Setting Up a Local Administrator to Manage an OU

One of Active Directory's (AD's) many benefits is that it’s easy for the network administrator to set up an administrator to manage a specific organizational unit (OU). If you haven’t already organized your users into OUs, consider doing so to make your network more manageable. When a client company has multiple office locations, I typically set up an OU for each office. In general, I prefer an AD design that's broad and shallow as opposed to narrow and deep. An OU administrator will have all the rights that the Administrator has, except the OU administrator will have those rights only for the designated OU. Complete the following steps to create an OU administrator on your network.
1. Create the OU (if you haven’t already done so)—Click Start, Programs, Administrative Tools, Active Directory Users and Computers to open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the domain (or desired location) and select New, Organizational Unit. I suggest establishing a naming convention for your OUs and anything else you create in AD.
2. Move Users to the new OU—As you know, new users are created in the Users container by default. If you already have users created in the Users container, you can move any of these users to the new OU. To do so, simply right-click the user, select Move, then select the desired OU. You can move multiple users at the same time by using Ctrl+click to select the appropriate users, then drag the selected users into the desired OU.
3. Create an OU Administrator User—Start Active Directory Users and Computers. Create a new user in the desired OU, and assign a password.
4. Create an OU Administrators Group in the OU—After doing so, make the OU administrator a member of that group. This approach follows the best practice of assigning rights to a group rather than an individual, then making the user a member of the group. This setup makes future management of the network easier. For example, if you need to grant an existing user OU administrator rights, you can simply make the user a member of the OU Administrators Group, rather than assign the rights individually. If you have a software vendor that must have administrator rights to the OU, you can create a temporary account and password, then add the vendor's account to OU Administrators Group. After the vendor completes the software installation, you can delete the account. This strategy lets the vendor install the software without giving away any administrator passwords. To create the OU Administrators Group, right-click the OU and select New, Group. Make sure to add the user you created in Step 3 to the group you just created.
5. Delegate control of the OU—Start Active Directory Users and Computers. Right-click the desired OU and select Delegate Control. Add the group you created in step 4, and grant the group the appropriate rights for the OU.
6. Delegate control of the Exchange OU—If you're running Microsoft Exchange Server 2000 or later, start the Exchange System Manager (ESM). Open the desired Administrative Group, right-click the group you created in Step 4, and select Delegate Control. Select the desired level of control; typically I set the delegated rights to Exchange Administrator. This approach will let members in the group created in Step 4 act as an Exchange Administrator for users located in a specific Exchange Administrative Group.
7. Grant the Log on Locally right to the domain controller (DC)—This step is necessary if you want to let a user log on to a server acting as a DC. In Active Directory Users and Computers, right-click the Domain Controllers OU. Select Properties, Group Policy, then select the Default Domain Controllers Policy and click Edit. Select Default Domain Controllers Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Log on Locally. Add the group you created in Step 4 to grant the Log on Locally right. Alternatively, you can install the Exchange System Administrator program (AdminPak.msi) on a workstation. To install the program, run setup from the Exchange Server 2003 or Exchange 2000 installation CD-ROM.
8. Refresh the machine policy—For Windows Server 2003 servers, open a command prompt and type


For Windows 2000 servers, type

secedit /refreshpolicy machine_policy

9. Grant Win2K Server Terminal Services rights—Are you running Terminal Services in remote administration mode? If you want the local administrator to have Terminal Services Administrator access, click Start, Programs, Administrative Tools, Terminal Services Configuration. Right-click RDP-Tcp and select Properties. Click the Permissions tab and select the desired rights for the OU Administrators Group. Of course, you first must install the Terminal Services client on the workstation.

That’s it! After completing these steps, you’re well on your way to making your network easier to manage and more secure.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.