
Change Default OU permissions in Active Directory

By default, the access list of every newly created organizational unit (OU) contains an allow entry for the built-in group Authenticated Users that grants read access (in SDDL terms RPLCLORC: Read all properties, List contents, List object and Read permissions). Because of this, every user of the domain can browse the contents of any OU, for example with the Active Directory Users and Computers snap-in or a plain LDAP query. To hide a particular OU from users you therefore have to edit the security settings of that OU by hand every time. You can avoid this manual editing by changing the default security descriptor of the organizationalUnit class in the schema, which is what every new OU's ACL is built from.

Changing Default OU Permissions

In Active Directory the default permissions of an object class are stored in the defaultSecurityDescriptor attribute of the class definition, so changing them means modifying the Active Directory schema. To do this we need the Active Directory Schema MMC snap-in. It is not available by default on a domain controller because its library, schmmgmt.dll, is not registered; the snap-in does not appear in the MMC list until you register it.

Several important notes.

  • Be extremely careful when editing the Active Directory schema: schema changes are forest-wide, replicate to every domain controller in the forest, and cannot simply be undone.
  • To make changes to the schema, your account must be a direct member of the Schema Admins group. Membership in Enterprise Admins or Domain Admins is not sufficient; by default only the built-in Administrator account of the forest root domain is a member of Schema Admins. After adding your account to the group, log off and on again so that the new group SID is present in your access token.


First, open an elevated command prompt on the domain controller and register the schmmgmt.dll library, which is needed to run the snap-in:

regsvr32 schmmgmt.dll

Then start the MMC console (mmc.exe) and go to File -> Add/Remove Snap-in.


In the list of available snap-ins, select Active Directory Schema and add it to the console by clicking Add and then OK.


The Active Directory Schema snap-in lets you view and edit all existing classes and attributes of the Active Directory schema.

Expand the Active Directory Schema (Dcname1) node and go to the Classes section. In the class list, locate the organizationalUnit class, right-click it and select Properties.


In the class properties window open the Default Security tab. This tab shows the default permissions that every new OU in Active Directory receives. You can either remove the Read permission for the Authenticated Users group entirely, or click Advanced to open the advanced security settings and edit individual rights.


In the Advanced Security Settings window, select the Authenticated Users entry in the list of permissions and click Edit.


In the window that opens, specify the OU permissions you want. For example, to hide the objects inside the OU while still letting users read the OU's own attributes, clear List contents (the right that allows a caller to enumerate the child objects of the container) and leave Read all properties enabled. Note that List object is a different right: it only takes effect when List Object mode is enabled for the forest (the dsHeuristics attribute), so in a default forest clearing List object alone does not hide the OU's contents.


Save the changes by clicking OK three times and close the snap-in. The new value is written to the defaultSecurityDescriptor attribute of the organizationalUnit class on the schema master. It takes effect only after the schema master reloads its schema cache (this happens automatically within about five minutes, or immediately if you trigger the schemaUpdateNow operation on rootDSE) and the change has replicated to all DCs in the forest.

After that, every new organizational unit created in Active Directory no longer grants Authenticated Users the right to list its contents, so regular domain users cannot browse the objects inside it, either in ADUC or through LDAP enumeration. Keep in mind that this hides objects rather than protecting them: the objects inside the OU still carry their own default ACLs (user, group and computer objects also grant Authenticated Users read access by default), and inheritable permissions from the parent container still apply, so anyone who knows or guesses an object's distinguished name can still read it directly.

The change applies only to OUs created after the schema has been updated. The permissions of existing OUs are not modified and must still be edited manually or with a script.
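The same change done from PowerShell, as an added example that is not part of the original article: it reads the defaultSecurityDescriptor of the organizationalUnit class from the schema master, removes only the List contents right (ListChildren) from the Authenticated Users entries, writes the new SDDL back and forces a schema cache reload, then provides a helper to verify a freshly created OU. It assumes the RSAT ActiveDirectory module, an account that is a member of Schema Admins, and a local $Apply switch introduced here for a dry run; the OU and domain names in the trailing usage comment are placeholders.

```powershell
# Added example (not the article's own procedure): change the default OU
# permissions with the ActiveDirectory module instead of the Schema snap-in.
# Assumptions: RSAT ActiveDirectory module, Schema Admins membership, and
# that writes must go to the schema master. Nothing is written while $Apply
# is $false; the script only shows the current and the proposed SDDL.
Import-Module ActiveDirectory

$Apply = $false   # set to $true to actually write the new defaultSecurityDescriptor

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# The classSchema object for organizationalUnit. Its defaultSecurityDescriptor
# (an SDDL string) is exactly what the "Default Security" tab of the snap-in edits.
$ouClass = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=organizationalUnit))' `
    -Properties defaultSecurityDescriptor

Write-Host "Current SDDL: $($ouClass.defaultSecurityDescriptor)"

# Parse the SDDL so individual ACEs can be inspected and edited.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($ouClass.defaultSecurityDescriptor)

$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'  # Authenticated Users (AU)
$sidType   = [System.Security.Principal.SecurityIdentifier]
$listKids  = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren       # "List contents" in the GUI

$auRules = @($sd.GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference -eq $authUsers })
$auRules | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType -AutoSize

# Strip only ListChildren from each Authenticated Users ACE and keep the rest
# (ReadProperty, ListObject, ReadControl), mirroring the GUI steps above.
foreach ($rule in $auRules) {
    $null = $sd.RemoveAccessRuleSpecific($rule)
    $kept = [int]$rule.ActiveDirectoryRights -band (-bnot [int]$listKids)
    if ($kept -ne 0) {
        $newRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $authUsers, [System.DirectoryServices.ActiveDirectoryRights]$kept,
            $rule.AccessControlType, $rule.InheritanceType)
        $sd.AddAccessRule($newRule)
    }
}

# Emit only the DACL section (D:...) so no owner, group or SACL parts get added.
$newSddl = $sd.GetSecurityDescriptorSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
Write-Host "New SDDL:     $newSddl"

if ($Apply) {
    Set-ADObject -Server $schemaMaster -Identity $ouClass.DistinguishedName `
        -Replace @{ defaultSecurityDescriptor = $newSddl }
    # Reload the schema cache on the schema master now instead of waiting ~5 minutes.
    $rootDse = [ADSI]"LDAP://$schemaMaster/RootDSE"
    $rootDse.Put('schemaUpdateNow', 1)
    $rootDse.SetInfo()
}

# Verification helper: can Authenticated Users still list the contents of a given OU?
# Run it against an OU created after the change has replicated; expect $false.
function Test-OUListableByAuthenticatedUsers {
    param([Parameter(Mandatory)][string]$OUDistinguishedName)
    $acl = Get-Acl -Path "AD:\$OUDistinguishedName"
    $hits = @($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
        (([int]$_.ActiveDirectoryRights -band [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren) -ne 0)
    })
    return ($hits.Count -gt 0)
}

# Usage (placeholder names; 'contoso.com' is not from the article):
# New-ADOrganizationalUnit -Name 'HiddenTest' -Path 'DC=contoso,DC=com'
# Test-OUListableByAuthenticatedUsers 'OU=HiddenTest,DC=contoso,DC=com'   # expected: False
```

The script edits the parsed security descriptor rather than the raw SDDL string so that any other Authenticated Users entries and all non-AU ACEs are carried over untouched. If the verification helper still returns True for a new OU, check for an inheritable Authenticated Users entry on the parent container: inherited ACEs are merged into the new OU's ACL and are not affected by the schema default.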
