OU Delegation Permissions Reports

4 Reports
About OU Delegation Permissions Reports

OU Delegation Permissions Reports audit the security permissions assigned to Organizational Unit objects in Active Directory. Review who has been delegated administrative control over OUs, including the ability to manage users, groups, computers, and other objects within each OU.

  • Delegation Auditing: Review all OU permissions
  • Inheritance Analysis: Inherited vs explicit rights
  • Full Control Detection: Find over-privileged access

Example: OU Delegation Permissions Reports in AD Reports


Available Reports

All Permissions

All delegation permissions on OUs. Provides a complete list of every permission entry on Organizational Unit objects, combining inherited and explicitly set permissions.

Use Cases
  • Full OU permission audit baseline
  • SOX / compliance access reviews
  • Privilege review before AD restructuring
  • Identify non-standard delegations
Key Information
  • OU Distinguished Name
  • Trustee (account or group)
  • Permission type (read/write/full)
  • Inheritance flag and object class scope
Tip: Include this report in quarterly access reviews to catch permission creep before it becomes a security risk.

Inherited Permissions

Inherited delegation permissions on OUs. Shows permissions that flow down from parent containers via the AD inheritance model.

Use Cases
  • Understand permission flow from parent OUs or domain root
  • Verify expected inheritance hasn't been broken
  • Establish permission baseline for new OU structures
Key Information
  • Source container (origin of the inherited permission)
  • Trustee account or group
  • Permission type
  • Propagation scope
Not Inherited (Explicit)

Explicitly set delegation permissions on OUs. These permissions were manually configured directly on OU objects, representing intentional administrative delegation decisions.

Use Cases
  • Detect custom delegations granted without documentation
  • Identify OUs with non-standard access models
  • Change tracking for compliance audits
Key Information
  • Trustee account or group
  • Explicit permission type
  • Object class restriction (user/computer/all)
  • OU Distinguished Name
Important: Explicit permissions take precedence over inherited ones and can be difficult to track. Audit these regularly to prevent privilege accumulation.

Full Control

Full Control delegation permissions on OUs. Identifies all accounts that have complete administrative control over OU objects and all child objects within them.

Use Cases
  • Identify accounts with unrestricted control over an OU's objects
  • Priority review for least-privilege enforcement
  • Detect privilege escalation risks
  • Tier 0 administrator access validation
Key Information
  • Trustee account name and type (user/group)
  • OU Distinguished Name
  • Applied-to scope (this object / all descendant objects)
  • Inheritance flag
Critical: Full Control over an OU means the trustee can create, modify, and delete all objects inside it. Limit this to Tier 0 administrator accounts only.