Hey everyone! I'm diving into Active Directory for the first time and I need some help with delegating rights properly. I currently have a bunch of organizational units (OUs) set up, like Domain Users and Domain Workstations, but I'm finding my permissions are too broad. I'd like to shift to a least-privilege model. I'm thinking of creating some specific delegation groups with focused permissions. Here's what I have in mind so far:
- **DLG-DomainUsersOU-ModifyAccess**: Modify user objects only (create, delete, edit attributes) for the Domain Users OU.
- **DLG-DomainWorkstationsOU-ModifyAccess**: Modify computer objects only for the Domain Workstations OU.
- **DLG-DomainUsersOU-AccountAccess**: Limited permissions for password resets and account unlocks in the Domain Users OU.
I'd love to hear your thoughts and any advice on potential issues I might run into!
3 Answers
Just to clarify, 'Full Control' is typically reserved for admins to modify permissions and delegate access, not for regular object management. When you're planning your delegation, it's essential to use specific permissions to avoid inadvertently granting too much power.
I found a great write-up on how to delegate OU permissions effectively—it really helped me clarify some of these issues! You might want to check it out [here](https://www.yster.org/2018/10/role-based-access-control).
Your plan looks solid! It really depends on how many teams need these permissions—if it's just for your helpdesk, those groups should cover most situations. Just a heads up, remember that adding users to groups in AD is a change on the group itself, so the team will need permissions to manage group memberships too. And be cautious with the 'protect this object from accidental deletion' option. While it’s a good practice to check that box, it can inadvertently add deny permissions that might block your delegated permissions from functioning correctly! You might want to adjust that setting on the parent OU for smooth sailing.
Hi,
I’m a bit confused about how to handle the accidental deletion protection. I set up a test OU with it checked, but I see deny permissions for EVERYONE on delete actions, and I can’t move any child objects. Could you elaborate on how your existing OUs handle this to get the delegation working?
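Putting the three DLG groups from the question and the "protect from accidental deletion" deny ACEs from the answer above into one script (an added example, not code from anyone in this thread). It assumes the RSAT ActiveDirectory module and that the OU paths and group names are placeholders to adjust.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory
# module, and that the OU and group names below exist (placeholders to adjust).
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE
$domDn   = (Get-ADDomain).DistinguishedName
$UsersOU = "OU=Domain Users,$domDn"          # assumed OU path
$WsOU    = "OU=Domain Workstations,$domDn"   # assumed OU path

# Object-type-specific ACEs need the schema GUID of the class or attribute.
function Get-SchemaGuid([string]$LdapName) {
    $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
         -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
$userGuid     = Get-SchemaGuid 'user'
$computerGuid = Get-SchemaGuid 'computer'
$lockoutGuid  = Get-SchemaGuid 'lockoutTime'
# "Reset Password" is a control access right, looked up in Extended-Rights.
$resetPwdGuid = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

function Add-OuAllowAce {
    param([string]$OuDn, [string]$Group,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [guid]$ObjectType = [guid]::Empty, [guid]$InheritedObjectType = [guid]::Empty,
          [System.DirectoryServices.ActiveDirectorySecurityInheritance]$Inherit = 'All')
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (Get-ADGroup $Group).SID, $Rights, 'Allow', $ObjectType, $Inherit, $InheritedObjectType)))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# DLG-DomainUsersOU-ModifyAccess: create/delete user objects, write all user attributes.
Add-OuAllowAce $UsersOU 'DLG-DomainUsersOU-ModifyAccess' 'CreateChild, DeleteChild' $userGuid
Add-OuAllowAce $UsersOU 'DLG-DomainUsersOU-ModifyAccess' 'ReadProperty, WriteProperty' ([guid]::Empty) $userGuid 'Descendents'
# DLG-DomainWorkstationsOU-ModifyAccess: the same, scoped to computer objects.
Add-OuAllowAce $WsOU 'DLG-DomainWorkstationsOU-ModifyAccess' 'CreateChild, DeleteChild' $computerGuid
Add-OuAllowAce $WsOU 'DLG-DomainWorkstationsOU-ModifyAccess' 'ReadProperty, WriteProperty' ([guid]::Empty) $computerGuid 'Descendents'
# DLG-DomainUsersOU-AccountAccess: reset password + unlock (write lockoutTime) on users only.
Add-OuAllowAce $UsersOU 'DLG-DomainUsersOU-AccountAccess' 'ExtendedRight' $resetPwdGuid $userGuid 'Descendents'
Add-OuAllowAce $UsersOU 'DLG-DomainUsersOU-AccountAccess' 'ReadProperty, WriteProperty' $lockoutGuid $userGuid 'Descendents'

# Audit: the "protect from accidental deletion" checkbox adds Deny ACEs for Everyone
# (Delete/DeleteTree on the object, DeleteChild on its parent). Deny wins over the
# Allow ACEs above, which is why delegated moves and deletes fail.
function Get-DenyDeleteAces([string]$Dn) {
    (Get-Acl -Path "AD:\$Dn").Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq 'Everyone' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]'Delete, DeleteTree, DeleteChild')
    } | Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
}
Get-DenyDeleteAces $UsersOU
Get-DenyDeleteAces $domDn   # the parent holds the DeleteChild deny
```

Run the audit function against both the OU and its parent before and after toggling the checkbox to see exactly which deny ACEs appear and whether they are inherited by the children you are trying to move.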
Thanks for your input. Really appreciate it.
Thanks! I read that, and it’s pretty informative!