Delegate Object Creation when Full Exchange Admin Permission already applied

David Jenkins 946 Reputation points
2020-09-11T12:59:24.407+00:00

So I have a task of restricting Exchange Administrators' access to certain OUs. We have a forest, and the accounts reside in a sub domain of the forest root. In the sub domains the admins have full control. In the forest root they need access to create contacts only.

For the Exchange settings they have the permissions needed to carry out all their tasks in the sub domain, but it means they have the permissions in the root domain as well, since we use the built-in Exchange groups.

Using AD Delegation I've denied Full Control on User Objects for the domain, and it doesn't appear to block account creation. If I deny Read access to an OU they can't see it.

How would I go about restricting User account creation? What am I missing?


2 answers

  1. Thameur-BOURBITA 32,621 Reputation points
    2020-09-13T22:07:58.057+00:00

    Hi,

    Did you try creating a group in the root domain, setting the delegation for this group, and then adding the admin account from the child domain?

    The group scope in the root domain must be domain local to accept members from another domain.

    If this reply helps you fix your issue, please mark it as the answer.


  2. Hannah Xiong 6,241 Reputation points
    2020-09-14T03:24:22.063+00:00

    Hello,

    Thank you so much for posting here.

    We will mainly focus on the AD side, since we are not specialists in Exchange issues. In AD, if we would like to restrict user account creation for a certain user, we could try the steps below.

    1. Create the new OU and then add the specific user accounts to the OU.
    2. Right-click the OU and choose "Properties", then choose the "Security" tab.
    3. Select the "Advanced" button. For example:

    (screenshot: 24362-111.png)

    4. Select the "Add" button.

    (screenshot: 24363-112.png)

    5. Then, in the list of permission entries, add the users or groups that should not be allowed to create user accounts.
    In the "Type" box, select: Deny
    In the "Applies to" drop-down box, select: This object and all descendant objects

    6. Click "Clear all" and then check "Create User objects". For example:

    (screenshot: 24364-113.png)

    7. When the user tries to create a user account, "Access is denied" is shown. For example:

    (screenshot: 24372-114.png)

    Hope the information is helpful. Please check whether it helps to solve your issue. For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

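The two answers above combine into one scriptable change: a domain-local group in the root domain that holds the child-domain Exchange admin accounts (Thameur's suggestion), and an explicit Deny for "Create User objects" on the root-domain OU, applied to "This object and all descendant objects" (Hannah's steps 5 and 6). The following PowerShell is an added example, not code from the thread or from Microsoft; it uses the RSAT ActiveDirectory module, and every domain name, OU distinguished name, group name and account name in it is an assumption that has to be replaced with your own values.

```powershell
# Added example (not from the thread): deny "Create User objects" on a root-domain OU
# for a domain-local group that holds child-domain Exchange admin accounts.
# Requires the RSAT ActiveDirectory module and a session logged on to the root domain
# with rights to modify the OU's security descriptor. All names below are assumptions.
Import-Module ActiveDirectory

$rootDomain  = 'corp.example'                        # assumed forest root DNS name
$childDomain = 'child.corp.example'                  # assumed child domain holding the admins
$ouDn        = 'OU=Contacts,DC=corp,DC=example'      # assumed root-domain OU to protect
$groupName   = 'Deny-CreateUser-ExchangeAdmins'      # assumed name of the root-domain group
$groupPath   = 'CN=Users,DC=corp,DC=example'         # assumed container for that group
$childAdmins = @('exadmin1', 'exadmin2')             # assumed sAMAccountNames in the child domain

# 1. Only a domain-local group in the root domain can contain principals from the child domain.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" -Server $rootDomain
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal -GroupCategory Security `
                         -Path $groupPath -Server $rootDomain -PassThru
}
# Cross-domain members are resolved against a DC of the child domain and passed as objects.
$members = $childAdmins | ForEach-Object { Get-ADUser -Identity $_ -Server $childDomain }
Add-ADGroupMember -Identity $group -Members $members -Server $rootDomain

# 2. "Create User objects" is the CreateChild right limited to the schemaIDGUID of the
#    'user' class; look that GUID up rather than hard-coding it.
$schemaNc  = (Get-ADRootDSE -Server $rootDomain).schemaNamingContext
$userClass = Get-ADObject -SearchBase $schemaNc -Server $rootDomain `
                 -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
                 -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID

# Deny + CreateChild + user class + inheritance "All" = the GUI's
# "Deny / Create User objects / This object and all descendant objects".
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# 3. Write the ACE to the OU through the AD: PSDrive (assumes the session's default domain is the root).
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Check: an explicit (non-inherited) Deny for the group must exist on the OU and its
#    ObjectType must be the user class GUID, not an empty GUID (which would deny all child types).
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" -and $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType, IsInherited
```

Two points about why this works where the original attempt did not. Creating an account is governed by the Create Child right on the container (the OU or domain object), not by permissions on user objects: a Deny applied to "Descendant User objects" only affects user objects that already exist, which is why denying Full Control on user objects left creation possible. And because the Exchange role groups receive their Allow by inheritance from the domain head, an explicit Deny set directly on the OU takes precedence over that inherited Allow. If the requirement is "contacts only" for the whole root domain rather than one OU, the same ACE can be placed on the domain object (DC=corp,DC=example in the assumed names) instead of a single OU.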