?
Solved

Hide non-delegated objects in AD...

Posted on 2006-06-19
8
Medium Priority
?
683 Views
Last Modified: 2008-05-30
Hello--

We have a terminal server hosting applications for several clients.  We're organizing things by putting each client's users into their own OU.  One of these clients has reqested control over their OU and the users/groups in there.  I understand the whole delegation thing and can give him control over his OU, but I would like to hide every other object that he does not have control over (the Domain Controllers, Computers, Builtin folders, etc).  Of course he doesn't have permission to edit anything in these other folders, but is there any way to let him see only the OU under his control?

Thanks
-- tayyab
0
Comment
Question by:tayyabyunus
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 16936633
No, not really.

You can create a Taskpad that is focussed on the OU he has control over, but if he/she is smart enough they can get around that by launching DSA.MSC manually.

You will still require the Admin Tools on the workstation.

0
 
LVL 13

Expert Comment

by:ylandrum
ID: 16937931
The flippant answer is, of course, migrate to Netware...
0
 

Author Comment

by:tayyabyunus
ID: 16945095
After some playing, I found I could create a custom MSC window that limits the user to the one OU (and objects therein), but there's still a problem.

While the user doesn't have permission to change group membership, they're still allowed to go thru the motions of changing groups, which means they're able to see all the group names in AD.  For example, the user can right-click a user account and select to add to a group.  Then they can click the Advanced button and click Find Now, which displays all the groups in the directory (selecting a group and clicking Ok shows an Access Denied error, of course).   I don't like this because we name our groups using the respective company name, so the user would be able to see the other companies on this server.

So I guess this question has changed a bit, but the bottom-line is still there.  Can anyone suggest [a Microsoft solution] of how to allow a user control over an OU, but hide anything and everything outside the OU?
0
NFR key for Veeam Agent for Linux

Veeam is happy to provide a free NFR license for one year.  It allows for the non‑production use and valid for five workstations and two servers. Veeam Agent for Linux is a simple backup tool for your Linux installations, both on‑premises and in the public cloud.

 
LVL 51

Expert Comment

by:Netman66
ID: 16945251
If the users have only been delegated rights in their own OU, they should not be able to add any user to any group outside their OU.

If they can, something is not setup correctly.

0
 
LVL 1

Expert Comment

by:grigory7811
ID: 16949909
You can hide only non-system containers from client , that is OUs of other clients
Trying to hide system containers (CN=Computers, etc) can cause problems for clients
0
 

Author Comment

by:tayyabyunus
ID: 17055828
Sry for the delay..  other stuff came up.

Netman66:  the user has only been deleegated rights to his own OU, and as I mentioned, they cannot add users to groups outside his OU -- BUT, he is still allowed to browse the other groups in the AD (by going thru the motions of adding a user to another group), which I don't want.

grigory7811:  I am trying to hide non-system containers.  I'm trying to prevent a user (who has been delegated control over his OU) from seeing the groups in other OUs.  I don't care if he sees the group Administrators.  We name our OUs by the client's company name.  I'm trying to prevent this user from seeing those company names.

I've tried many, many things.  I'm ready to accept that this is a flaw in Windows...  surprise surprise.
0
 
LVL 51

Accepted Solution

by:
Netman66 earned 1500 total points
ID: 17057126
Well, any user at all can browse to groups in any OU and list their membership if the Admin Tools are installed.  Basic Users have Read rights to the entire directory and this much can't be removed or their account won't work properly.

0
 

Author Comment

by:tayyabyunus
ID: 17100490
Fair enough. Thanks for the thoughts.
0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question