How to Delegate Control Over Specific AD Computer Objects Without Inheritance Issues

Researcher 6 Reputation points
2024-10-16T09:36:09.1933333+00:00

Hello everyone,

I'm currently managing a situation where I need to delegate control to allow a group of users to delete/add specific computer objects in Active Directory (AD) under the default Computers container. Here’s what I’ve done so far:

  1. I used Delegate Control on the Computers container to allow a group of users to delete/add computer objects.
  2. However, I’ve noticed that this permission gets inherited by all computer objects under that container, which is not ideal for my scenario.

My objective is to restrict deletion of only specific computer objects under the Computers container for permitted users. I don't want permitted users to have the ability to delete server computers that are also located in the same container. For management reasons, I do not wish to create new OUs and move specific computers there to delegate permissions more granularly.

Here are my questions:

a) Is there a way to delegate control to groups instead of relying solely on OUs for permission delegation?

b) How can I explicitly deny permission to delete certain computer objects while allowing deletion for others, all within the same Computers container?

c) Is there a workaround that allows me to selectively apply permissions without inheritance affecting all objects in the container?

NOTE: I am currently using Windows Server 2012 R2.

I appreciate any guidance or solutions you can provide.
Thank you!


1 answer

  1. Clément BETACORNE 2,341 Reputation points
    2024-10-17T08:19:17.5633333+00:00

    Hello,

    Technically you can do it, but from a management perspective it will be a nightmare. You will have to go through all computer objects and set the permission directly on them, either by right-clicking the computer object or via PowerShell, but it will require more effort. The easiest way is via delegation on an OU.

    To answer your questions:

    a) --> Yes, you can delegate it to a group, but you have to set it on the computer object you want.

    b) --> Yes, you can explicitly deny it directly on the computer object.

    c) --> Yes, you have to do it directly on the computer objects within the Computers container.

    Regards,

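The per-object approach the answer describes, as an added PowerShell example that is not part of the original answer. It assumes the ActiveDirectory module, a hypothetical delegated group `Workstation-Admins`, and constructed computer names (`WS-01`, `WS-02`, `SRV-FILE01`, `SRV-SQL01`); every ACE is stamped with inheritance type `None`, so nothing propagates to other objects in the container.

```powershell
# Added example (not the answerer's script). Assumes the ActiveDirectory module,
# a hypothetical group 'Workstation-Admins' and the constructed computer names below.
Import-Module ActiveDirectory

$Rights  = [System.DirectoryServices.ActiveDirectoryRights]
$Type    = [System.Security.AccessControl.AccessControlType]
$Inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

$groupSid  = [System.Security.Principal.SecurityIdentifier](Get-ADGroup 'Workstation-Admins').SID
$container = (Get-ADDomain).ComputersContainer          # e.g. CN=Computers,DC=corp,DC=example
$computerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class 'computer'

$deletableWorkstations = 'WS-01', 'WS-02'               # constructed names
$protectedServers      = 'SRV-FILE01', 'SRV-SQL01'       # constructed names

function Add-Ace {
    param([string]$Dn, [System.DirectoryServices.ActiveDirectoryAccessRule]$Rule)
    $acl = Get-Acl -Path "AD:\$Dn"       # AD: drive is provided by the ActiveDirectory module
    $acl.AddAccessRule($Rule)            # .NET keeps the DACL canonical (explicit Deny before Allow)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

# 1. Allow creating computer objects on the container itself only. $Inherit::None means the
#    ACE is not propagated to child objects, unlike the Delegation Wizard's default.
$createRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $groupSid, $Rights::CreateChild, $Type::Allow, $computerClassGuid, $Inherit::None
Add-Ace -Dn $container -Rule $createRule

# 2. Allow Delete only on the named workstation objects, one ACE per object.
foreach ($name in $deletableWorkstations) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $groupSid, $Rights::Delete, $Type::Allow, $Inherit::None
    Add-Ace -Dn (Get-ADComputer $name).DistinguishedName -Rule $rule
}

# 3. Explicitly deny Delete and DeleteTree on the servers. An explicit Deny on the object
#    wins over any Allow the group inherits from the container, so servers stay protected
#    even if an older inherited delegation is still present.
foreach ($name in $protectedServers) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $groupSid, ($Rights::Delete -bor $Rights::DeleteTree), $Type::Deny, $Inherit::None
    Add-Ace -Dn (Get-ADComputer $name).DistinguishedName -Rule $rule
}

# Verify: show the ACEs that reference the group on one protected server.
(Get-Acl -Path "AD:\$((Get-ADComputer $protectedServers[0]).DistinguishedName)").Access |
    Where-Object { $_.IdentityReference -like '*Workstation-Admins' } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
```

A Deny ACE applies to every member of the group, including members who hold that right through another group, so review group membership before adding the server denies.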
