Restricting access in Active Directory Users and Computers

Posted on 2005-05-06
Last Modified: 2011-10-03
Odd request,

is it possible to restrict access in Active directory users and cumputers, say so a user with rights to add users can only view a paticular group or items under a paticular organisational unit and can create users only for that group or under that organisational unit?

If not does anyone know of a third party package that could reside on a client machine and do the above?

Seems like a bit of a tall order I know but any suggestions warmly received.
Question by:mbaldy
    LVL 10

    Accepted Solution

    Do you not want them to see them at all or just limit what they can change?

    You can delegate certain people or groups to manage certain OUs however, I have never tried to restrict viewing of the active directory that what you want to do?
    LVL 18

    Assisted Solution

    Yes...this is actually a very common practice and is built into AD. It is known as Active Directory Delegation. For example,  admins can be assigned control of their particular departmental OU and not the rest of the AD structure.

    Take a look at these links:,295582,sid45_gci1050027,00.html

    Author Comment

    You're both quite right, but what I really need is to give the user access without them having the ability to view other organisation units and their contents, is this possible?  

    Author Comment

    What was i thinking, i've setup a management console containing users and computers, I've drilled down and started a new sheet for the  organisations unit, which has been saved as the only sheet and does exactly what I want, which is restrict the end user so he can modify and view only those users in his organisational unit.

    Cheers guys,

    Write Comment

    Please enter a first name

    Please enter a last name

    We will never share this with anyone.

    Featured Post

    Threat Intelligence Starter Resources

    Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

    I guess it is not common knowledge to most Wintel engineers/administrators: If you have an SNMP-based monitoring system in your environment (and it's common to have SNMP or Syslog) it's reasonably easy to enable monitoring of the Windows Event logs,…
    Scenerio: You have a server running Server 2003 and have applied a retail pack of Terminal Server Licenses.  You want to change servers or your server has crashed and you need to reapply the Terminal Server Licenses. When you enter the 16-digit lic…
    Need more eyes on your posted question? Go ahead and follow the quick steps in this video to learn how to Request Attention to your question. *Log into your Experts Exchange account *Find the question you want to Request Attention for *Go to the e…
    In this sixth video of the Xpdf series, we discuss and demonstrate the PDFtoPNG utility, which converts a multi-page PDF file to separate color, grayscale, or monochrome PNG files, creating one PNG file for each page in the PDF. It does this via a c…

    737 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now