How to manage OUs

"An Organizational Unit (OU) in Active Directory is like a folder used to organize users, groups, computers, and other objects within a domain. OUs help structure the network logically, often by department, location, or function. They make it easier to manage and apply policies, such as security settings or software installations, to specific groups of objects. By using OUs, administrators can delegate control, improve organization, and simplify management without affecting the entire domain."

Creating one is really easy, and moving objects into it is also straightforward. We first open ADUC and right-click our domain container.

I'll name this one "Restricted Administrators", where I'll place sensitive accounts that are members of Server Operators, Backup Operators and Account Operators. I'll move three users over to the new OU, just by cutting and pasting. Since it is a sensitive OU, I'll remove the right for Authenticated Users to read it. This way, enumeration should be way harder.

We can delegate control to a trusted group (like infrastructure managers), which will be allowed to, for example, create, delete and manage user accounts inside the OU.
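The same four steps (create the OU, move the accounts, strip the Authenticated Users read ACEs, delegate user management to a group) can be scripted with the ActiveDirectory module. The block below is an added example, not code from the original post; the group name "Infrastructure Managers" and the three sAMAccountNames are constructed placeholders, and the script assumes it runs as an account that can modify the OU's security descriptor.

```powershell
# Added example (not from the original post). Names are constructed placeholders.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$ouName   = "Restricted Administrators"
$ouDN     = "OU=$ouName,$domainDN"
$delegate = "Infrastructure Managers"                    # assumed: an existing group
$accounts = @("svc-backup", "ops-admin1", "acct-admin1") # constructed sAMAccountNames

# Schema GUID of the 'user' object class (same in every forest)
$userClassGuid = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"

# 1. Create the OU, protected from accidental deletion
if (-not (Get-ADOrganizationalUnit -Filter "distinguishedName -eq '$ouDN'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Move the sensitive accounts into the OU (the cut-and-paste step in ADUC)
foreach ($sam in $accounts) {
    Get-ADUser -Identity $sam | Move-ADObject -TargetPath $ouDN
}

# 3. Remove the explicit ACEs that grant Authenticated Users (S-1-5-11) read on the OU
$acl = Get-Acl -Path "AD:\$ouDN"
$authUsersSid = [System.Security.Principal.SecurityIdentifier]"S-1-5-11"
$toRemove = @($acl.Access | Where-Object {
    -not $_.IsInherited -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsersSid
})
foreach ($ace in $toRemove) { [void]$acl.RemoveAccessRuleSpecific($ace) }

# 4. Delegate "create, delete and manage user accounts": create/delete child objects
#    of class user on the OU, plus full control over every descendant user object
#    (the latter is what BloodHound reports as GenericAll on the moved users)
$delegateSid = (Get-ADGroup -Identity $delegate).SID
$createDelete = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $delegateSid,
    [System.DirectoryServices.ActiveDirectoryRights]"CreateChild, DeleteChild",
    [System.Security.AccessControl.AccessControlType]::Allow,
    $userClassGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$fullControlUsers = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $delegateSid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControlUsers)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# 5. Verify: no Authenticated Users ACE should remain on the OU, and the delegate
#    group should hold an inherited GenericAll on each moved user
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*Authenticated Users*" }   # expect no output
foreach ($sam in $accounts) {
    $userDN = (Get-ADUser -Identity $sam).DistinguishedName
    (Get-Acl -Path "AD:\$userDN").Access |
        Where-Object { $_.IdentityReference -like "*$delegate" -and $_.ActiveDirectoryRights -eq "GenericAll" } |
        Select-Object @{ n = "User"; e = { $sam } }, IdentityReference, ActiveDirectoryRights, IsInherited
}
```

Step 3 only removes ACEs set directly on the OU; anything inherited from the domain root (for example entries for the Pre-Windows 2000 Compatible Access group, which often contains Authenticated Users) is left in place, so it is worth listing the remaining ACEs and then re-running BloodHound as a low-privileged account to confirm the OU's contents really are no longer enumerable. Note also that the moved accounts remain members of Server Operators, Backup Operators and Account Operators, and the member attribute of those groups is still readable, so the accounts' DNs can still be learned from the group side even when the OU itself is hidden.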

Running BloodHound should now reveal the following:

Since the group can manage users inside the OU, it now has GenericAll over them. Note that we could also move computers into this OU, but it's not realistic to move computers into an admin's OU.

Written by ruycr4ft
