Assign permissions to manage OU

I am having problems getting permissions to propagate to all objects within
an Active Directory OU. We are using Win 2003 domain controllers.
I have an Object named workstations. I would like to give a global security
group access to manage the workstations OU. The group needs to be able to
add/remove computers, add GPOs, etc.

At the Workstation OU I have used the Security tab to give the group
Read, Write, create all child objects, delete all child objects, etc. Under
the Advanced tab the box is checked to allow inheritable permissions to all
child objects. All child objects are set to inherit permissions from parent.


None of the child objects show the correct permissions for this group.

How do I get an Active directory OU object to allow permissions to propagate
to child objects? I don't want this group to have full control to the OU,
but I would like to have them able to manage everything in the OU.

thanks in advance.

JT

"JT" <> wrote in message
news:38BE1D83-6586-4DC9-A25C-...
>I am having problems getting permissions to propagate to all objects within
> an Active Directory OU. We are using Win 2003 domain controllers.
> I have an Object named workstations. I would like to give a global
> security
> group access to manage the workstations OU. The group needs to be able to
> add/remove computers, add GPOs, etc.
>
> At the Workstation OU I have used the Security tab to give the group
> Read, Write, create all child objects, delete all child objects, etc.
> Under
> the Advanced tab the box is checked to allow inheritable permissions to
> all
> child objects. All child objects are set to inherit permissions from
> parent.
>
>
> None of the child objects show the correct permissions for this group.
>
> How do I get an Active directory OU object to allow permissions to
> propagate
> to child objects? I don't want this group to have full control to the OU,
> but I would like to have them able to manage everything in the OU.
>
> thanks in advance.
>
> JT
>


You should really use the Delegation Wizard and not do it manually.

Hopefully these will help you:

Creating OUs to Delegate AdministrationTo delegate administration, grant a
group specific rights over an OU. To do this, you need to modify the access
control list (ACL) of the OU. ...
http://technet.microsoft.com/en-us/l.../cc960527.aspx

Delegating Administration by Using OU Objects: Domain Name System ...Mar 28,
2003 ... You can use organizational units to delegate the administration of
objects, such as users or computers, within the OU to a designated ...
http://technet.microsoft.com/en-us/l...79(WS.10).aspx

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA
2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check
http://support.microsoft.com for regional support phone numbers.

I'm with Ace, just use the delegation of authority wizard.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"JT" <> wrote in message
news:38BE1D83-6586-4DC9-A25C-...
>I am having problems getting permissions to propagate to all objects within
> an Active Directory OU. We are using Win 2003 domain controllers.
> I have an Object named workstations. I would like to give a global
> security
> group access to manage the workstations OU. The group needs to be able to
> add/remove computers, add GPOs, etc.
>
> At the Workstation OU I have used the Security tab to give the group
> Read, Write, create all child objects, delete all child objects, etc.
> Under
> the Advanced tab the box is checked to allow inheritable permissions to
> all
> child objects. All child objects are set to inherit permissions from
> parent.
>
>
> None of the child objects show the correct permissions for this group.
>
> How do I get an Active directory OU object to allow permissions to
> propagate
> to child objects? I don't want this group to have full control to the OU,
> but I would like to have them able to manage everything in the OU.
>
> thanks in advance.
>
> JT
>