Delegating Control of an OU in Active Directory – Part 2

In part 1, we used the Delegation of Control Wizard to allow our helpdesk_team group to reset passwords for users in the “IT_Services” OU, shown below.

[Screenshot: the IT_Services OU and its sub-OUs]

Our delegation scenario was that the helpdesk_team should be able to reset passwords for everyone in “IT_Services” except “Network_Admins”. Delegating the permission at the “IT_Services” OU, however, means it is inherited by all of the sub-OUs, including “Network_Admins”, which is of course not what we want.

In this post we will set an explicit Deny permission on the “Network_Admins” OU to prevent the helpdesk_team group from changing or resetting the passwords of users in that OU.

Right-click the Network_Admins OU and select Properties.

[Screenshot: right-click the Network_Admins OU]

[Screenshot: Properties, Security tab, Advanced button]

Go to the Security tab and click the Advanced button.

[Screenshot: locate the helpdesk_team entry and click Edit]

Find the group you want to deny the permission to (the helpdesk_team in our example) and click Edit.

[Screenshot: Deny checkboxes for Change password and Reset password]

To deny the group the ability to change or reset passwords in this OU, find the “Change password” and “Reset password” entries and tick the boxes under the Deny column.

[Screenshot: warning that Deny entries take precedence over Allow entries]

You’ll get a warning saying that Deny permissions take precedence over Allow permissions. Click Yes to continue.

With the Deny permission in place, any member of the helpdesk_team group who tries to reset the password of a user account in the Network_Admins OU will get the following error:

[Screenshot: reset password test, Access is denied]
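The same explicit Deny can be applied and then verified from PowerShell, which is handy when you have to repeat the change across several OUs or want a scriptable check that the entries are really there. The script below is an added example and is not from the original post; it assumes the ActiveDirectory module is installed, that the OU distinguished name and domain components match your environment (the `DC=contoso,DC=com` part is a placeholder), and that the Deny should apply to descendant user objects of the OU. The GUIDs are the well-known values for the “Reset Password” and “Change Password” extended rights and for the user object class.

```powershell
# Added example: explicit Deny for helpdesk_team on the Network_Admins OU via PowerShell.
# Assumes the ActiveDirectory module and an OU DN adjusted to your domain (placeholder below).
Import-Module ActiveDirectory

$ouDN  = 'OU=Network_Admins,OU=IT_Services,DC=contoso,DC=com'   # placeholder DN, adjust to your domain
$group = Get-ADGroup -Identity 'helpdesk_team'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known GUIDs: the two password extended rights and the user object class
$resetPasswordRight  = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # "Reset Password" extended right
$changePasswordRight = [Guid]'ab721a53-1e2f-11d0-9819-00aa0040529b'  # "Change Password" extended right
$userClass           = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the user class

# Read the OU's current security descriptor through the AD: drive
$acl = Get-Acl -Path "AD:\$ouDN"

# Add one Deny ACE per extended right, applying to descendant user objects (assumption)
foreach ($right in @($resetPasswordRight, $changePasswordRight)) {
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $right,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $acl.AddAccessRule($ace) | Out-Null
}

# Write the updated ACL back to the OU
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verification: list the Deny entries the group now holds on this OU
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.ToString() -like '*\helpdesk_team'
    } |
    Select-Object IdentityReference, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The verification step should show two Deny entries whose ObjectType values are the two extended-right GUIDs and whose InheritedObjectType is the user class GUID. Because Deny entries are evaluated before the Allow entry inherited from IT_Services, a helpdesk_team member gets “Access is denied” on a Network_Admins user just as in the screenshot above, while resets elsewhere under IT_Services keep working. Note that the Deny lives on the OU, so a user account moved out of Network_Admins loses this protection; the verification query is worth re-running after any OU restructuring.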


