Hello Alexandre,
Yes, there is a way to do this, but a Security Role alone is not enough to achieve the task. To do that, you need to create a Security Role and a Business Rule. The Security Role will allow users to create new user accounts, and the Business Rule will cancel the operation if a new user is created in an OU other than the users' own OU. To implement this:
I. Create Security Role that allows creating new user accounts
For information on how to create a Security Role that allows creating new user accounts, see the Grant Rights to Create Users Tutorial. On step 8, select All Objects.
II. Create Business Rule that cancels the operation
To create a Business Rule that cancels the operation if a new account is created in an OU other than the user's own Organizational Unit:

- Create a new Business Rule.
- On Step 2 of the Create Business Rule wizard, select User and Before Creating a User.
- On Step 3, add the Run a program or PowerShell script action and paste the following script:

    # %adm-InitiatorParentDN% is the DN of the OU containing the initiator's own account;
    # %adm-ParentDN% is the DN of the OU where the new user is about to be created.
    # Cancel the operation when the two OUs differ (case-insensitive comparison).
    if ("%adm-InitiatorParentDN%" -ine "%adm-ParentDN%")
    {
        $Context.Cancel("You are not allowed to create users outside your Organizational Unit") # TODO: Modify me
    }

- Enter a short description and click OK.
- On the final step, include All Objects in the Activity Scope.
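As an added example that is not part of the original answer, the script below extends the check above so that creating users in sub-OUs of the initiator's own OU is also permitted, while any other OU is still rejected. It assumes the same Adaxes value references (%adm-InitiatorParentDN%, %adm-ParentDN%) and $Context.Cancel() used in the original script; the DN suffix comparison is a plain string check and does not resolve DN escaping.

```powershell
# Added example, not from the original answer: Business Rule script that allows
# user creation in the initiator's own OU or any of its sub-OUs, and cancels otherwise.
# Assumes Adaxes resolves %adm-InitiatorParentDN% and %adm-ParentDN% before execution.

$initiatorOU = "%adm-InitiatorParentDN%"   # e.g. OU=Sales,DC=example,DC=com (resolved by Adaxes)
$targetOU    = "%adm-ParentDN%"            # OU in which the new user is being created

# Normalize for a case-insensitive comparison; DNs are not case-sensitive.
$initiatorLower = $initiatorOU.ToLowerInvariant()
$targetLower    = $targetOU.ToLowerInvariant()

# Same OU, or a sub-OU: a child container's DN ends with ",<parent DN>".
$isOwnOU = ($targetLower -eq $initiatorLower)
$isSubOU = $targetLower.EndsWith("," + $initiatorLower)

if (-not ($isOwnOU -or $isSubOU))
{
    # Cancelling here blocks the creation; the message is shown to the initiator.
    $Context.Cancel("You are not allowed to create users outside your Organizational Unit ($initiatorOU) or its sub-OUs")
}
```

If sub-OUs should not be allowed, keep the original exact-match comparison instead of the suffix check.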