IT Connect

Information technology tools and resources at the UW

Delegated OU Permissions

The permissions granted to departmental Windows administrators on delegated OUs are a complex and lengthy set of ACEs. These permissions change with each Windows Server release, because Microsoft adds new object types. Rather than list those permissions exactly, this page describes the recipe for granting them, which will likely give you a better picture of what they are.

  1. Create delegation group
  2. On delegated OU, add Allow ‘Owner Rights’: Modify Owner, on all descendant objects
  3. On delegated OU, add Deny u_msinf_delou_<ou>_ouadmins: Write Property “Name”, on this object
  4. On delegated OU, add Allow u_msinf_delou_<ou>_ouadmins: ‘Modify permissions’ permission for ‘Descendant Computer objects’
  5. On delegated OU, add Allow u_msinf_delou_<ou>_computermanagers: ‘Full control’ permission, for ‘Descendant Computer objects’
    1. Remove the “All Extended Rights” permission
  6. On delegated OU, add Allow u_msinf_delou_<ou>_computerjoiners: ‘Create Computer objects’ permission for ‘This object and all descendant objects’
  7. On delegated OU, add Allow u_msinf_delou_<ou>_ouadmins: Full Control, for ‘this object and all child objects’, and remove the following permissions:
    • ‘Modify permissions’ permission
    • ‘Create/Delete contact objects’ permission
    • ‘Create/Delete Dell Association objects’ permission
    • ‘Create/Delete Dell Privilege objects’ permission
    • ‘Create/Delete Dell RAC Device objects’ permission
    • ‘Create/Delete dellProduct objects’ permission
    • ‘Create/Delete group objects’ permission
    • ‘Create/Delete InetOrgPerson objects’ permission
    • ‘Create/Delete msDS-ManagedServiceAccount objects’ permission
    • ‘Create/Delete msPKI-Key-Recovery-Agent objects’ permission
    • ‘Create/Delete msExchComputerPolicy objects’ permission (GUI/ClassDisplayName=’Computer Policy’)
    • ‘Create/Delete user objects’ permission
    • ‘All Extended Rights’
  8. On a machine with the LAPS cmdlets, run Set-AdmPwdReadPasswordPermission -Identity:<OU DN> -AllowedPrincipals: u_msinf_delou_<ou>_lapsreaders
  9. On delegated OU, grant u_msinf_delou_<ou>_bitlockerreaders the following rights:
    1. Read msTPM-OwnerInformation for Descendant Computer objects
    2. Read msFVE-KeyPackage, msFVE-RecoveryPassword for Descendant msFVE-RecoveryInformation objects
  10. Accept the ‘oh my gosh, you’ll create ~145 ACEs’ warning. The number here varies based on the Windows version.
  11. Accept the warning again.

In other words, you have full control of your OU, but are unable to:

  • create any object class which can contain a samAccountName attribute
  • set permissions, except on computer objects
  • rename your delegated OU without a request

This set of permissions is designed to maximize your abilities, while protecting the NETID domain.
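An added example, not code from IT Connect or part of the recipe above: a PowerShell audit script that reads a delegated OU's ACL and checks it against the three restrictions just listed (no creation of samAccountName-bearing classes, Modify permissions only on computer objects, and the Deny that blocks renaming the OU). It assumes the ActiveDirectory module and the AD: drive it provides, and the u_msinf_delou_<ou>_ouadmins naming; the parameters $OuDn and $GroupPrefix and the rule checks are my own.

```powershell
param(
    [Parameter(Mandatory = $true)][string]$OuDn,        # DN of the delegated OU (your own value)
    [Parameter(Mandatory = $true)][string]$GroupPrefix  # 'u_msinf_delou_<ou>' with <ou> filled in
)
Import-Module ActiveDirectory

# Resolve schema GUIDs from the schema partition rather than hard-coding them.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$nameOf = @{}; $guidOf = @{}
foreach ($ldapName in 'computer', 'user', 'group', 'contact', 'inetOrgPerson',
                      'msDS-ManagedServiceAccount', 'name') {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapName)" -Properties schemaIDGUID
    $guid = [guid]$o.schemaIDGUID
    $nameOf[$guid] = $ldapName; $guidOf[$ldapName] = $guid
}

$ouAdmins = "${GroupPrefix}_ouadmins"
$rightsType = [System.DirectoryServices.ActiveDirectoryRights]
$aces = (Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference.Value -like "*\$ouAdmins" }
$findings = @()

foreach ($ace in $aces | Where-Object { $_.AccessControlType -eq 'Allow' }) {
    # Rule 1: no Allow CreateChild for samAccountName-bearing classes, or for all classes.
    if ($ace.ActiveDirectoryRights.HasFlag($rightsType::CreateChild)) {
        $cls = if ($ace.ObjectType -eq [guid]::Empty) { 'all classes' } else { $nameOf[$ace.ObjectType] }
        if ($cls -and $cls -ne 'computer') { $findings += "CreateChild allowed for '$cls'" }  # $null = class not tracked here
    }
    # Rule 2: WriteDacl ('Modify permissions') only on descendant computer objects.
    if ($ace.ActiveDirectoryRights.HasFlag($rightsType::WriteDacl) -and
        $nameOf[$ace.InheritedObjectType] -ne 'computer') {
        $findings += "WriteDacl allowed outside computer objects (inheritance: $($ace.InheritanceType))"
    }
}
# Rule 3: the rename guard, a Deny of WriteProperty 'name' on the OU object itself, must be present.
$renameGuard = $aces | Where-Object {
    $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $guidOf['name'] -and
    $_.ActiveDirectoryRights.HasFlag($rightsType::WriteProperty) -and $_.InheritanceType -eq 'None'
}
if (-not $renameGuard) { $findings += "Missing Deny WriteProperty 'name' on $OuDn" }

if ($findings.Count -eq 0) { "OK: $OuDn matches the delegation rules for $ouAdmins" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it after the recipe has been applied, or periodically, to catch drift such as someone later granting the OU admins group Create user or group objects on the OU.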

We are happy to modify directory permissions within your OU on your behalf, but can’t delegate that ability without causing support problems. If you have a need to do any of the things not delegated above, please submit a help request and we’ll try our best to help.