Can I configure DRA so Assistant Admins can only create sub-OUs in child OUs, and not in the parent (NETIQKB28189)

goal
Can I configure DRA so Assistant Admins can only create sub-OUs in child OUs, and not in the parent OU?

goal
How do I create an ActiveView so Assistant Admins can create sub-OUs under a child OU only?

fact
Directory and Resource Administrator 6.x

fact
Directory and Resource Administrator 7.x

fix

If you have a parent OU with child OUs and you want to delegate the ability for Assistant Admins to create sub-OU containers only in the child OU, you can create an ActiveView that only allows Assistant Admins to create sub-OU containers in the child OU.

To delegate the ability to create sub-OUs only in a child OU in DRA 6.x:

1. Log on to a computer where you have installed the DRA MMC console with an Assistant Admin account with the Built-in Security role.
2. Open the DRA MMC console.
3. Expand ActiveView management.
4. Select ActiveViews, and then click New.
5. Type in a name for the ActiveView, and then click Finish.
6. On the Add objects window, in the Which objects do you want to include in this ActiveView area, select Include OU, and then click Next.
7. On the Add objects window, in the From where to you want to select objects for this ActiveView area, select in specific domain.
8. In the Rule Description area, select the domain, and then click OK.
9. Click Next.
10. On the Add objects window, in the What are the criteria for this object area, select Specific OU.
11. In the Rule Description area, select the OU, and then click OK.
12. Click Next.
13. On the Add objects window, in the Which type of members are managed by this rule area, select the OUs check box, and then click Next.
14. On the Add objects window, in the Add any restrictions area, deselect all options, and then click Next.
15. Type a name for the rule, and then click Finish.
16. In the What would you like to do next? window, click Assign Assistant Admins.
17. Click Add Users.
18. Select the user from the list, and then click Add.
19. Click OK, and then click Next.
20. Click Add Powers.
21. Expand the Organizational Units node, and then expand the Create an OU node.
22. Select the All Properties - Create an OU power, and then click Add.
23. Click Next.
24. Click Finish.

To delegate the ability to create sub-OUs only in a child OU in DRA 7.x:

1. Log on to a computer where you have installed the Delegation and Configuration console with an Assistant Admin account with the Manage Security Model role.
2. Open the Delegation and Configuration console.
3. Expand Delegation Management.
4. On the Tasks menu, select NewActiveView.
5. Click Next.
6. Click Add, and then select Objects that match a rule.
7. Select Organizational Units.
8. Click Any OU, and then select Specific OU.
9. Select the desired OU.
10. Click OK.
11. Right-click the selected OU, and then click Manage Specific Object Types in OU.
12. Ensure only the Organizational Units check box is selected. Clear all other check boxes.
13. Click OK.
14. Click OK.
15. Click Next.
16. Type a name and description for the ActiveView.
17. Click Next.
18. On the Summary window, ensure the I want to delegate po.
    wer over this ActiveView after I finish this wizard check box is selected.
19. Click Finish.
20. On the Welcome to the Delegation Wizard window, click Next.
21. Click Add, and then select Users.
22. Type the name of the desired user in the text box, and then click Find Now.
23. Select the user, and then click Add.
24. Click OK, and then click Next.
25. On the specify Roles and Powers window, click Add, and then select Powers.
26. In the text box, type Create OU, and then click Find Now.
27. Select Create OU and Modify All Properties, and then click Add.
28. Click OK.
29. Click Finish.

.

Formerly known as NETIQKB28189