Using object ACLs
User or group access permissions to a shared folder are managed by its ACL. In the same way, permissions on AD objects are defined by ACLs. An ACL can be applied to an individual object or to an AD site/domain/Organizational Unit (OU), and the permissions set at that level can then be inherited by the objects beneath it.
As an example, I have a security group called First Line Engineers, and Liam is a member of this group. Liam is an engineer in the Europe office. In the AD environment, Liam should be allowed to add user objects under any sub-OU that is under the Europe OU. However, he should not be allowed to delete any objects that are under it. Let's see how we can do this using ACLs:
- Log in to the domain controller as a domain admin/enterprise admin.
- Review the group membership using the following command:

        Get-ADGroupMember "First Line Engineers"

- Go to Active Directory Users and Computers (ADUC), right-click on the Europe...
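The same delegation can be scripted and, more importantly, verified afterwards. The following PowerShell is an added example, not code from the book: it grants the First Line Engineers group the right to create user objects on the Europe OU (inherited by every sub-OU), grants nothing that would allow deletion, and then reads the ACL back to confirm that no ACE for the group carries a delete right. The domain name `corp.example` and the OU distinguished name are placeholders; the GUID is the well-known schemaIDGUID of the `user` class.

```powershell
# Added example (not from the book): delegate "create user objects, never delete"
# on the Europe OU and verify the result.
# Assumptions: domain corp.example (placeholder), Europe OU at the domain root,
# ActiveDirectory module available, and the caller may modify the OU's ACL.
Import-Module ActiveDirectory

$ouDn          = "OU=Europe,DC=corp,DC=example"                  # placeholder DN
$groupSid      = (Get-ADGroup "First Line Engineers").SID
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"    # schemaIDGUID of the 'user' class

# 1. Read the current ACL of the OU through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$ouDn"

# 2. Allow ACE: create child objects of class 'user', inherited by all objects below the OU.
#    Only CreateChild is granted; Delete, DeleteChild and DeleteTree are deliberately absent.
$allowCreateUser = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($allowCreateUser)

# 3. Write the modified ACL back to the OU.
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Verification: list every ACE on the OU that applies to the group and flag delete rights.
$deleteRights = [System.DirectoryServices.ActiveDirectoryRights]::Delete -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$groupName    = $groupSid.Translate([System.Security.Principal.NTAccount]).Value

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $groupName } |
    ForEach-Object {
        [pscustomobject]@{
            Rights       = $_.ActiveDirectoryRights
            Type         = $_.AccessControlType
            ObjectType   = $_.ObjectType          # user-class GUID for the ACE added above
            Inheritance  = $_.InheritanceType
            GrantsDelete = ($_.AccessControlType -eq 'Allow') -and
                           (($_.ActiveDirectoryRights -band $deleteRights) -ne 0)
        }
    } | Format-Table -AutoSize
```

Because a standard OU grants no delete rights to ordinary users by default, the least-privilege approach is to grant only `CreateChild` for the `user` class and leave delete rights ungranted, rather than adding an explicit Deny ACE; the verification step at the end is what you would rerun periodically to confirm that nobody has since widened the delegation.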