
Change Default OU permissions in Active Directory


By default, the access control list of every newly created organizational unit (OU) contains an entry granting Read permission to the built-in Authenticated Users group. As a result, every user of the domain can browse the contents of any OU with the Active Directory Users and Computers snap-in (or any LDAP client). To hide a particular OU from ordinary users, you would normally have to edit the security settings of that OU by hand every time. You can avoid this manual editing by changing the default security of the Organizational Unit class in the schema, so that new OUs are created without that permission.

Changing Default OU permissions

In Active Directory the default security of an object class is stored in the Active Directory schema, so the change is made by modifying the schema. To do this we need the «Active Directory Schema» snap-in. It is not available by default: for safety its DLL (schmmgmt.dll) is not registered on domain controllers, and it only appears in the MMC snap-in list after you register it.

Several important notes.

  • Be extremely careful when editing the Active Directory schema: the schema is shared by the whole forest, so a mistake affects every domain in it.
  • To make changes to the schema, your account must be a direct member of the Schema Admins group (membership in Enterprise Admins or Domain Admins is not the same thing). Log off and on again after being added so that the new membership is present in your logon token, and remove yourself from the group again when you are done.
  • Schema changes can only be written on the domain controller holding the Schema Master FSMO role; the snap-in connects to it automatically, but that DC must be reachable.


First, open an elevated command prompt on the domain controller and register the dynamic library schmmgmt.dll, which is needed to run the snap-in:

regsvr32 schmmgmt.dll

Then open the mmc console and go to File -> Add / Remove Snap-in.



In the list of available snap-ins, select Active Directory Schema, press Add, then OK to add it to the console.


The Active Directory Schema snap-in lets you view and edit all existing classes and attributes in the Active Directory schema.

Expand the Active Directory Schema [DCname] node and go to the Classes section. In the class list, locate the class organizationalUnit, right-click it and select Properties.


In the class property page open the «Default Security» tab. It shows the default permissions that every new OU in Active Directory is created with (under the hood this is the defaultSecurityDescriptor attribute of the organizationalUnit class, stored as an SDDL string). You can either simply remove the Read permission for the Authenticated Users group here, or press the «Advanced» button to open the advanced security settings and remove only part of it.


If you open the Advanced Security Settings, select the Authenticated Users entry in the list of OU permissions and click Edit.


In the window that opens, specify the permissions you want new OUs to have. For example, remove the List contents permission but keep Read all properties: List contents is the right that governs whether a user can enumerate the child objects of the OU (the separate List object right only comes into play when List Object mode is enabled forest-wide through the dsHeuristics attribute).


Save the changes by pressing OK three times and close the snap-in. The change is written on the Schema Master, so before it takes effect everywhere you need to wait for the schema partition to replicate to all DCs in the forest.

From then on, whenever a new organizational unit is created in Active Directory, domain users will by default not be able to list the objects it contains.


This setting applies only to OUs created after the change. The permissions of existing OUs are not modified: the default security descriptor is only consulted at object creation time, so existing OUs keep their current ACLs and must be edited individually if you want to hide them as well.
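The same change can be scripted instead of clicked through. The following is an added example, not code from the original article: it reads the defaultSecurityDescriptor attribute of the organizationalUnit class (the SDDL string the Default Security tab edits), removes the List contents right from the Authenticated Users entry, writes it back on the Schema Master, and provides a check you can run against a newly created OU and a pre-existing one. It assumes the RSAT ActiveDirectory module is installed, the caller is an effective member of Schema Admins, and the backup path and the example OU distinguished name are placeholders of your choosing.

```powershell
# Added example (not from the original article). Assumes the RSAT ActiveDirectory
# module, a caller whose logon token already contains Schema Admins, and that
# $BackupPath is a location you choose for the pre-change SDDL.
Import-Module ActiveDirectory

$Apply      = $false                                        # set to $true to write the change
$BackupPath = Join-Path $env:TEMP 'organizationalUnit-defaultSD.sddl.bak'

# Schema writes only succeed on the Schema Master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$ouClassDN    = "CN=Organizational-Unit,$schemaNC"

$currentSddl = (Get-ADObject -Identity $ouClassDN -Server $schemaMaster `
                   -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
Set-Content -Path $BackupPath -Value $currentSddl           # keep a copy for rollback
Write-Host "Current defaultSecurityDescriptor:`n$currentSddl`n"

# Remove-RightFromTrustee: strip one access right from every Allow ACE granted to
# the given SID in an SDDL string, leaving all other ACEs and rights untouched.
function Remove-RightFromTrustee {
    param(
        [string]$Sddl,
        [string]$TrusteeSid,
        [System.DirectoryServices.ActiveDirectoryRights]$Right
    )
    $sd   = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $mask = [int]$Right
    foreach ($ace in $sd.DiscretionaryAcl) {
        # Allow ACEs are CommonAce or ObjectAce; both derive from KnownAce, which
        # exposes the trustee SID and a writable AccessMask.
        if ($ace -is [System.Security.AccessControl.KnownAce] -and
            ($ace.AceType -eq 'AccessAllowed' -or $ace.AceType -eq 'AccessAllowedObject') -and
            $ace.SecurityIdentifier.Value -eq $TrusteeSid -and
            (($ace.AccessMask -band $mask) -ne 0)) {
            $ace.AccessMask = $ace.AccessMask -band (-bnot $mask)
        }
    }
    return $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Authenticated Users is the well-known SID S-1-5-11. ListChildren is the
# "List contents" right (LC in SDDL) that governs enumeration of child objects.
$newSddl = Remove-RightFromTrustee -Sddl $currentSddl -TrusteeSid 'S-1-5-11' `
               -Right ([System.DirectoryServices.ActiveDirectoryRights]::ListChildren)
Write-Host "New defaultSecurityDescriptor:`n$newSddl`n"

if ($newSddl -eq $currentSddl) {
    Write-Host 'Authenticated Users already lack List contents in the default descriptor; nothing to do.'
} elseif ($Apply) {
    Set-ADObject -Identity $ouClassDN -Server $schemaMaster `
        -Replace @{ defaultSecurityDescriptor = $newSddl }
    Write-Host "Written on $schemaMaster; wait for schema replication before testing on other DCs."
} else {
    Write-Host 'Dry run only. Set $Apply = $true to write the change to the schema.'
}

# Test-OuListableByAuthUsers: return the Allow ACEs that let Authenticated Users
# enumerate the children of an OU. Expect no output for an OU created after the
# schema change, and the usual ACE for an OU that existed before it.
function Test-OuListableByAuthUsers {
    param([string]$OuDistinguishedName)
    $lc = [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren
    (Get-Acl -Path "AD:\$OuDistinguishedName").Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $lc) -ne 0)
    }
}
# Example call; the OU name is a placeholder:
# Test-OuListableByAuthUsers 'OU=NewOU,DC=example,DC=com'
```

Run it once as a dry run and compare the two SDDL strings before setting $Apply to $true; GetSddlForm may re-serialize the descriptor with slightly different ordering or flags, so judge the change by the Authenticated Users ACE rather than by a character-for-character diff. The verification function works on any OU, which also makes the caveat above visible: a pre-existing OU still returns the Allow ACE until you remove List contents from its own ACL (for example with Set-Acl on the AD: drive or dsacls).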

