Limiting admin privileges on certain OUs

1. At work, I have administrative privileges to only certain OUs. Other network administrators (from different organizations) take care of the other OUs. How do you limit it in Active Directory so that only certain Network Admins have admin rights to OUs?


2. Do you have to be a domain admin in order to be able to create/delete/move users? I am able to do this, but I am not sure if I'm a domain admin or not...

Thanks
dissolvedAsked:

WeHeCommented:
you can delegate rights for each OU.
open AD Users & Computers
Activate View -> Advanced Features.
right click any OU -> Properties -> Security.

But you should use the "Delegate Control" Wizard to grant rights on OUs.
It's much easier and meets most needs.
0

WeHeCommented:
2) the rights to create/delete/change objects (users) are set there too.
0
Debsyl99Commented:
Hello again Dissolved,

1) For your answer to question 1, I expect that the following may be involved:
HOW TO: Delegate Administrative Authority in Windows 2000
http://support.microsoft.com/default.aspx?scid=kb;en-us;315676&sd=tech
Delegation of Control
http://www.winnetmag.com/Windows/Article/ArticleID/22555/22555.html
2) For your answer to question 2) - No, you don't, but if you aren't a member of domain admins then I think that you need this right to be delegated to you. I am not at my domain right now so cannot answer authoritatively right now - more off the top of my head, but the tool below should tell you which security groups you are a member of on a w2k domain. You may then be able to query active directory as to the permissions that apply to OUs etc for security/control on the groups that you are a member of.
Gpresult.exe: Group Policy Results
http://www.microsoft.com/windows2000/techinfo/reskit/tools/existing/gpresult-o.asp

Deb :))
0

dissolvedAuthor Commented:
Thanks. So I think I probably am just delegated rights to create/delete users for my OU. I cannot create GPO objects so that tells me that I am probably not a domain admin.

By the way, how do you remove the delegation once you add it?
0
WeHeCommented:
> By the way, how do you remove the delegation once you add it?
you reset the permissions by deleting all rights and switching on inheritance from parent.
0
Debsyl99Commented:
In pretty much the same way you created it - you just login with domain admin or the relevant permission-assigned login and delete/amend the permissions from the OU that you delegated the permissions to. I am fortunate in that I'm the Enterprise Admin - But if your admins are anything like me, they will be ultra-protective and careful about what you can and can't do unless they really really really trust you. It's really sad I know.....



0
Debsyl99Commented:
Wehe - I think that I just need to set my watch about two minutes faster than it is already - what do you think?    ;-))
0
dissolvedAuthor Commented:
Sorry, but I cannot find out how to amend the permissions once I delegated the duties? Do I click ACTION > DELEGATE CONTROL and amend it that way?
0
WeHeCommented:
open the security tab in properties of the OU
click on any username and press "del" key.
0
WeHeCommented:
Debsyl99 - shall i wait a minute, next time? :)
Wow. 415 participated questions and 400 answers?
0
WeHeCommented:
btw, after deleting all, click on "advanced".
check "Allow inheritable permissions from the parent ....." -> Ok
0
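The delegate, review and remove steps discussed in this thread, done from the command line instead of the Security tab. This is an added example, not part of the original posts; it assumes a current domain-joined Windows host with PowerShell and `dsacls.exe` (AD DS tools) installed, and the OU path and group name are hypothetical placeholders.

```powershell
# Added example: scripted equivalent of the GUI steps in the thread.
# $ou and $group are hypothetical; replace them with your own values.
$ou    = 'OU=Branch1,DC=example,DC=com'
$group = 'EXAMPLE\Branch1-Admins'

function Invoke-Dsacls {
    # Run dsacls.exe and stop on a non-zero exit code so a failed
    # ACL change is never silently ignored.
    param([string[]]$Arguments)
    $output = & dsacls.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dsacls failed ($LASTEXITCODE): $($output -join "`n")"
    }
    $output
}

# 1. Check whether the current account is in a domain-wide admin group.
#    No match means any rights you hold on an OU were delegated.
whoami /groups | Select-String -Pattern 'Domain Admins|Enterprise Admins'

# 2. Delegate: let the group create and delete user objects in the OU
#    (CC/DC limited to the user class), then give it full control (GA)
#    over user objects below the OU only (/I:S = sub-objects only).
Invoke-Dsacls @($ou, '/I:T', '/G', "${group}:CCDC;user")
Invoke-Dsacls @($ou, '/I:S', '/G', "${group}:GA;;user")

# 3. Review: list the ACL and show only the entries naming the group.
Invoke-Dsacls @($ou) | Select-String -SimpleMatch $group

# 4. Remove the delegation: /R deletes every ACE for that group on the OU
#    and leaves other trustees' entries untouched.
Invoke-Dsacls @($ou, '/R', $group)

# 5. Re-enable inheritance from the parent (/P:N = object not protected),
#    the command-line form of the "Allow inheritable permissions" checkbox.
Invoke-Dsacls @($ou, '/P:N')

# 6. Confirm nothing is left for the group (expect no output).
Invoke-Dsacls @($ou) | Select-String -SimpleMatch $group
```

Delegating to a group rather than to individual accounts keeps step 4 a single removal and makes the OU's ACL easier to audit.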
dissolvedAuthor Commented:
Not seeing a Security Tab. When I right click on the OU I delegated, I choose properties.

That reveals 3 tabs:  GENERAL , MANAGED BY, and GROUP POLICY
0
Debsyl99Commented:
Wehe - Lol yes and give me a fighting chance ;-)) (Actually it's 404/416 but I am tremendously flattered that you checked and noticed - What can I say? I am a female geek with a British accent).

Unfortunately  I'm not at my domain right now so if you can give a step-by-step walk-through Wehe, then by all means take it from here. My memory is pretty good, but it ain't THAT good - Don't forget to mention task-pad views etc if you get a chance - uneducated users can cope with them much better ;-))
0
WeHeCommented:
you have to activate: View -> Advanced Features on the menu of your mmc
0
Debsyl99Commented:
Good luck guys - I'll check-in in the morning and offer assistance if it's required - looks like maybe you'll have it resolved by then though,
Best wishes to you both
Deb :))
0
dissolvedAuthor Commented:
thanks!  Thanks Debsyl99!  
0
Debsyl99Commented:
Thanks - you did get your solution then Dissolved? My email has been beeping so quickly I lost track!

Wehe - Nice to work with you ;-)) - Catch you both again no doubt,

Deb x
0
dissolvedAuthor Commented:
Yes, got the solution. Thanks again to both of you.
0
Debsyl99Commented:
That's most good :)) I'll no doubt catch you again, but I am leaving you positive feedback for being extremely good to work with - If you feel like doing the same for us both (me and Wehe) we will be eternally grateful - by assisting you as much as possible in the future, if and when we can :))
Deb :))
0
Debsyl99Commented:
Hi Dissolved,
Check out your feedback in your profile - thanks again - You are an example of the perfect Author!
Take care and all the best,
Deb :))
0
WeHeCommented:
thanks for fast interaction. nice to see a fast solution delivery :)
i agree with Debsyl on leaving a positive feedback, even i can't say it in such a nice manner.
0
Debsyl99Commented:
lol - I beat you on one thing tonight then Wehe? Because it certainly wasn't keyboard speed ;-)) Be seeing you both :-))
0
Windows 2000


Question has a verified solution.
