Brent92663

asked on

OUs and delegate control, etc


Here is what I am trying to do.

I want a user to be able to launch ADUC from the adminpak on their desktop; so far so good. HOWEVER, I only want them to see ONE OU, nothing else. I suppose if they saw the other folders it would be okay, just not the contents. THEN they need to be able to edit their one OU.

Thanks!

kkattfish

Can't you just go into AD as an admin, then right-click one of the OUs and choose Properties, then click the Managed By tab and click Change to add rights to the users that should have it?
You can also right-click the OU and then click Delegate Control, and there is a wizard that will walk you through.
Brent92663

ASKER

This works, but then they can still see everything else. Is there a way to say they only see the one OU?
Hi Brent92663,

No, AD will allow you to belt down security with delegation, but you cannot physically hide portions of AD.
Hi Brent92663,

By default, "Authenticated Users" are granted List Contents, Read All Properties and Read Permissions through AD, and all OUs inherit this permission. Remove this permission from the OU and set the permission for your user/group.

My advice is: don't remove these permissions on the domain (just on your OUs) or you can break something.

cheers
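
One way to script the change described in the answer above, as an added example that is not part of the thread. It assumes the ActiveDirectory PowerShell module is installed; the function name, OU distinguished name and group name are placeholders, and it only covers read visibility (edit rights still come from the Delegate Control wizard).

```powershell
# Added example (not from the thread). OU DN and group name are placeholders.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl/Set-Acl

function Set-OuReadAccess {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$OuDn,          # OU to restrict
        [Parameter(Mandatory)][string]$DelegateGroup  # group that keeps read access
    )
    $path    = "AD:\$OuDn"
    $acl     = Get-Acl -Path $path
    $sidType = [System.Security.Principal.SecurityIdentifier]
    # GenericRead = List Contents + Read All Properties + Read Permissions + List Object
    $read    = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

    # Allow ACEs for Authenticated Users (well-known SID S-1-5-11) carrying any read bit
    $auRules = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.IdentityReference.Value -eq 'S-1-5-11' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $read)
    }

    foreach ($rule in $auRules) {
        if ($rule.IsInherited) {
            # Inherited ACEs cannot be removed here; they change on the parent
            # or by blocking inheritance on this OU.
            Write-Warning "Inherited ACE left in place: $($rule.ActiveDirectoryRights)"
        }
        elseif ($PSCmdlet.ShouldProcess($OuDn, "Remove Authenticated Users: $($rule.ActiveDirectoryRights)")) {
            [void]$acl.RemoveAccessRule($rule)
        }
    }

    # Read access for the delegated group on the OU and everything below it
    $group = New-Object System.Security.Principal.NTAccount -ArgumentList $DelegateGroup
    $grant = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $group, $read,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

    if ($PSCmdlet.ShouldProcess($OuDn, "Grant read to $DelegateGroup and write the ACL")) {
        $acl.AddAccessRule($grant)
        Set-Acl -Path $path -AclObject $acl
    }
}

# Preview only; nothing is written while -WhatIf is present.
Set-OuReadAccess -OuDn 'OU=Branch,DC=example,DC=com' -DelegateGroup 'EXAMPLE\BranchOUAdmins' -WhatIf
```

Apply it to each OU the delegated user should not browse, not to the domain root, in line with the caution in the answer.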
ASKER CERTIFIED SOLUTION
Netman66
This solution is only available to members.
I think there was an answer here.

I would agree, I didn't think it was possible but NM showed that there is an efficient way of completing this.
Sorry I lost track of this one!