diff --git a/ucs-school-ldap-acls-master/65ucsschool b/ucs-school-ldap-acls-master/65ucsschool
index 38b2baa86..6ce2d05c9 100644
--- a/ucs-school-ldap-acls-master/65ucsschool
+++ b/ucs-school-ldap-acls-master/65ucsschool
@@ -281,6 +281,14 @@ access to dn.regex="^(.+,)?cn=(users|kerberos|computers),@%@ldap/base@%@$$"
 	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
 	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
 	by * +0 break
+
+# Schulserver duerfen die Passwoerter aller globalen Non-School-OU-Objekte replizieren
+access to dn.regex="^(.+,)?ou=([^,]+),@%@ldap/base@%@$$" filter="(!(objectClass=ucsschoolOrganizationalUnit))"
+	by group/univentionGroup/uniqueMember="cn=DC-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+	by group/univentionGroup/uniqueMember="cn=Member-Verwaltungsnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+	by group/univentionGroup/uniqueMember="cn=DC-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+	by group/univentionGroup/uniqueMember="cn=Member-Edukativnetz,cn=ucsschool,cn=groups,@%@ldap/base@%@" +rscxd
+	by * +0 break
 """
 
 print replace_ucr_variables(aclset)