xabim

Updated on September 17, 2022

Comments

  • xabim (over 1 year ago):

    I have one account and I don't want to give it Administrator permissions, only to create OUs, users, and groups. The trouble is that Account Operators can't create OUs. How can I add a group for this purpose? Or can I change the permissions of the Account Operators group?

    The domain is made with Windows Server 2003.