arrowtech

Delegate Control of an OU to create/delete contacts only

Hello,

In Active Directory I want to give a user access to a particular Organisational Unit (OU) so they can only add/remove/modify contacts and contacts only. I've gone through the "Delegate Control" wizard of the OU, added the user I want to be able to modify the OU, selected "Create a custom task to delegate". Next I gave the delegate control of "Only the following objects" for "Contact Objects". I've ticked the "Create/Delete selected objects in this folder" and gave the user full control and finished it.

The question I have is while logged in as that delegated user I can also create domain user accounts. The delegated user cannot add user accounts to the domain/enterprise administrators group which is good but I don't want them to be able to create any type of user account.

If you have any insight it would be much appreciated.

Thanks
Arrowtech
MrNetworker

You might need to downgrade this full control you gave to the user and granularly assign the permissions.
ASKER CERTIFIED SOLUTION
Pber
This solution is only available to members.
arrowtech

ASKER

Thanks Pber.

The other thing which I found I needed to do was, because the user needs the Exchange System Management tools installed on the workstation, they required permission on Exchange as well. So in Exchange System Manager if you right-click the root (server name) and select "Delegate Control" and give the user "Exchange View Only Administrator", this will be adequate for the user to make changes to the OU you specify.

Thanks again.
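
One way to check what a delegation like the one in the question actually grants on the OU, as an added example that is not part of the original thread. It assumes the RSAT ActiveDirectory module is installed; `$OuDn` and `$Delegate` are constructed placeholders, and only ACEs held directly by the named account are listed (group memberships are not followed).

```powershell
# Added example: list create/delete-child ACEs held directly by one delegate on an OU.
# $OuDn and $Delegate are constructed placeholders, not values from the thread.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$OuDn     = 'OU=Contacts,DC=example,DC=com'
$Delegate = 'EXAMPLE\contact-admin'

$ContactGuid = [guid]'5cb41ed0-0e4c-11d0-a286-00aa003049e2'  # schemaIDGUID of class "contact"
$AnyGuid     = [guid]::Empty                                  # ACE not limited to one class

# Map schemaIDGUID -> class name so ACEs can be read by name.
$classes = @{}
Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
    -LDAPFilter '(objectClass=classSchema)' -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $classes[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

function Resolve-ClassName([guid]$Guid) {
    if ($Guid -eq $AnyGuid) { return '<any class>' }
    if ($classes.ContainsKey($Guid)) { return $classes[$Guid] }
    return $Guid.ToString()
}

$adr  = [System.DirectoryServices.ActiveDirectoryRights]
$mask = [int]($adr::CreateChild -bor $adr::DeleteChild)  # both bits are also set in GenericAll

(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object {
        $_.IdentityReference.Value -eq $Delegate -and
        $_.AccessControlType -eq 'Allow' -and
        ([int]$_.ActiveDirectoryRights -band $mask)
    } |
    ForEach-Object {
        # InheritOnly ACEs apply to descendant objects, not to creating children of the OU itself.
        $inheritOnly = [bool]($_.PropagationFlags -band
            [System.Security.AccessControl.PropagationFlags]::InheritOnly)
        $scope = 'this OU'
        if ($inheritOnly) { $scope = 'descendant ' + (Resolve-ClassName $_.InheritedObjectType) }
        [pscustomobject]@{
            Rights        = $_.ActiveDirectoryRights
            ChildClass    = Resolve-ClassName $_.ObjectType
            AppliesTo     = $scope
            # True when the ACE lets the delegate create/delete something other than contacts in the OU.
            BeyondContact = (-not $inheritOnly) -and ($_.ObjectType -ne $ContactGuid)
            Inherited     = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

Rows with `BeyondContact` set to `True` are the entries to review when the delegate can create more than contacts.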