
UW Windows Infrastructure Delegated OU Permissions

The permissions granted to departmental Windows administrators on delegated OUs are a complex and lengthy set of ACEs. Rather than listing those permissions exactly, this page describes the recipe for granting them, which will likely give you a better picture of what they are.

  • Create delegation group
  • On delegated OU, add full control ACE for delegation group, for 'this object and all child objects'
  • Remove 'modify permissions' permission
  • Remove 'Create user objects' permission
  • Remove 'Create group objects' permission
  • Remove 'Create contact objects' permission
  • Accept the 'oh my gosh, you'll create 87 ACEs' warning.
  • Accept the warning again.

In other words, you have full control of your OU, but are unable to create users, groups, or contacts, and are unable to set permissions. This set of permissions is designed to maximize your abilities, while protecting UWWI.
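
One way to check that a delegated OU still matches this recipe, as an added example (not UWWI's own tooling): the function flags any Allow ACE for the delegation group that grants 'modify permissions' or the creation of user, group, or contact objects. The group name `EXAMPLE\ou_admins`, the helper names, and the sample ACEs are constructed; on a domain-joined host with the ActiveDirectory module loaded, pass `(Get-Acl "AD:\<OU distinguished name>").Access` as `-Ace` instead.

```powershell
# Added example: audit a delegated OU's ACEs against the recipe above.
# Access-mask bits from ActiveDirectoryRights.
$CreateChild = 0x1        # 'Create ... objects'
$WriteDacl   = 0x40000    # 'Modify permissions'
$AllClasses  = '00000000-0000-0000-0000-000000000000'  # ACE not scoped to one class
# schemaIDGUIDs of the object classes the recipe forbids creating.
$Forbidden = @{
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    'bf967a9c-0de6-11d0-a285-00aa003049e2' = 'group'
    '5cb41ed0-0e4c-11d0-a286-00aa003049e2' = 'contact'
}

function Test-DelegatedOuAcl {
    param([Parameter(Mandatory)][object[]]$Ace, [Parameter(Mandatory)][string]$Group)
    foreach ($a in $Ace) {
        # Only Allow ACEs granted directly to the delegation group are examined;
        # Deny ACEs and nested group membership are not evaluated.
        if ("$($a.IdentityReference)" -ne $Group) { continue }
        if ("$($a.AccessControlType)" -ne 'Allow') { continue }
        $rights = [int]$a.ActiveDirectoryRights
        $type   = "$($a.ObjectType)"
        $found  = @()
        if ($rights -band $WriteDacl) { $found += 'modify permissions' }
        if ($rights -band $CreateChild) {
            if ($type -eq $AllClasses)             { $found += 'create objects of any class' }
            elseif ($Forbidden.ContainsKey($type)) { $found += "create $($Forbidden[$type]) objects" }
        }
        foreach ($f in $found) {
            [pscustomobject]@{ Group = $Group; Violation = $f
                               Rights = '0x{0:X}' -f $rights; ObjectType = $type }
        }
    }
}

# Constructed sample ACEs (same property names as the rules Get-Acl returns).
function New-SampleAce($Rights, $ObjectType) {
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\ou_admins'; AccessControlType = 'Allow'
                       ActiveDirectoryRights = $Rights; ObjectType = $ObjectType }
}
$computer   = 'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the computer class
$beforeTrim = @(New-SampleAce 0xF01FF $AllClasses)     # GenericAll: the initial full control ACE
$afterTrim  = @(
    (New-SampleAce 0xB01FE $AllClasses)                # full control minus CreateChild and WriteDacl
    (New-SampleAce $CreateChild $computer)             # create computer objects only
)

Test-DelegatedOuAcl -Ace $beforeTrim -Group 'EXAMPLE\ou_admins'
Test-DelegatedOuAcl -Ace $afterTrim  -Group 'EXAMPLE\ou_admins'
```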