
Restricting to Particular OU


  • Restricting to Particular OU

    Hi everyone there...

    I have a single-domain Active Directory setup. For the branch office I have an OU which contains user accounts and computers. A System Admin has rights over this OU to manage user accounts and client machines. As I have seen, I can restrict the System Admin from accessing snap-in Administrative Tools like DNS, Active Directory Sites and Services etc. through Group Policy. But my concern is that when he is accessing Active Directory Users and Computers to manage his OU, he is able to view other OUs' objects or members in groups. How do I restrict him to ONLY his OU?

    Thanks in advance

    Khan

  • #2
    Re: Restricting to Particular OU

    Well, this is a tough one and not very easy to achieve IMO.
    Theoretically, in order to do that you've got to deal with stripping the default read permissions for certain security principals (i.e. the Authenticated Users group) and then reassigning permissions based on your delegation structure.
    But since I haven't tried this in practice I am not quite sure if it'll work and what other consequences it will have.

    Practically, I'd say not to mess with default AD permissions.
    If you have followed good delegation procedures I wouldn't worry about it.
    Alternatively, you can choose different Child domains to further isolate AD resources.
    Caesar's cipher - 3

    ZKHQ BRX HYHQWXDOOB GHFLSKHU WKLV BRX ZLOO UHDOLVH LW ZDV D ZDVWH RI WLPH!

    SFX JNRS FC U6 MNGR
