Solved

Delegate control of an OU

Posted on 2003-12-11
3
5,785 Views
Last Modified: 2010-02-01
Hi all,
I want to create several OUs. I need to then create an account that has the rights to add/remove computers and reset or change passwords. I have looked at the delegation wizard but I am not sure this is what I want to do. Also, when you add a machine to the domain the default location is the Computers container. Is there a way to associate who is adding the computer account so that it only goes to the OU they have control over? This way I wouldn't have to check the default location and move computer accounts every morning.
Thanks for your help, I love this web site.

Ryan
Question by:RyanFair
3 Comments
LVL 57

Accepted Solution

by:
Pete Long earned 250 total points
ID: 9920727
Hi RyanFair,
One of Active Directory's (AD's) many benefits is that it’s easy for the network administrator to set up an administrator to manage a specific organizational unit (OU). If you haven’t already organized your users into OUs, consider doing so to make your network more manageable. When a client company has multiple office locations, I typically set up an OU for each office. In general, I prefer an AD design that's broad and shallow as opposed to narrow and deep. An OU administrator will have all the rights that the Administrator has, except the OU administrator will have those rights only for the designated OU. Complete the following steps to create an OU administrator on your network.
1. Create the OU (if you haven’t already done so)—Click Start, Programs, Administrative Tools, Active Directory Users and Computers to open the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. Right-click the domain (or desired location) and select New, Organizational Unit. I suggest establishing a naming convention for your OUs and anything else you create in AD.
2. Move Users to the new OU—As you know, new users are created in the Users container by default. If you already have users created in the Users container, you can move any of these users to the new OU. To do so, simply right-click the user, select Move, then select the desired OU. You can move multiple users at the same time by using Ctrl+click to select the appropriate users, then drag the selected users into the desired OU.
3. Create an OU Administrator User—Start Active Directory Users and Computers. Create a new user in the desired OU, and assign a password.
4. Create an OU Administrators Group in the OU—After doing so, make the OU administrator a member of that group. This approach follows the best practice of assigning rights to a group rather than an individual, then making the user a member of the group. This setup makes future management of the network easier. For example, if you need to grant an existing user OU administrator rights, you can simply make the user a member of the OU Administrators Group, rather than assign the rights individually. If you have a software vendor that must have administrator rights to the OU, you can create a temporary account and password, then add the vendor's account to OU Administrators Group. After the vendor completes the software installation, you can delete the account. This strategy lets the vendor install the software without giving away any administrator passwords. To create the OU Administrators Group, right-click the OU and select New, Group. Make sure to add the user you created in Step 3 to the group you just created.
5. Delegate control of the OU—Start Active Directory Users and Computers. Right-click the desired OU and select Delegate Control. Add the group you created in step 4, and grant the group the appropriate rights for the OU.
6. Delegate control of the Exchange OU—If you're running Microsoft Exchange Server 2000 or later, start the Exchange System Manager (ESM). Open the desired Administrative Group, right-click the group you created in Step 4, and select Delegate Control. Select the desired level of control; typically I set the delegated rights to Exchange Administrator. This approach will let members in the group created in Step 4 act as an Exchange Administrator for users located in a specific Exchange Administrative Group.
7. Grant the Log on Locally right to the domain controller (DC)—This step is necessary if you want to let a user log on to a server acting as a DC. In Active Directory Users and Computers, right-click the Domain Controllers OU. Select Properties, Group Policy, then select the Default Domain Controllers Policy and click Edit. Select Default Domain Controllers Policy, Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment, Log on Locally. Add the group you created in Step 4 to grant the Log on Locally right. Alternatively, you can install the Exchange System Administrator program (AdminPak.msi) on a workstation. To install the program, run setup from the Exchange Server 2003 or Exchange 2000 installation CD-ROM.
8. Refresh the machine policy—For Windows Server 2003 servers, open a command prompt and type

GPUpdate

For Windows 2000 servers, type

secedit /refreshpolicy machine_policy

9. Grant Win2K Server Terminal Services rights—Are you running Terminal Services in remote administration mode? If you want the local administrator to have Terminal Services Administrator access, click Start, Programs, Administrative Tools, Terminal Services Configuration. Right-click RDP-Tcp and select Properties. Click the Permissions tab and select the desired rights for the OU Administrators Group. Of course, you first must install the Terminal Services client on the workstation.

That’s it! After completing these steps, you’re well on your way to making your network easier to manage and more secure.
http://www.winnetmag.com/ActiveDirectory/Article/ArticleID/40820/ActiveDirectory_40820.html

PeteL
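Scripted equivalent of Step 5 for the two rights the question asks about (create/delete computer objects, reset user passwords), added here as an example and not part of Pete Long's answer. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the OU distinguished name and group name are placeholders for your own, and the OU admin group is the one created in Step 4.

```powershell
# Added example (not from the original post): delegate create/delete of computer
# objects and the "Reset Password" right on one OU to the OU Administrators group.
# Assumptions: ActiveDirectory module available; $OuDn and $GroupSam are placeholders.
Import-Module ActiveDirectory

$OuDn     = 'OU=Branch01,DC=example,DC=com'   # placeholder OU (Step 1)
$GroupSam = 'Branch01-OUAdmins'                # placeholder group (Step 4)

# Resolve the schema class and extended-right GUIDs from the forest instead of
# hardcoding them, so the script is correct for any forest.
$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

function Get-SchemaGuid([string]$Name) {
    $o = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$Name)" -Properties schemaIDGUID
    [guid]$o.schemaIDGUID
}
function Get-RightGuid([string]$Name) {
    $o = Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" -LDAPFilter "(displayName=$Name)" -Properties rightsGuid
    [guid]$o.rightsGuid
}
$computerClass = Get-SchemaGuid 'computer'
$userClass     = Get-SchemaGuid 'user'
$resetPassword = Get-RightGuid  'Reset Password'

$sid = (Get-ADGroup $GroupSam).SID
$acl = Get-Acl -Path "AD:\$OuDn"

# ACE 1: create and delete computer objects in this OU and any sub-OUs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'CreateChild,DeleteChild', 'Allow', $computerClass, 'All')))

# ACE 2: "Reset Password" extended right, scoped to user objects below the OU only,
# so the group gets no reset right on anything outside its delegated OU.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'ExtendedRight', 'Allow', $resetPassword, 'Descendents', $userClass)))

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Verify: show only the ACEs on the OU that name the OU admin group, so the
# delegated rights can be reviewed (and audited later) without the GUI wizard.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupSam" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType -AutoSize
```

The verification query at the end is also a useful periodic check: any ACE on the OU granting more than these two rights to the group is drift from the intended delegation.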
LVL 57

Expert Comment

by:Pete Long
ID: 9921254
ThanQ

Expert Comment

by:nlbouma
ID: 13322420
I'd like to know how to block the view of the entire AD. I just want to see the delegated OUs, and to exclude groups and users in other OUs.
You can see the complete AD when moving users to a sub-OU or when using Find, even when you're using task view.