Delegated OU Permissions

Last updated: January 30, 2023
Audience: IT Staff / Technical

The permissions granted to departmental Windows administrators on delegated OUs is a complex and lengthy set of ACEs. These permissions change with each Windows Server release, because Microsoft adds new types of objects. Instead of exactly listing what those permissions are, this is a description of the recipe for granting them, which will likely give you a better picture of what those permissions are.

  1. Create delegation group
  2. On delegated OU, add Allow ‘Owner Rights’: Modify Owner, on all descendant objects
  3. On delegated OU, add Deny u_msinf_delou_<ou>_ouadmins: Write Property “Name”, on this object
  4. On delegated OU, add Allow u_msinf_delou_<ou>_ouadmins: ‘Modify permissions’ permission for ‘Descendant Computer objects’
  5. On delegated OU, add Allow u_msinf_delou_<ou>_computermanagers: ‘Full control’ permission, for ‘Descendant Computer objects’
    1. Remove the “All Extended Rights” permission
  6. On delegated OU, add Allow u_msinf_delou_<ou>_computerjoiners: ‘Create Computer objects’ permission for ‘This object and all descendant objects’
  7. On delegated OU, add Allow u_msinf_delou_<ou>_ouadmins: Full Control, for ‘this object and all child objects’, and remove the following permissions:
    • ‘Modify permissions’ permission
    • ‘Create/Delete contact objects’ permission
    • ‘Create/Delete Dell Association objects’ permission
    • ‘Create/Delete Dell Privilege objects’ permission
    • ‘Create/Delete Dell RAC Device objects’ permission
    • ‘Create/Delete dellProduct objects’ permission
    • ‘Create/Delete group objects’ permission
    • ‘Create/Delete InetOrgPerson objects’ permission
    • ‘Create/Delete msDS-ManagedServiceAccount objects’ permission
    • ‘Create/Delete msPKI-Key-Recovery-Agent objects’ permission
    • ‘Create/Delete msExchComputerPolicy objects’ permission (GUI/ClassDisplayName=’Computer Policy’)
    • ‘Create/Delete user objects’ permission
    • ‘All Extended Rights’
  8. On Delegated OU, add Allow u_msinf_delou_<ou>_lapsreaders: Read Property “ms-Mcs-AdmPwdExpirationTime” for ‘Descendent Computer objects’ AND
    Allow u_msinf_delou_<ou>_lapsreaders: Read Property and Control Access “ms-Mcs-AdmPwd” for ‘Descendent Computer objects’

    1. One way to do this: On a machine with the LAPS cmdlets, run Set-AdmPwdReadPasswordPermission -Identity:<OU DN> -AllowedPrincipals: u_msinf_delou_<ou>_lapsreaders
    2. Another way: add Read property, then use with LDP.exe to add Control Access
  9. On delegated OU, grant u_msinf_delou_<ou>_bitlockerreaders the following rights:
    1. Read and Control Access on msTPM-OwnerInformation for Descendent Computer objects
    2. Read  and Control Access for Descendent msFVE-RecoveryInformation objects
      1. Note: Read does not equal Read All Properties. While Read All Properties will allow almost every tool to work fine, ADUC (for whatever reason) insists on having the full set of permissions included in Read, i.e. Read All Properties + List Contents + Read Permissions
  10. On delegated OU, grant u_msinf_delou_<ou>_ouadmins the following rights:
    1. Read and Control Access for Descendent msFVE-RecoveryInformation objects
  11. Accept the ‘oh my gosh, you’ll create ~145 ACEs’ warning. The number here varies based on the Windows version.
  12. Accept the warning again.

In other words, you have full control of your OU, but are unable to:

  • create any object class which can contain a samAccountName attribute
  • unable to set permissions, except on computer objects
  • unable to rename your delegated OU without a request

This set of permissions is designed to maximize your abilities, while protecting the NETID domain.

We are happy to modify directory permissions within your OU on your behalf, but can’t delegate that ability without causing support problems. If you have a need to do any of the things not delegated above, please submit a help request and we’ll try our best to help.