In part 1, we used the Delegation of Control Wizard to allow our helpdesk_team group to reset passwords for user accounts in the “IT_Services” OU, shown here below.
Our delegation scenario was that helpdesk_team should be able to reset passwords for everyone in “IT_Services” except the users in “Network_Admins”. Because the permission was delegated at the “IT_Services” OU with inheritance enabled, however, the Allow entry propagates down to every child OU, including “Network_Admins”, which is not what we want, of course.
In this post we will set an Explicit Deny permission on the “Network_Admins” OU to prevent the helpdesk_team group from being able to change the password for users in this OU.
Right-click on the Network_Admins OU and select Properties.
Go to the Security tab and click on the Advanced button.
Find the entry for the group you want to deny (that’s helpdesk_team in our example) and click on Edit. If the only entry listed for the group is the one inherited from IT_Services, it cannot be changed in place; click Add instead, select helpdesk_team as the principal and create a new explicit entry on this OU.
To deny the group the ability to change/reset passwords for this OU, find the “Change password” and “Reset password” entries and tick the boxes under the Deny column. Leave “Applies to” covering descendant User objects so that accounts created in the OU later are covered as well.
You’ll get a warning saying that Deny permissions take precedence over Allow permissions. Click on Yes to continue.
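The same explicit Deny can be applied from PowerShell instead of clicking through ADUC. The script below is an added example, not part of the original post: it assumes the ActiveDirectory module (RSAT) is installed, and the OU distinguished name and the domain components are assumptions that must be changed to match your forest. The GUIDs are the well-known AD schema identifiers for the Reset Password and Change Password control access rights and for the user object class, not assumptions.

```powershell
# Added example (not from the original post): set an explicit Deny for
# "Change password" and "Reset password" on the Network_Admins OU so that
# helpdesk_team cannot reset passwords there, mirroring the GUI steps above.
Import-Module ActiveDirectory

# Assumed values: adjust the DN and group name to your environment
$ouDN  = "OU=Network_Admins,OU=IT_Services,DC=corp,DC=example"
$group = Get-ADGroup -Identity "helpdesk_team"
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Well-known AD schema GUIDs (not assumptions)
$resetPassword  = [Guid]"00299570-246d-11d0-a768-00aa006e0529"   # Reset Password control access right
$changePassword = [Guid]"ab721a53-1e2f-11d0-9819-00aa0040529b"   # Change Password control access right
$userClass      = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"   # "user" object class

# Read the OU's current DACL through the AD: drive provided by the module
$acl = Get-Acl -Path "AD:\$ouDN"

foreach ($right in @($resetPassword, $changePassword)) {
    # Deny the extended right for helpdesk_team on all descendant user
    # objects of this OU (same scope the GUI's "Applies to" setting gives)
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $right,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)
    $acl.AddAccessRule($ace)
}

# Write the modified DACL back to the OU
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the explicit (non-inherited) entries for helpdesk_team.
# The inherited Allow from IT_Services is still present but is listed after
# the explicit Deny, which is why the Deny wins.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*helpdesk_team" -and -not $_.IsInherited } |
    Select-Object AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```

Run this as an account that has permission to modify the OU's security descriptor (a Domain Admin in a lab is fine). The verification query at the end filters on IsInherited so you can confirm the new entry was written on Network_Admins itself rather than picked up from the parent.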
With that Deny permission in place, the explicit Deny on Network_Admins is evaluated before the Allow inherited from IT_Services (explicit entries are ordered ahead of inherited ones in the DACL), so anyone who is a member of the helpdesk_team group trying to reset the password of a user account in the Network_Admins OU will get the following error: