Securing OU Structure
AD domain based on Windows 2008 Standard Server. 10 OUs created to reflect the geographical structure of the organisation. At the moment all IT Admin staff (20 people) are members of the Domain Admins group and consequently have a lot more rights than they need. I'd like to only give an IT admin staff member rights to the OU that he/she is responsible for. What is the best approach to achieve this?
Thanks in advance.
paddy ryan
December 22nd, 2009 1:38pm
1. Remove the IT Admins from Domain Admins.
2. Create a group for each OU. These groups will hold the admins for each specific OU.
3. Add the IT Admins to the correct group.
4. Right-click each OU and run the Delegation of Control Wizard.
5. In the wizard, assign the corresponding group the rights and permissions you want them to have.
Paul Adare
CTO
IdentIT Inc.
ILM MVP
December 22nd, 2009 2:06pm
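The five steps above, scripted with the ActiveDirectory PowerShell module instead of the wizard. This is an added example, not code from the thread; the OU, group and account names are constructed placeholders, the group is deliberately created outside the OU it manages (as the later reply advises), and the ACEs granted match the wizard's "Create, delete, and manage user accounts" common task.

```powershell
Import-Module ActiveDirectory

# Constructed placeholder names; substitute your own OU, group and account.
$domainDN  = (Get-ADDomain).DistinguishedName
$targetOU  = "OU=Dublin,$domainDN"               # the OU this admin is responsible for
$groupsOU  = "OU=Delegation Groups,$domainDN"    # kept outside the delegated OUs
$groupName = "OU-Admins-Dublin"
$adminUser = "pryan"

# Step 2: per-OU group, created where only Domain Admins can manage it
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'" -SearchBase $groupsOU)) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $groupsOU
}

# Steps 3 and 1: put the admin in the OU group first, then take them out of Domain Admins
Add-ADGroupMember -Identity $groupName -Members $adminUser
Remove-ADGroupMember -Identity "Domain Admins" -Members $adminUser -Confirm:$false

# Steps 4 and 5: write the ACEs the wizard would write, via the .NET ACL classes.
# The 'user' class GUID is read from the schema rather than hard-coded.
$schemaNC      = (Get-ADRootDSE).schemaNamingContext
$userClassGuid = [Guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=user)" `
                                     -Properties schemaIDGUID).schemaIDGUID
$groupSid = (Get-ADGroup $groupName).SID
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$acl      = Get-Acl -Path "AD:\$targetOU"

# Create and delete user objects in the OU and any child OUs
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild", $allow,
    $userClassGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
# Full control over the user objects that already exist beneath the OU
$manageUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid, [System.DirectoryServices.ActiveDirectoryRights]::GenericAll, $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userClassGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($manageUsers)
Set-Acl -Path "AD:\$targetOU" -AclObject $acl

# Check: show the ACEs now held by the group (what the OU's Security tab displays)
(Get-Acl -Path "AD:\$targetOU").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType -AutoSize

# To undo the delegation later (the manual Security-tab removal described below):
#   $acl.PurgeAccessRules($groupSid); Set-Acl -Path "AD:\$targetOU" -AclObject $acl
```

Run it as a Domain Admin; the ActiveDirectory module ships with RSAT on Windows Server 2008 R2 and later, so on plain 2008 the wizard steps above remain the route.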
Paul, should the group that will contain the IT Admin accounts be created within the OU that I want the IT admins to administer, or elsewhere in the OU structure?
Thanks.
paddy ryan
December 22nd, 2009 2:11pm
For security purposes, you probably only want Domain Admins to be able to manage the OU-specific groups so you probably don't want them in the OUs that the group is going to be managing.
Paul Adare
December 22nd, 2009 2:15pm
Good point. One other question: how do I change delegation of an OU once it has been delegated? I followed your steps from your original reply to my post, but now I can't seem to make changes to the "common tasks" that I delegated?
Thanks,
paddy ryan
December 22nd, 2009 2:31pm
I don't know exactly what you're getting at here or what you're trying to do, but the easiest way to set the permissions back to the way they were before you ran the wizard is to log on as a Domain Admin, go to the Security tab in the Properties dialog for the OU and simply remove the group that was added by the Delegation of Control wizard.
Paul Adare
December 22nd, 2009 2:40pm
Yes, this is what I'm looking for. I've one more question. Can I set it up so that only the OUs that have been delegated control are visible to the IT admins using AD Users and Computers? The OUs that they do not have control over should not be visible. Is this possible?
Thanks for all your responses. Much appreciated.
paddy ryan
December 22nd, 2009 2:58pm
No, not possible.
Paul Adare
December 22nd, 2009 3:29pm