Permit an AD user to read user objects only from a particular OU

Hi Everyone,

I am very new to PowerShell. I have the below business requirement and I need your help with it.

We have an AD server and there are 1000+ users in it. I want to create a user who can read users and groups inside a particular OU only.

Any help is appreciated.

Default permissions in Active Directory are read access for everyone to the entire directory. Create a new user and you will be able to run most or all GET commands. This is how the directory is designed, so that you can see Distribution Lists and other components. Also, before you get any ideas about changing permissions, do a ton of research and you'll most likely still have downstream impacts on applications that expect a user to have read-only permissions to the directory.

True story. I was working at a company for a couple of months and was told to prepare for a SOX audit in a couple of weeks. I audited a domain that had 15k accounts that no one had logged on with for 90+ days. To my surprise, I looked at the description and it had passwords stored in the attribute, and to make it even worse, all of the accounts were set to password never expires. This wasn't just on the 15k unused accounts, it was on the bulk of ALL of the accounts. This is when I explained to the VP of IT that we had a bit of work to do.
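Two checks a practitioner would run before touching OU permissions, as an added example (not code from Rob or the original post): first, list who already holds read-type rights on the OU, which with the default ACL shows the "everyone can read" behaviour described above; second, report the audit finding from the story (inactive accounts with PasswordNeverExpires, and whether the Description attribute is populated). It assumes the RSAT ActiveDirectory module is installed and that the OU distinguished name in $OuDn is replaced with a real one; nothing in the directory is modified.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module
# (RSAT); the AD: PSDrive it creates is used for the ACL lookup.
Import-Module ActiveDirectory

# Placeholder OU distinguished name; replace with the real OU.
$OuDn = 'OU=Example,DC=corp,DC=example'

# 1. Who can read objects in this OU? With the default ACL you will see
#    Authenticated Users (and inherited entries such as Pre-Windows 2000
#    Compatible Access) holding GenericRead / ReadProperty / ListChildren.
#    Removing those rights is what breaks the applications Rob mentions,
#    so review this list before changing anything.
$acl = Get-Acl -Path "AD:\$OuDn"
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights -match 'GenericRead|ReadProperty|ListChildren|GenericAll'
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 2. The audit finding from the story: user accounts nobody has logged on
#    with for 90+ days that also have PasswordNeverExpires set. The
#    Description attribute is only flagged as populated (never printed),
#    since the story shows it can contain stored passwords.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Get-ADUser -Properties PasswordNeverExpires, Description, LastLogonDate

$stale |
    Where-Object { $_.PasswordNeverExpires } |
    Select-Object SamAccountName, Enabled, LastLogonDate,
        @{ n = 'DescriptionPopulated'
           e = { -not [string]::IsNullOrWhiteSpace($_.Description) } } |
    Export-Csv -Path .\stale-password-never-expires.csv -NoTypeInformation
```

The CSV is a report only; remediation (disabling stale accounts, clearing the Description attribute, unsetting PasswordNeverExpires) should be a separate, reviewed change.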

Hi Rob,

Thanks for the information.