Change Default OU permissions in Active Directory

By default, the access control list of each newly created organizational unit (OU) grants Read permission to the built-in Authenticated Users group. This allows every user in the domain to view the contents of any OU in Active Directory using the Active Directory Users and Computers snap-in. Accordingly, to hide a specific OU from users, you have to edit the security settings of that organizational unit manually every time. You can avoid this manual editing of OU permissions by changing the default security settings of the Organizational Unit class.

Changing Default OU Permissions

In Active Directory you can change the properties of an object class by modifying the Active Directory schema. To do this, you need to install the «Active Directory Schema» snap-in (for security reasons, this snap-in is disabled by default on domain controllers).

Several important notes:

  • When editing the Active Directory schema, you must be extremely careful, because the changes affect the entire forest.
  • To make changes to the schema, your account must be a direct member of the Schema Admins group (the Enterprise Admins and Domain Admins groups are not the same as Schema Admins).

[Screenshot: Schema Admins group properties]

First, open an elevated Command Prompt on a domain controller and register the dynamic library schmmgmt.dll, which is needed to run the snap-in:

regsvr32 schmmgmt.dll

Then open the mmc console and go to File -> Add / Remove Snap-in.


[Screenshot: Add / Remove Snap-ins dialog]

In the list of available snap-ins, select Active Directory Schema and add it to the console by pressing Add and then OK.

[Screenshot: Active Directory Schema snap-in]

The Active Directory Schema snap-in allows you to edit all existing classes and attributes of Active Directory.

Expand Active Directory Schema (Dcname1) and go to the Classes section. In the class list, locate the class organizationalUnit, right-click it and select Properties.

[Screenshot: organizationalUnit class in the Classes list]

In the class property page, open the «Default Security» tab. This tab contains the default permissions for new OUs in Active Directory. You can simply remove the Read permission for the Authenticated Users group, or use the «Advanced» button, which takes you to the advanced security settings.

[Screenshot: organizationalUnit class properties, Default Security tab]

If you select Advanced Security Settings, in the list of OU permissions select the Authenticated Users group and click Edit.

[Screenshot: Advanced Security Settings for the OU class]

In the newly opened window, specify the desired OU permissions. For example, we want to remove the List Object permission but leave the Read all properties permission for all objects in the OU.

[Screenshot: Permission Entry for Authenticated Users]

Save the changes by pressing the OK button three times and close the snap-in. To apply the changes in AD, you need to wait some time for the schema changes to replicate to all DCs in your forest.


After that, when you create a new Organizational Unit in Active Directory, domain users will by default not be able to view the list of objects it contains.

These settings apply only to newly created OUs; the permissions of existing OUs are not changed.
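The same default ACL can be audited and edited from PowerShell instead of the Schema snap-in. The script below is an added example, not part of the article: it reads the defaultSecurityDescriptor (SDDL) of the organizationalUnit schema class, decodes each ACE, and builds a hardened SDDL string in which List Object is stripped from the Authenticated Users entry while Read all properties is kept. It assumes the RSAT ActiveDirectory module; the function names and the sample SDDL string are constructed for this example, and writing the result back requires Schema Admins membership.

```powershell
# Added example, not from the article: audit the schema default ACL for new OUs
# and build a hardened SDDL string. Assumes the ActiveDirectory RSAT module;
# writing the result back (Set-ADObject) needs Schema Admins membership.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Get-OuClassDn {
    # DN of the organizationalUnit class object in the schema partition.
    "CN=Organizational-Unit,$((Get-ADRootDSE).schemaNamingContext)"
}

function Get-OuDefaultAces {
    # Reads defaultSecurityDescriptor (SDDL) and lists each DACL entry with decoded rights.
    $class = Get-ADObject -Identity (Get-OuClassDn) -Properties defaultSecurityDescriptor
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($class.defaultSecurityDescriptor)
    foreach ($ace in $sd.DiscretionaryAcl) {
        [pscustomobject]@{
            Sid    = $ace.SecurityIdentifier.Value   # S-1-5-11 is Authenticated Users
            Type   = $ace.AceType
            Rights = [System.DirectoryServices.ActiveDirectoryRights]$ace.AccessMask
        }
    }
}

function Remove-RightsFromSddl {
    # Strips the given rights from every ACE of $Sid and returns the new SDDL.
    # Mirrors the article's GUI step: drop List Object, keep Read all properties.
    param(
        [Parameter(Mandatory)][string]$Sddl,
        [string]$Sid = 'S-1-5-11',
        [System.DirectoryServices.ActiveDirectoryRights]$Rights = 'ListObject'
    )
    $sd  = New-Object System.Security.AccessControl.RawSecurityDescriptor($Sddl)
    $who = New-Object System.Security.Principal.SecurityIdentifier($Sid)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.SecurityIdentifier -eq $who) {
            $ace.AccessMask = $ace.AccessMask -band (-bnot [int]$Rights)
        }
    }
    $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
}

# Constructed sample SDDL (shape of the stock default, not read from a live forest).
$sample   = 'D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPLCLORC;;;AU)'
$hardened = Remove-RightsFromSddl -Sddl $sample

# Live run (uncomment): review the current ACEs first, then write back with confirmation.
# Get-OuDefaultAces | Format-Table
# $current = (Get-ADObject (Get-OuClassDn) -Properties defaultSecurityDescriptor).defaultSecurityDescriptor
# Set-ADObject -Identity (Get-OuClassDn) -Replace @{defaultSecurityDescriptor = (Remove-RightsFromSddl $current)} -Confirm
```

As with the snap-in, the change is forest-wide and only takes effect for OUs created after the schema change has replicated; re-run Get-OuDefaultAces on another DC to confirm replication.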

Cyril Kardashevsky

2 comments

  1. I am sorry for that question, but I really need help.

    We were trying to avoid that some users can see objects in the Active Directory.
    (Properties | Security Tab)

    Something we did wrong and now the AD is no longer available, and if I open “ACTIVE DIRECTORY USERS AND COMPUTERS” I become a message that “the specified directory service attribute or value does not exist” and there is nothing to display in my AD structure…

    Can someone help me, please?
    Thanks in advance
