Delegated OU role groups

Each delegated OU has a set of role groups which provide a consistent set of permissions within that delegated OU. This page describes those OU role groups.

| Name | GroupId | Purpose |
|---|---|---|
| OU Admins | `u_msinf_delou_<delegatedOU>_ouadmins` | Administrators of this delegated OU. |
| Group Policy Admins | `u_msinf_delou_<delegatedOU>_gpadmins` | Can create GPOs. Should be used to delegate management of the GPOs created. An OU admin is required to link any GPO. |
| Computer Joiners | `u_msinf_delou_<delegatedOU>_computerjoiners` | Can join a computer to the domain. Can create a computer object in this delegated OU. |
| OU Contacts | `u_msinf_delou_<delegatedOU>_oucontacts` | Individuals who should be contacted regarding this delegated OU. Not admin accounts. |
| DFS Admins | `u_msinf_delou_<delegatedOU>_dfsadmins` | Administrators of the DFS namespace associated with this delegated OU. Optional; only created when a DFS namespace is requested. |
| Computer Managers | `u_msinf_delou_<delegatedOU>_computermanagers` | Manage all computers in this delegated OU. Full permissions to computer objects. |
| LAPS Readers | `u_msinf_delou_<delegatedOU>_lapsreaders` | Can read the local admin password stored in AD for computers in this delegated OU, for those computers which have LAPS enabled. |
| Bitlocker Readers | `u_msinf_delou_<delegatedOU>_bitlockerreaders` | Can read the Bitlocker recovery key stored in AD for computers in this delegated OU, for those computers which have Bitlocker enabled. |
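As an added example (not part of this page or its environment), the following PowerShell script enumerates the role groups of one delegated OU and lists their members, so that membership of the credential-bearing groups (OU Admins, LAPS Readers, Bitlocker Readers) can be reviewed periodically. It assumes the ActiveDirectory module is installed, that the groups follow the naming scheme in the table above, and that the delegated OU name is supplied as a parameter.

```powershell
# Added example: audit the role groups of a single delegated OU.
# Assumes the ActiveDirectory module and the naming scheme u_msinf_delou_<delegatedOU>_<role>.
param(
    [Parameter(Mandatory = $true)]
    [string]$DelegatedOU   # name of the delegated OU, e.g. "exampleou" (placeholder)
)

Import-Module ActiveDirectory

# Role suffixes from the table above, in table order.
$roles = [ordered]@{
    ouadmins         = 'OU Admins'
    gpadmins         = 'Group Policy Admins'
    computerjoiners  = 'Computer Joiners'
    oucontacts       = 'OU Contacts'
    dfsadmins        = 'DFS Admins'
    computermanagers = 'Computer Managers'
    lapsreaders      = 'LAPS Readers'
    bitlockerreaders = 'Bitlocker Readers'
}

# Groups whose membership yields admin rights or stored secrets; review these most carefully.
$sensitive = @('ouadmins', 'lapsreaders', 'bitlockerreaders')

foreach ($suffix in $roles.Keys) {
    $name  = "u_msinf_delou_${DelegatedOU}_${suffix}"
    $group = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
    if (-not $group) {
        # DFS Admins is optional per the table, so its absence is expected without a DFS namespace.
        $note = if ($suffix -eq 'dfsadmins') { ' (expected when no DFS namespace was requested)' } else { '' }
        Write-Output "$($roles[$suffix]): group $name not found$note"
        continue
    }

    # -Recursive expands nested groups so indirect members are reported as well.
    $members = @(Get-ADGroupMember -Identity $group -Recursive)
    $flag = if ($sensitive -contains $suffix) { ' [SENSITIVE]' } else { '' }
    Write-Output "$($roles[$suffix])$flag ($name): $($members.Count) member(s)"
    foreach ($m in $members) {
        Write-Output ("  {0,-8} {1}" -f $m.objectClass, $m.SamAccountName)
    }
}
```

Run it as `.\Audit-DelegatedOU.ps1 -DelegatedOU <name>` from an account that can read group membership; the `[SENSITIVE]` tag marks the groups whose membership should be compared against the approved list.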