Forum Search:
Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Home » Microsoft » Windows Server » Active Directory » Assign permissions to manage OU
Assign permissions to manage OU [message #335275] Fri, 04 December 2009 10:31 Go to next message
JT  is currently offline JT
Messages: 35
Registered: October 2009
Member
I am having problems getting permissions to propagate to all objects within
an Active Directory OU. We are using Win 2003 domain controllers.
I have an Object named workstations. I would like to give a global security
group access to manage the workstations OU. The group needs to be able to
add/remove computers, add GPOs, etc.

At the Workstation OU I have used the Security tab to give the group
Read, Write, create all child objects, delete all child objects, etc. Under
the Advanced tab the box is checked to allow inheritable permissions to all
child objects. All child objects are set to inherit permissions from parent.


None of the child objects show the correct permissions for this group.

How do I get an Active directory OU object to allow permissions to propagate
to child objects? I don't want this group to have full control to the OU,
but I would like to have them able to manage everything in the OU.

thanks in advance.

JT
Re: Assign permissions to manage OU [message #335327 is a reply to message #335275] Fri, 04 December 2009 11:54 Go to previous messageGo to next message
aceman  is currently offline aceman  United States
Messages: 5816
Registered: July 2009
Senior Member
"JT" <JT@discussions.microsoft.com> wrote in message
news:38BE1D83-6586-4DC9-A25C-EA7931FDD104@microsoft.com...
>I am having problems getting permissions to propagate to all objects within
> an Active Directory OU. We are using Win 2003 domain controllers.
> I have an Object named workstations. I would like to give a global
> security
> group access to manage the workstations OU. The group needs to be able to
> add/remove computers, add GPOs, etc.
>
> At the Workstation OU I have used the Security tab to give the group
> Read, Write, create all child objects, delete all child objects, etc.
> Under
> the Advanced tab the box is checked to allow inheritable permissions to
> all
> child objects. All child objects are set to inherit permissions from
> parent.
>
>
> None of the child objects show the correct permissions for this group.
>
> How do I get an Active directory OU object to allow permissions to
> propagate
> to child objects? I don't want this group to have full control to the OU,
> but I would like to have them able to manage everything in the OU.
>
> thanks in advance.
>
> JT
>


You should really use the Delegation Wizard and not do it manually.

Hopefully these will help you:

Creating OUs to Delegate AdministrationTo delegate administration, grant a
group specific rights over an OU. To do this, you need to modify the access
control list (ACL) of the OU. ...
http://technet.microsoft.com/en-us/library/cc960527.aspx

Delegating Administration by Using OU Objects: Domain Name System ...Mar 28,
2003 ... You can use organizational units to delegate the administration of
objects, such as users or computers, within the OU to a designated ...
http://technet.microsoft.com/en-us/library/cc780779(WS.10).aspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.
Re: Assign permissions to manage OU [message #337237 is a reply to message #335275] Mon, 07 December 2009 06:31 Go to previous message
pbbergs  is currently offline pbbergs  United States
Messages: 1024
Registered: July 2009
Senior Member
I'm with Ace, just use the delegation of authority wizard.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"JT" <JT@discussions.microsoft.com> wrote in message
news:38BE1D83-6586-4DC9-A25C-EA7931FDD104@microsoft.com...
>I am having problems getting permissions to propagate to all objects within
> an Active Directory OU. We are using Win 2003 domain controllers.
> I have an Object named workstations. I would like to give a global
> security
> group access to manage the workstations OU. The group needs to be able to
> add/remove computers, add GPOs, etc.
>
> At the Workstation OU I have used the Security tab to give the group
> Read, Write, create all child objects, delete all child objects, etc.
> Under
> the Advanced tab the box is checked to allow inheritable permissions to
> all
> child objects. All child objects are set to inherit permissions from
> parent.
>
>
> None of the child objects show the correct permissions for this group.
>
> How do I get an Active directory OU object to allow permissions to
> propagate
> to child objects? I don't want this group to have full control to the OU,
> but I would like to have them able to manage everything in the OU.
>
> thanks in advance.
>
> JT
>
Previous Topic:dcpromo- select source DC?
Next Topic:DC failure/restoration issues
Goto Forum:
  


Current Time: Thu Jan 18 20:51:22 MST 2018

Total time taken to generate the page: 0.03268 seconds
.:: Contact :: Home ::Sitemap::.

Powered by: FUDforum 3.0.0RC2.
Copyright ©2001-2009 FUDforum Bulletin Board Software