When you are creating a new custom Admin Role in your Admin Console and you need to know which Privileges can be limited to specific OUs and which cannot.
Domain wide privileges, meaning that they cannot be limited to take effect on specific Organizational Units.
- Settings Privileges
- Domain Settings
- Security - Only allowing access for less secure apps is the only setting that can be limited to specific OUs
- Services Privileges
- Google Meet Hardware
All the other Privileges they can be limited to specific OUs, you just need to create the role by selecting privileges you want to grant to the custom admin, then you need to assign a user to that role, when you select the user you will that the role will take effect on the whole organization by default, if you click on the blue letters you will be shown with the OU tree so you can select which OU or Sub OU this role will be assigned to.