Solved

Hide non-delegated objects in AD...

Posted on 2006-06-19
8
677 Views
Last Modified: 2008-05-30
Hello--

We have a terminal server hosting applications for several clients.  We're organizing things by putting each client's users into their own OU.  One of these clients has requested control over their OU and the users/groups in there.  I understand the whole delegation thing and can give him control over his OU, but I would like to hide every other object that he does not have control over (the Domain Controllers, Computers, Builtin folders, etc).  Of course he doesn't have permission to edit anything in these other folders, but is there any way to let him see only the OU under his control?

Thanks
-- tayyab
0
Question by:tayyabyunus
8 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 16936633
No, not really.

You can create a Taskpad that is focussed on the OU he has control over, but if he/she is smart enough they can get around that by launching DSA.MSC manually.

You will still require the Admin Tools on the workstation.

0
 
LVL 13

Expert Comment

by:ylandrum
ID: 16937931
The flippant answer is, of course, migrate to Netware...
0
 

Author Comment

by:tayyabyunus
ID: 16945095
After some playing, I found I could create a custom MSC window that limits the user to the one OU (and objects therein), but there's still a problem.

While the user doesn't have permission to change group membership, they're still allowed to go through the motions of changing groups, which means they're able to see all the group names in AD.  For example, the user can right-click a user account and select to add to a group.  Then they can click the Advanced button and click Find Now, which displays all the groups in the directory (selecting a group and clicking OK shows an Access Denied error, of course).   I don't like this because we name our groups using the respective company name, so the user would be able to see the other companies on this server.

So I guess this question has changed a bit, but the bottom-line is still there.  Can anyone suggest [a Microsoft solution] of how to allow a user control over an OU, but hide anything and everything outside the OU?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16945251
If the users have only been delegated rights in their own OU, they should not be able to add any user to any group outside their OU.

If they can, something is not set up correctly.

0
 
LVL 1

Expert Comment

by:grigory7811
ID: 16949909
You can hide only non-system containers from the client, that is, OUs of other clients.
Trying to hide system containers (CN=Computers, etc.) can cause problems for clients.
0
 

Author Comment

by:tayyabyunus
ID: 17055828
Sorry for the delay..  other stuff came up.

Netman66:  the user has only been delegated rights to his own OU, and as I mentioned, they cannot add users to groups outside his OU -- BUT, he is still allowed to browse the other groups in the AD (by going through the motions of adding a user to another group), which I don't want.

grigory7811:  I am trying to hide non-system containers.  I'm trying to prevent a user (who has been delegated control over his OU) from seeing the groups in other OUs.  I don't care if he sees the group Administrators.  We name our OUs by the client's company name.  I'm trying to prevent this user from seeing those company names.

I've tried many, many things.  I'm ready to accept that this is a flaw in Windows...  surprise surprise.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 500 total points
ID: 17057126
Well, any user at all can browse to groups in any OU and list their membership if the Admin Tools are installed.  Basic Users have Read rights to the entire directory and this much can't be removed or their account won't work properly.

0
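An added check, not code from this thread: it reports which OUs grant read or list rights to broad principals such as Authenticated Users (the default that lets any delegated client browse other clients' OUs and group names, as the accepted answer explains, and that grigory7811 suggests could be altered only on non-system containers). It assumes the ActiveDirectory PowerShell module (RSAT, Windows Server 2008 R2 and later), which did not exist when this thread was written, and is read-only.

```powershell
# Added audit script (not from the thread). Assumes the ActiveDirectory
# module; it only reads ACLs and changes nothing.
Import-Module ActiveDirectory

# Principals that effectively mean "every logged-on user". Assumption:
# extend this list with any domain-wide groups you use.
$broad = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

# Rights that reveal a container and its contents to a browsing user:
# List Contents, List Object, Read Property and the generic read bit.
$readMask = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ListObject   -bor
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

# Walk every OU and collect the Allow ACEs that give a broad principal
# one of those rights, noting whether each ACE is explicit or inherited.
$report = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl  = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    $hits = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights) -band ([int]$readMask)) -ne 0 -and
        $broad -contains $_.IdentityReference.Value
    }
    [PSCustomObject]@{
        OU        = $ou.DistinguishedName
        VisibleTo = (($hits | ForEach-Object { $_.IdentityReference.Value } |
                      Sort-Object -Unique) -join '; ')
        Explicit  = [bool]($hits | Where-Object { -not $_.IsInherited })
        Inherited = [bool]($hits | Where-Object { $_.IsInherited })
    }
}

# OUs with an empty VisibleTo column are the ones a delegated client
# cannot browse; the rest are visible to every authenticated user.
$report | Sort-Object OU | Format-Table -AutoSize
```

Run it as a normal domain user rather than an administrator to see the same view the delegated client gets; an OU whose only broad-principal ACE is explicit (from the schema default) is the case grigory7811's comment refers to, while system containers such as CN=Computers are outside the OU filter and are deliberately not reported.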
 

Author Comment

by:tayyabyunus
ID: 17100490
Fair enough. Thanks for the thoughts.
0
