I am trying to delegate permission for users to create an OU in Active Directory, strictly as an option to organize and sort objects under the delegated OU. However, once I give the permission, the user can change the security rules on the new OU he created and gain full control permissions, subsequently allowing himself to create new user accounts and so on.
Is there a way to prevent such a security breach?
Best Answer
It sounds like you over-delegated access. You need to grant the Allow: "Create Organizational Units" permission, scoped to "Descendant Organizational Units" in order to achieve this. Some screenshots below:
The scope (or "applies to") that needs to be selected:
The permission that needs to be selected:
This is what the ACE will look like when completed:
-- This will not allow the delegate to actually change/rename any OUs (in the event of a typo). This will strictly allow the delegate to create Organizational Units.
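The same ACE the answer builds through the ADUC dialog, as an added PowerShell example (not code from the original answer): Allow, CreateChild restricted to the organizationalUnit class, applied to descendant OUs only, followed by an audit of what the delegate ended up with. The OU distinguished name and the group name are placeholders you would replace; the organizationalUnit class GUID is resolved from the schema rather than typed in.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not part of the original answer. Assumed/placeholder values below:
# the delegated OU's DN and the delegate group. Run as an account that may edit the OU's DACL.
Import-Module ActiveDirectory

$DelegatedOuDn = 'OU=Delegated,DC=example,DC=com'   # placeholder DN
$DelegateGroup = 'EXAMPLE\OU-Creators'              # placeholder DOMAIN\group

# Look up the schemaIDGUID of the organizationalUnit class. Its well-known value is
# bf967aa5-0de6-11d0-a285-00aa003049e2, but reading it from the schema avoids typos.
function Get-OuClassGuid {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $cls = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=organizationalUnit)' `
                        -Properties schemaIDGUID
    return [guid]$cls.schemaIDGUID
}

# Grant exactly one thing: "Create Organizational Units" on "Descendant Organizational Units".
# No GenericAll, no WriteDacl, no WriteProperty, so the delegate cannot rename or re-ACL OUs.
function Grant-OuCreateOnly {
    param([string]$OuDn, [string]$Identity)
    $ouGuid = Get-OuClassGuid
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,      # the permission
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ouGuid,                                                            # child class: OU only
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,  # not "this object"
        $ouGuid)                                                            # applies to: descendant OUs
    # Use ::All instead of ::Descendents if the delegate should also create OUs directly
    # under $OuDn itself.
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Audit: the delegate must hold no right on the delegated OU that lets them rewrite the DACL,
# and OUs they create are owned by them (an owner has implicit WriteDacl), so list owners too.
function Test-OuDelegation {
    param([string]$OuDn, [string]$Identity)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $dangerous = [System.DirectoryServices.ActiveDirectoryRights]'GenericAll, WriteDacl, WriteOwner'
    $overDelegated = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Identity -and
        (($_.ActiveDirectoryRights -band $dangerous) -ne 0)
    }
    $childOwners = Get-ADOrganizationalUnit -SearchBase $OuDn -SearchScope Subtree -Filter * |
        Where-Object { $_.DistinguishedName -ne $OuDn } |
        ForEach-Object {
            [pscustomobject]@{
                OU    = $_.DistinguishedName
                Owner = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Owner
            }
        }
    [pscustomobject]@{
        DelegateHasDaclRights = [bool]$overDelegated
        ChildOuOwners         = $childOwners
    }
}

Grant-OuCreateOnly -OuDn $DelegatedOuDn -Identity $DelegateGroup
Test-OuDelegation  -OuDn $DelegatedOuDn -Identity $DelegateGroup | Format-List
```

The audit's second column is the check worth keeping around: a user who creates an OU becomes its owner, and ownership carries an implicit right to change that object's DACL, which is the route by which a narrowly delegated account can still grant itself more on the OUs it made. Reviewing owners of newly created child OUs (or re-setting them to an administrative group) closes that gap; the single CreateChild ACE by itself does not touch it.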