
Locking down OU delegation (Was: Active Directory)


  • Locking down OU delegation (Was: Active Directory)

    A little background on our domain setup. Company has multiple locations throughout the world. For the most part, each location has a specific OU. Within each OU is a Computers container/OU, a server container, User OU, etc. At each site, we have a local IT Support person. We have delegated the user rights to manage this OU (the location OU and child OUs underneath). Also, off of the root of the domain we have a NEWCOMPUTERS OU. This OU is where new computer accounts get created when introduced to the domain. We have a GPO that applies to these computers that essentially locks these computers down until they are moved to the appropriate OU. We would like to lock the OUs down even further. Currently the local IT support individuals have full control over their specific OU. What we would like is as follows:

    1.) Local IT to introduce new computers to domain
    2.) Create User ID and group within their specific OU
    3.) Move computers out of the NEWCOMPUTERS OU into their specific location
    4.) Delete User accounts and Computer accounts
    5.) Reset passwords
    6.) Move AD objects around within their specific OU.

    One thing I specifically do not want them doing is to be able to copy accounts. I want all accounts to be created from scratch. How can I prevent them from copying accounts?

    So in order to obtain this, what delegations would I need to implement?
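    The six requirements listed in the post above map onto per-class ACL grants, shown here as an added example that is not part of the original thread. It replaces the group's Full Control on the site OU with create/delete rights for user, group and computer objects plus control of those objects only, and grants just enough on NEWCOMPUTERS to create computers and move them out. The group name, domain and OU distinguished names are placeholders.

```powershell
# Added example; all names below are placeholders, not values from the thread.
$grp          = 'EXAMPLE\Site1-IT-Support'          # local IT support group (assumed)
$siteOu       = 'OU=Site1,DC=example,DC=com'        # location OU (assumed)
$newComputers = 'OU=NEWCOMPUTERS,DC=example,DC=com' # staging OU off the domain root

# Save the current ACLs so the change can be reviewed and reversed.
dsacls $siteOu       | Out-File '.\Site1-acl-before.txt'
dsacls $newComputers | Out-File '.\NEWCOMPUTERS-acl-before.txt'

# Remove every ACE the group holds on the site OU (its current Full Control).
dsacls $siteOu /R $grp

# Items 2, 4, 5, 6: create/delete users, groups and computers in the site OU
# and its child OUs, and manage (reset, rename, move) only those objects.
foreach ($class in 'user', 'group', 'computer') {
    # /I:T = this OU and sub-containers: Create Child / Delete Child of $class
    dsacls $siteOu /I:T /G "${grp}:CCDC;$class"
    # /I:S = descendant objects only: Full Control over objects of $class
    dsacls $siteOu /I:S /G "${grp}:GA;;$class"
}

# Item 1: create computer accounts in the staging OU (domain join).
dsacls $newComputers /I:T /G "${grp}:CC;computer"

# Item 3: a move needs delete on the source object, write access to its
# naming attributes, and create-child at the destination (granted above).
dsacls $newComputers /I:S /G "${grp}:SD;;computer"
dsacls $newComputers /I:S /G "${grp}:WP;name;computer"
dsacls $newComputers /I:S /G "${grp}:WP;cn;computer"

# Review what the group now holds on each OU.
dsacls $siteOu       | Select-String -SimpleMatch $grp
dsacls $newComputers | Select-String -SimpleMatch $grp
```

    With these grants the group can no longer edit the OU's own ACL, create or delete child OUs, or change GPO links on the site OU, which Full Control allowed.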

  • #2
    Re: Active Directory

    Moved to AD forum for better response

    What is your domain and forest FL?
    What OS are the new computers?
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd



    • #3
      Re: Locking down OU delegation (Was: Active Directory)

      Functional Level is 2008. Most OS are XP and a few Windows 7.


      • #4
        Re: Locking down OU delegation (Was: Active Directory)


        Will your admin be logging on to the server, or would they be doing this via RSAT on Win7 machines?
        Thanks & Regards

        MCTS 2008, MCTIP, MCSE 2003, MCSA+Messaging E2K3, MCP, E2K7
        Sr. Wintel Eng. (Investment Bank)
        Independent IT Consultant and Architect
