'OUs Full Control' access template also grants full permissions to create other objects (users, groups…) (4281883)

You may have noticed that 'OUs   Full Control' access template also grants full permissions to create other objects (users, groups…), instead of OU containers only.

The 'OUs   Full Control' access template’s description is misleading, as it states only OU objects/containers are to be managed.

This is by design. Active Roles by default grants ‘Full Control’ (Generic All) on root as well as descendant level objects. ‘Full Control’ by default (natively as well) involves creation of all child objects (user, groups, OUs etc.) and it exposes this via ADUC object creation menu (right-click).

An enhancement request (TF00712820) has been created detailing the feature ("OUs - Full Control" AT to be revisited to vet ambiguity). The product team will evaluate the request and this may be corrected on a future release of the product.

STATUS

The product team will evaluate the request and this feature may become available on a future release of the product.

Please refer to this article for updates or contact support referencing the Enhancement Request ID: TF00712820.