This article demonstrates how to give a User or Group Full Permissions to a specific OU along with Read Permissions over the rest of the managed Domain.
The prerequisites and steps for this scenario:
1- Create a security group SEC_HelpdeskL2 and add your test user as a member
2- Create an OU called Test01 in Active Roles
3- Create two access templates like the following:
- Read&Write_Test01_OU
- ReadOnly_Testlab.abc_Domain (replace with your domain)
4- Open the Access Template Read&Write_Test01_OU and assign the following Permissions as shown:
5- Open the Access Template ReadOnly_Testlab.abc_Domain and assign the following Permissions as shown:
6- Go to Test01 in Active Roles, right-click it and select Delegate Control
7- Click Add and go through the Wizard, then add the existing SEC_HelpdeskL2 group under Selected users and groups:
8- In the next window, under Access Templates, look up the existing access template Read&Write_Test01_OU, select its checkbox, then click Next and Finish
9- Go to the domain level (testlab.abc in this example), then right-click it and select Delegate Control
10- Follow steps 7 & 8, but for the access template choose the existing ReadOnly_Testlab.abc_Domain, select its checkbox, then click Next and Finish. The final Access Template links and their Trustee over the whole domain should look like the following:
Now any user in SEC_HelpdeskL2 has read/write access over the OU Test01 but read-only access over the rest of testlab.abc (substitute your own domain).
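Steps 6 to 10 can also be scripted and then audited. The following is an added example, not part of the original article; it assumes the Active Roles Management Shell module is installed, that the group, the OU and both access templates already exist, that Test01 sits directly under the domain root, and that each template name is unique.

```powershell
# Added example (not from the original article). Assumptions: the Active Roles
# Management Shell is installed and steps 1-5 were already done in the console.
Import-Module ActiveRolesManagementShell
Connect-QADService -Proxy | Out-Null    # connect to the Active Roles Administration Service

$domainDN = 'DC=testlab,DC=abc'         # replace with your domain
$ouDN     = "OU=Test01,$domainDN"       # assumption: OU is directly under the domain root

$group = Get-QADGroup -Name 'SEC_HelpdeskL2' -Proxy
if (@($group).Count -ne 1) { throw 'SEC_HelpdeskL2 not found or ambiguous' }

# One link per scope: read/write on the OU, read-only on the domain
$wanted = @(
    @{ Target = $ouDN;     Template = 'Read&Write_Test01_OU' },
    @{ Target = $domainDN; Template = 'ReadOnly_Testlab.abc_Domain' }
)

foreach ($w in $wanted) {
    $at = Get-QARSAccessTemplate -Name $w.Template
    if (@($at).Count -ne 1) { throw "Access template '$($w.Template)' not found or ambiguous" }

    # Skip if the link already exists, so re-running does not create duplicates
    $existing = Get-QARSAccessTemplateLink -DirectoryObject $w.Target `
                    -Trustee $group.DN -AccessTemplate $at.DN
    if (-not $existing) {
        Add-QARSAccessTemplateLink -DirectoryObject $w.Target `
            -Trustee $group.DN -AccessTemplate $at.DN | Out-Null
    }
}

# Audit: list every access template link where the group is the trustee.
# Exactly two links are expected; anything else grants more than this article intends.
$links = @(Get-QARSAccessTemplateLink -Trustee $group.DN)
$links | Format-List
if ($links.Count -ne 2) {
    Write-Warning "Expected 2 links for SEC_HelpdeskL2, found $($links.Count)"
}
```

The audit at the end is worth re-running periodically, since extra links added later to the same trustee would silently widen the helpdesk group's rights beyond Test01.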