September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
5.9. Delegating Control of an OU
Problem
You want to delegate administrative access of an OU to allow a group of users to manage objects in the OU.
Solution
Using a graphical user interface
Open the Active Directory Users and Computers snap-in.
If you need to change domains, right-click on “Active Directory Users and Computers” in the left pane, select Connect to Domain, enter the domain name, and click OK.
In the left pane, browse to the target OU, right-click on it, and select Delegate Control.
Select the users and/or groups to delegate control to by using the Add button and click Next.
Select the type of privilege to grant the users/groups and click Next.
Click Finish.
Using a command-line interface
ACLs can be set via a command-line with the dsacls
utility from the Support Tools. See Recipe 14.10 for more information.
Discussion
Although you can delegate control of an OU to a particular user, it is generally a better practice to use a group instead. Even if there is only one user to delegate control to, you should create a group, add that user as a member, and use that group in the ACL. That way, in the future when you have to replace that user with someone else, you can make sure the new person is in the correct group instead of modifying ACLs again.
See Also
Recipe 14.10 for changing the ACL on an object