Active Directory OU Security TAB (best practice)

    Question

  • Okay, I'm not a beginner to Active Directory, but it isn't my specialty. I've had this AD for a long time and I never really took a look at OU Security until I had an issue related to it. Then I saw the mess that my OU Security was. This AD has been upgraded and migrated since Windows 2000 and there are a lot of legacy and weird security entries in the OUs that were causing a whole whack of issues.

    My question is, if I want to clean this up, what are the best practices for OU security? I tried to look this up, but it seems like 99% of people never even look at this.

    Would love to hear what people have to say

    Friday, January 13, 2017 4:31 PM

All replies

  • This sounds more like AD maintenance than security. Or are you referring to OU security group cleanup?

    Giving us an example of the issue you see and your ideas on fixing it would help.

    Friday, January 13, 2017 4:52 PM
  • The best practices would be to keep only the needed permissions. I would advise that you create a new test domain and you compare the default permissions with what you have now. That will allow you to see what are the differences so that you can start planning on what are the changes that are needed. If accounts have been delegated permissions, it should be for some operational reasons or to make an application work. It would be tricky to understand the reason behind the delegation but you need to identify the requirements, identify the default permissions, identify the gap then decide on what needs to be kept / removed.

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK

    Sunday, January 15, 2017 11:56 PM
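
The baseline comparison suggested in the reply above, as an added PowerShell example (not code from the thread or from Microsoft). The function names `Get-OuExplicitAce` and `Compare-OuAce`, the domain and OU names, the `OldHelpdesk` group and all sample ACEs are assumptions constructed for illustration.

```powershell
# Added example, not from the thread. All sample ACEs and names are constructed.

function Get-OuExplicitAce {
    # Explicit (non-inherited) ACEs on one OU. Needs the RSAT ActiveDirectory
    # module, which provides the AD: drive used by Get-Acl.
    param([string]$OuDn, [string]$NetBiosName)
    Import-Module ActiveDirectory
    $prefix = '^' + [regex]::Escape($NetBiosName) + '\\'
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            [pscustomobject]@{
                OU         = $OuDn
                # Neutral prefix so test and production principals compare equal
                Identity   = ([string]$_.IdentityReference) -replace $prefix, 'DOMAIN\'
                Rights     = [string]$_.ActiveDirectoryRights
                Type       = [string]$_.AccessControlType
                ObjectType = [string]$_.ObjectType
            }
        }
}

function Compare-OuAce {
    # '=>' rows exist only on the reviewed OU, '<=' rows only in the baseline.
    param([object[]]$Baseline, [object[]]$Current)
    Compare-Object $Baseline $Current -Property Identity, Rights, Type, ObjectType -PassThru |
        Select-Object SideIndicator, OU, Identity, Rights, Type, ObjectType
}

# Constructed stand-ins for Get-OuExplicitAce output (not the real schema defaults)
$all = '00000000-0000-0000-0000-000000000000'   # empty GUID: ACE applies to all object types
$baseline = @(
    [pscustomobject]@{ OU='OU=Fresh,DC=test,DC=example'; Identity='DOMAIN\Domain Admins'; Rights='GenericAll'; Type='Allow'; ObjectType=$all }
    [pscustomobject]@{ OU='OU=Fresh,DC=test,DC=example'; Identity='NT AUTHORITY\Authenticated Users'; Rights='GenericRead'; Type='Allow'; ObjectType=$all }
)
$current = @(
    [pscustomobject]@{ OU='OU=Sales,DC=corp,DC=example'; Identity='DOMAIN\Domain Admins'; Rights='GenericAll'; Type='Allow'; ObjectType=$all }
    # Constructed legacy delegation that has no counterpart in the baseline
    [pscustomobject]@{ OU='OU=Sales,DC=corp,DC=example'; Identity='DOMAIN\OldHelpdesk'; Rights='GenericAll'; Type='Allow'; ObjectType=$all }
)

Compare-OuAce -Baseline $baseline -Current $current | Format-Table -AutoSize

# Against live domains (run once per domain, then compare the two results):
#   $baseline = Get-OuExplicitAce -OuDn 'OU=Fresh,DC=test,DC=example'  -NetBiosName 'TEST'
#   $current  = Get-OuExplicitAce -OuDn 'OU=Sales,DC=corp,DC=example' -NetBiosName 'CORP'
```

An OU with "Protect object from accidental deletion" enabled carries an explicit Deny ACE for Everyone, so create the baseline OU with the same setting as the OUs under review.
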
  • Hi,
    Alternatively, if you can make sure that the default permissions on the OU are fine for your environment, you could restore or reset the default permissions for the OU. In this case, you could refer to the following articles regarding this action:
    Restore Default Permissions on Active Directory Organizational Units (OU)
    https://social.technet.microsoft.com/wiki/contents/articles/18726.restore-default-permissions-on-active-directory-organizational-units-ou.aspx
    How can I reset the default permissions on an Active Directory (AD) object?
    http://windowsitpro.com/security/q-how-can-i-reset-default-permissions-active-directory-ad-object
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 16, 2017 8:16 AM
    Moderator
  • Hi,

    I am checking how the issue is going. If you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you marked them as answers. If you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    I appreciate your feedback.

    Best regards,

    Wendy



    Friday, January 20, 2017 9:31 AM
    Moderator