You want to delegate control of an OU to an administrative group in Active Directory.
This can be done using Active Directory Users and Computers (ADUC) and a target AD user or group.
- Log into a DC.
- Start ADUC.
- Navigate to the OU in question.
- Right-click the OU and click on Delegate Control.
- The Delegation of Control Wizard will launch. Click Next.
- Select the users and groups you wish to have control. Generally, you will choose an AD group here. Delegating permissions to a User is painful long-term because you’ll have to re-run this wizard for every change in who will manage this process, while using an AD group means you only need to change the AD group itself. Click Add.
- For our example, we’ll use the AD group “Japan OU Managers”. Your AD group will differ, but it’s always wise to create a specific AD group for this unless there is a good reason to do otherwise. Click OK.
- The wizard will find the group. Click Next.
- You can now choose what rights the delegation will provide to the target Japan OU Managers group. For our example, we’ll allow members of Japan OU Managers to create new accounts under the Japan OU and to reset passwords. Click Next.
- We’re all done. Click Finish.
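
After the wizard finishes, it is worth confirming what was actually written to the OU's ACL. The following PowerShell is an added example, not part of the original walkthrough: it lists the access control entries held by the delegated group and resolves their GUIDs to readable names. The domain `example.com` and the OU distinguished name are assumptions; the group name is the one used above.

```powershell
# Added example: audit what the delegation granted on the OU.
# Assumptions (not from the original page): domain example.com, an OU named
# "Japan" at the domain root, and the RSAT ActiveDirectory module installed.
Import-Module ActiveDirectory

$ouDn  = 'OU=Japan,DC=example,DC=com'   # assumed distinguished name
$group = 'Japan OU Managers'            # group used in the walkthrough

# Build a GUID -> name map so object-specific ACEs are readable.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(schemaIDGUID=*)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty) { return '(any)' }
    if ($guidMap.ContainsKey($g)) { return $guidMap[$g] }
    return $g.ToString()
}

# Read the OU's ACL through the AD: drive and keep only the group's ACEs.
$aces = (Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" }

if (-not $aces) { Write-Warning "No ACEs for '$group' found on $ouDn" }

# ObjectType = class/attribute/extended right the ACE covers;
# InheritedObjectType = descendant class the ACE is scoped to.
$aces | Select-Object ActiveDirectoryRights, AccessControlType, IsInherited,
    @{ n = 'Object';         e = { Resolve-Guid $_.ObjectType } },
    @{ n = 'AppliesToClass'; e = { Resolve-Guid $_.InheritedObjectType } } |
    Format-Table -AutoSize

# Flag grants that are not scoped to any object class: these reach beyond
# user accounts and are broader than this walkthrough intends.
$aces | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.InheritedObjectType -eq [guid]::Empty -and
    $_.ActiveDirectoryRights -match 'GenericAll|WriteDacl|WriteOwner'
} | ForEach-Object {
    Write-Warning "Unscoped broad right on ${ouDn}: $($_.ActiveDirectoryRights)"
}
```

Re-running this after any later change to the delegation gives a quick before/after comparison of the group's effective grants on the OU.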