Organizational Unit Owner Role

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

The forest owner designates an OU owner for each OU that you design for the domain. OU owners are data managers who control a subtree of objects in Active Directory. OU owners can control how administration is delegated, and how policy is applied to objects within their OU. They can also create new subtrees and delegate administration of OUs within that subtree.

Because OU owners do not own or control the operation of the directory service, you can separate ownership and administration of the directory service from ownership and administration of objects, thereby reducing the number of service administrators who have high levels of access.

OUs provide administrative autonomy and the means to control visibility of objects in the directory. OUs provide isolation from other data administrators, but they do not provide isolation from service administrators. Although OU owners have control over a subtree of objects, the forest owner retains full control over all subtrees. This enables the forest owner to correct mistakes, such as an error in an access control list (ACL), or to reclaim delegated subtrees when data administrators are terminated.
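The delegation an OU owner configures is recorded as explicit access control entries (ACEs) on the OU, which is what the forest owner reviews when checking for an ACL error or reclaiming a subtree. The following script is an added example and is not part of the original page or of any Microsoft tooling. It assumes the ActiveDirectory PowerShell module (shipped with RSAT on Windows Server 2008 R2 and later, not on Windows Server 2003) is installed; the OU distinguished name and the list of approved principals are placeholders to replace with your own values.

```powershell
# Added example (not from the original page): list the explicit ACEs on an OU and
# flag any that grant rights to a principal the forest owner did not approve.
# Assumes the ActiveDirectory module (RSAT); OU path and approved list are placeholders.
Import-Module ActiveDirectory

function Get-OUDelegationReport {
    param(
        [Parameter(Mandatory)] [string]   $OuDistinguishedName,
        [Parameter(Mandatory)] [string[]] $ApprovedPrincipals
    )

    # The AD: PSDrive exposes directory objects so Get-Acl can read their security descriptor.
    $acl = Get-Acl -Path ("AD:\" + $OuDistinguishedName)

    foreach ($ace in $acl.Access) {
        # Inherited ACEs come from parent containers (the forest owner's design);
        # delegation performed on this OU appears as explicit (non-inherited) ACEs.
        if ($ace.IsInherited) { continue }

        $identity = $ace.IdentityReference.Value   # may be a raw SID if the account no longer resolves

        [pscustomobject]@{
            OU              = $OuDistinguishedName
            Identity        = $identity
            Rights          = $ace.ActiveDirectoryRights
            Type            = $ace.AccessControlType
            InheritanceType = $ace.InheritanceType
            Approved        = ($ApprovedPrincipals -contains $identity)
        }
    }
}

# Placeholders: the OU under review and the principals the forest owner intended to delegate to.
# Every new OU also carries the explicit ACEs stamped from the organizationalUnit class's
# defaultSecurityDescriptor (SYSTEM, Domain Admins, Account Operators, and so on), so either
# include those here or compare against the report for a freshly created reference OU.
$ou       = 'OU=Sales,DC=example,DC=test'
$approved = @(
    'EXAMPLE\Sales OU Owners',
    'EXAMPLE\Domain Admins',
    'EXAMPLE\Enterprise Admins',
    'NT AUTHORITY\SYSTEM'
)

$report = Get-OUDelegationReport -OuDistinguishedName $ou -ApprovedPrincipals $approved
$report | Sort-Object Approved, Identity | Format-Table -AutoSize

# Explicit ACEs held by anyone outside the approved list are the "error in an ACL" case the
# text describes; an identity shown as an unresolved SID usually means a deleted delegate.
$report | Where-Object { -not $_.Approved } | ForEach-Object {
    Write-Warning ("Unexpected explicit ACE on {0}: {1} -> {2} ({3})" -f $_.OU, $_.Identity, $_.Rights, $_.Type)
}
```

Because the forest owner retains full control over every subtree, the same account that runs this report can correct a flagged entry with Set-Acl against the same AD: path, or remove the OU owner's delegation entirely when a data administrator leaves; run the report from an account in the forest owner's role rather than from the OU owner's, so the review does not depend on the permissions being reviewed.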