Limiting admin privileges on certain OUs

1. At work, I have administrative privileges to only certain OUs. Other network administrators (from different organizations) take care of the other OUs. How do you limit it in Active Directory so that only certain Network Admins have admin rights to OUs?

2. Do you have to be a domain admin in order to be able to create/delete/move users? I am able to do this, but I am not sure if I'm a domain admin or not...

Thanks
Asked by: dissolved

WeHe Commented:
You can delegate rights for each OU.
Open AD Users & Computers.
Activate View -> Advanced Features.
Right-click any OU -> Properties -> Security.

But you should use the "Delegate Control" Wizard to grant rights on OUs.
It's much easier and meets most needs.

WeHe Commented:
2) The rights to create/delete/change objects (users) are set there too.

Debsyl99 Commented:
Hello again Dissolved,

1) For your answer to question 1, I expect that the following may be involved:
HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;315676&sd=tech
Delegation of Control
http://www.winnetmag.com/Windows/Article/ArticleID/22555/22555.html
2) For your answer to question 2: No, you don't, but if you aren't a member of Domain Admins then I think that you need this right to be delegated to you. I am not at my domain right now so cannot answer authoritatively right now - more off the top of my head - but the tool below should tell you which security groups you are a member of on a W2K domain. You may then be able to query Active Directory as to the permissions that apply to OUs etc. for security/control on the groups that you are a member of.
Gpresult.exe: Group Policy Results
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Deb :))

dissolved (Author) Commented:
Thanks. So I think I probably am just delegated rights to create/delete users for my OU. I cannot create GPO objects, so that tells me that I am probably not a domain admin.

By the way, how do you remove the delegation once you add it?

WeHe Commented:
> By the way, how do you remove the delegation once you add it?
You reset the permissions by deleting all rights and switching on inheritance from parent.

Debsyl99 Commented:
In pretty much the same way you created it - you just log in with domain admin or the relevant permission-assigned login and delete/amend the permissions from the OU that you delegated the permissions to. I am fortunate in that I'm the Enterprise Admin - but if your admins are anything like me, they will be ultra-protective and careful about what you can and can't do unless they really really really trust you. It's really sad I know.....

Debsyl99 Commented:
Wehe - I think that I just need to set my watch about two minutes faster than it is already - what do you think?    ;-))

dissolved (Author) Commented:
Sorry, but I cannot find out how to amend the permissions once I delegated the duties? Do I click ACTION > DELEGATE CONTROL and amend it that way?

WeHe Commented:
Open the Security tab in Properties of the OU.
Click on any username and press the "Del" key.

WeHe Commented:
Debsyl99 - shall I wait a minute, next time? :)
Wow. 415 participated questions and 400 answers?

WeHe Commented:
btw, after deleting all, click on "advanced".
check "Allow inheritable permissions from the parent ....." -> Ok
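
An added example (not part of the thread and not code from any poster): the explicit, non-inherited ACEs on an OU are what Delegate Control writes and what the Security tab steps above delete. The PowerShell below parses a constructed SDDL string for a hypothetical OU, so it runs without a domain; the SIDs and the function name `Get-OuDelegationSummary` are assumptions made for illustration.

```powershell
# Added example: separate delegated (explicit) ACEs from inherited ones
# in an OU security descriptor. The SDDL is constructed sample data.
Add-Type -AssemblyName System.DirectoryServices

$domainSid = 'S-1-5-21-1111111111-2222222222-3333333333'  # placeholder domain SID
$userClass = 'bf967aba-0de6-11d0-a285-00aa003049e2'        # schemaIDGUID of the user class
$full      = 'CCDCLCSWRPWPDTLOCRSDRCWDWO'                  # full control, spelled out

# D:AI = DACL that accepts inherited ACEs from the parent. Three ACEs:
#   1. explicit: create/delete user objects, for RID 1105 (hypothetical OU admin group)
#   2. explicit: full control of descendant user objects, same group
#   3. inherited (ID flag): full control for Domain Admins (RID 512)
$sddl = 'D:AI' +
        "(OA;CI;CCDC;${userClass};;${domainSid}-1105)" +
        "(OA;CIIO;${full};;${userClass};${domainSid}-1105)" +
        "(A;CIID;${full};;;${domainSid}-512)"

function Get-OuDelegationSummary {
    param([Parameter(Mandatory)][string]$Sddl)

    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)
    $sidType = [System.Security.Principal.SecurityIdentifier]

    [pscustomobject]@{
        # True when "Allow inheritable permissions from the parent" is unchecked
        InheritanceBlocked = $sd.AreAccessRulesProtected
        # GetAccessRules(includeExplicit, includeInherited, targetType)
        ExplicitAces       = @($sd.GetAccessRules($true,  $false, $sidType))
        InheritedCount     = @($sd.GetAccessRules($false, $true,  $sidType)).Count
    }
}

$summary = Get-OuDelegationSummary -Sddl $sddl
$summary | Select-Object InheritanceBlocked, InheritedCount | Format-List

# Each explicit ACE is a delegation to review: who, which rights, on which object class.
$summary.ExplicitAces |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritedObjectType, InheritanceType |
    Format-List
```

On a domain-joined host with the ActiveDirectory module loaded, the `Sddl` property of `Get-Acl` run against the OU's `AD:\` path supplies a real descriptor in place of the constructed one.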

dissolved (Author) Commented:
Not seeing a Security Tab. When I right click on the OU I delegated, I choose properties.

That reveals 3 tabs:  GENERAL , MANAGED BY, and GROUP POLICY

Debsyl99 Commented:
Wehe - Lol yes and give me a fighting chance ;-)) (Actually it's 404/416 but I am tremendously flattered that you checked and noticed - What can I say? I am a female geek with a British accent).

Unfortunately  I'm not at my domain right now so if you can give a step-by-step walk-through Wehe, then by all means take it from here. My memory is pretty good, but it ain't THAT good - Don't forget to mention task-pad views etc if you get a chance - uneducated users can cope with them much better ;-))

WeHe Commented:
you have to activate: View -> Advanced Features on the menu of your mmc

Debsyl99 Commented:
Good luck guys - I'll check-in in the morning and offer assistance if it's required - looks like maybe you'll have it resolved by then though,
Best wishes to you both
Deb :))

dissolved (Author) Commented:
thanks!  Thanks Debsyl99!  

Debsyl99 Commented:
Thanks - you did get your solution then Dissolved? My email has been beeping so quickly I lost track!

Wehe - Nice to work with you ;-)) - Catch you both again no doubt,

Deb x

dissolved (Author) Commented:
Yes, got the solution. Thanks again to both of you.

Debsyl99 Commented:
That's most good :)) I'll no doubt catch you again, but I am leaving you positive feedback for being extremely good to work with - If you feel like doing the same for us both (me and Wehe) we will be eternally grateful - by assisting you as much as possible in the future, if and when we can :))
Deb :))

Debsyl99 Commented:
Hi Dissolved,
Check out your feedback in your profile - thanks again - You are an example of the perfect Author!
Take care and all the best,
Deb :))

WeHe Commented:
Thanks for fast interaction. Nice to see a fast solution delivery :)
I agree with Debsyl on leaving a positive feedback, even if I can't say it in such a nice manner.

Debsyl99 Commented:
lol - I beat you on one thing tonight then Wehe? Because it certainly wasn't keyboard speed ;-)) Be seeing you both :-))