Delegating Control of an OU

You want to delegate administrative access of an OU to allow a group of users to manage objects in the OU.


Using a graphical user interface
  1. Open the ADUC snap-in.

  2. If you need to change domains, right-click on "Active Directory Users and Computers" in the left pane, select Connect to Domain, enter the domain name, and click OK.

  3. In the left pane, browse to and select the target OU, and then select Delegate Control.

  4. Select the users and/or groups to delegate control to by using the Add button, and then click Next.

  5. Select the type of privilege to grant to the users or groups you selected in Step 4, and then click Next.

  6. Click Finish.

Using a command-line interface

ACLs can be set from the command line with the dsacls utility from the Support Tools. See Recipe 15.14 for more information.


Although you can delegate control of an OU to a particular user, it is almost universally a better practice to use a group instead. Even if there is only one user to delegate control to, you should create a group, add that user as a member, and use that group in the ACL. That way, when you have to replace that user with someone else in the future, you can simply make sure the new person is in the correct group instead of modifying ACLs again. The Delegation of Control wizard is discussed further in Recipe 15.7.
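The group-based delegation described above can also be done from the command line and then audited. The following is an added example, not part of the original recipe. It assumes the ActiveDirectory PowerShell module is available, and the domain, OU, group, and user names are hypothetical.

```powershell
# Added example; domain, OU, group and user names below are hypothetical.
Import-Module ActiveDirectory                 # assumes the AD module is installed

$ouDn    = 'OU=Sales,DC=example,DC=com'       # hypothetical target OU
$netbios = 'EXAMPLE'                          # hypothetical NetBIOS domain name
$group   = 'Sales-OU-Admins'                  # hypothetical delegation group
$member  = 'jsmith'                           # hypothetical delegate

# 1. Create a group for the delegation, even though there is only one delegate.
New-ADGroup -Name $group -SamAccountName $group -GroupScope DomainLocal -GroupCategory Security
Add-ADGroupMember -Identity $group -Members $member

# 2. Put the group, not the user, in the OU's ACL.
#    CCDC;user = create/delete user objects; /I:T = this OU and everything below it.
#    GA;;user  = full control of user objects; /I:S = objects below the OU only.
dsacls $ouDn /I:T /G "$netbios\${group}:CCDC;user"
dsacls $ouDn /I:S /G "$netbios\${group}:GA;;user"

# 3. Audit: report explicit (non-inherited) ACEs on the OU whose trustee is a
#    user account, i.e. delegations that bypass the group practice.
$acl = Get-Acl -Path "AD:\$ouDn"
$direct = foreach ($ace in $acl.Access | Where-Object { -not $_.IsInherited }) {
    try {
        $sid = $ace.IdentityReference.Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch {
        continue                              # trustee could not be mapped to a SID
    }
    $obj = Get-ADObject -Filter "objectSid -eq '$sid'"
    if ($obj -and $obj.ObjectClass -eq 'user') {
        [pscustomobject]@{
            Trustee = $ace.IdentityReference.Value
            Rights  = $ace.ActiveDirectoryRights
            Type    = $ace.AccessControlType
        }
    }
}
$direct | Format-Table -AutoSize
```

An empty table from step 3 means every explicit delegation on the OU goes through a group or a built-in principal.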

See Also

Recipe 15.14 for changing the ACL on an object and Recipe 15.7 for more on the Delegation of Control wizard

