Delegating permissions to manage (add/remove) computers in specific organizational units (OUs) in Active Directory

In environments where you want specific users or groups to manage computer objects (including adding or removing computers) within certain Organizational Units (OUs) without giving them full domain-wide administrative rights, you can delegate control using the Active Directory Users and Computers (ADUC) tool. This delegation allows you to assign granular permissions, such as the ability to delete computer objects, to specific users or groups.

  • Open Active Directory Users and Computers (ADUC):

Open ADUC by typing `dsa.msc` in the Run dialog box (Windows + R).

  • Enable advanced features:

In ADUC, go to the top menu and click on View, then select Advanced Features. This will enable additional features such as the Security tab for objects.

  • Navigate to the target OU:

Browse to the Organizational Unit (OU) where you want to delegate permissions. Right-click the OU and select Properties.

  • Access the Security tab:

In the Properties window of the OU, go to the Security tab (this tab appears after enabling Advanced Features). Click on Advanced to manage detailed permissions.

  • Add the user or group:

In the Advanced Security Settings window, click Add to add the user or group to whom you want to delegate control. Enter the name of the user or group, then click OK.

  • Specify permissions:

After adding the user or group, you will be asked to specify the permissions. In the Permission Entry window, next to Applies to, select This object and all descendant objects if you want the permissions to apply to the OU and its contents (such as computer objects within the OU).

  • Choose permissions for computer objects:

Scroll down in the list of permissions to find Create Computer objects and Delete Computer objects.

Make sure to check both if you want to allow the user to add and remove computer objects.

  1. Create Computer objects: Allows the user or group to add new computer objects in the specified OU.
  2. Delete Computer objects: Allows the user or group to delete (remove) computer objects from the specified OU.

You may also want to add Read and Write permissions on computer objects, depending on the level of control you want to delegate.

  • Apply changes:

Once you’ve selected the appropriate permissions, click OK to apply the changes. Click Apply and then OK to close the security settings.
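The same delegation can be scripted and verified rather than clicked through. The following is an added example, not part of the original page: it uses PowerShell with ADSI over LDAP (the protocol ADUC itself uses, so no ActiveDirectory module is needed), grants Create/Delete Computer objects on the OU with inheritance set to "This object and all descendant objects", and then reads the resulting ACEs back. The OU and group DNs are placeholders you must replace.

```powershell
# Added example (not from the original page): delegate "Create Computer objects" and
# "Delete Computer objects" on one OU via ADSI, then read back the ACEs for auditing.
# Assumptions: the two DNs below are placeholders for your own directory.
$ouDN    = "OU=Workstations,DC=example,DC=com"
$groupDN = "CN=Workstation-Joiners,OU=Groups,DC=example,DC=com"

# Resolve the delegated group's SID from its objectSid bytes.
$group = [ADSI]"LDAP://$groupDN"
$sid   = New-Object System.Security.Principal.SecurityIdentifier($group.objectSid.Value, 0)

# Look up the schemaIDGUID of the "computer" class in the schema partition instead of
# hard-coding it (the well-known value is bf967a86-0de6-11d0-a285-00aa003049e2).
$schemaNC = ([ADSI]"LDAP://RootDSE").schemaNamingContext.Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaNC", "(lDAPDisplayName=computer)")
$computerGuid = [Guid]$searcher.FindOne().Properties["schemaidguid"][0]

# CreateChild + DeleteChild restricted to the computer class is exactly what the GUI
# labels "Create Computer objects" / "Delete Computer objects"; inheritance "All"
# corresponds to "This object and all descendant objects".
$rights = [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild"
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
    $computerGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Apply the ACE to the OU's security descriptor and write it back.
$ou = [ADSI]"LDAP://$ouDN"
$ou.psbase.ObjectSecurity.AddAccessRule($ace)
$ou.psbase.CommitChanges()

# Verification: list the explicit (non-inherited) ACEs the group now holds on this OU,
# which is what you would otherwise inspect in Advanced Security Settings.
$ou.psbase.RefreshCache()
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it from a domain-joined Windows host as an account that may modify the OU's security descriptor; the read-back at the end should show one Allow ACE with ActiveDirectoryRights CreateChild, DeleteChild and ObjectType equal to the computer class GUID.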


samba/setmachineaccount.txt · Last modified: by caponato