  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 686
  • Last Modified:

Hide non-delegated objects in AD...

Hello--

We have a terminal server hosting applications for several clients.  We're organizing things by putting each client's users into their own OU.  One of these clients has requested control over their OU and the users/groups in there.  I understand the whole delegation thing and can give him control over his OU, but I would like to hide every other object that he does not have control over (the Domain Controllers, Computers, Builtin folders, etc).  Of course he doesn't have permission to edit anything in these other folders, but is there any way to let him see only the OU under his control?

Thanks
-- tayyab
0
Asked by: tayyabyunus
1 Solution

Netman66 commented:
No, not really.

You can create a Taskpad that is focussed on the OU he has control over, but if he/she is smart enough they can get around that by launching DSA.MSC manually.

You will still require the Admin Tools on the workstation.

0
 
Yancey Landrum (Technical Team Lead) commented:
The flippant answer is, of course, migrate to Netware...
0
 
tayyabyunus (Author) commented:
After some playing, I found I could create a custom MSC window that limits the user to the one OU (and objects therein), but there's still a problem.

While the user doesn't have permission to change group membership, they're still allowed to go through the motions of changing groups, which means they're able to see all the group names in AD.  For example, the user can right-click a user account and select to add to a group.  Then they can click the Advanced button and click Find Now, which displays all the groups in the directory (selecting a group and clicking OK shows an Access Denied error, of course).   I don't like this because we name our groups using the respective company name, so the user would be able to see the other companies on this server.

So I guess this question has changed a bit, but the bottom-line is still there.  Can anyone suggest [a Microsoft solution] of how to allow a user control over an OU, but hide anything and everything outside the OU?
0
 
Netman66 commented:
If the users have only been delegated rights in their own OU, they should not be able to add any user to any group outside their OU.

If they can, something is not set up correctly.

0
 
grigory7811 commented:
You can hide only non-system containers from the client, that is, OUs of other clients.
Trying to hide system containers (CN=Computers, etc) can cause problems for clients.
0
 
tayyabyunus (Author) commented:
Sorry for the delay..  other stuff came up.

Netman66:  the user has only been delegated rights to his own OU, and as I mentioned, they cannot add users to groups outside his OU -- BUT, he is still allowed to browse the other groups in the AD (by going through the motions of adding a user to another group), which I don't want.

grigory7811:  I am trying to hide non-system containers.  I'm trying to prevent a user (who has been delegated control over his OU) from seeing the groups in other OUs.  I don't care if he sees the group Administrators.  We name our OUs by the client's company name.  I'm trying to prevent this user from seeing those company names.

I've tried many, many things.  I'm ready to accept that this is a flaw in Windows...  surprise surprise.
0
 
Netman66 commented:
Well, any user at all can browse to groups in any OU and list their membership if the Admin Tools are installed.  Basic Users have Read rights to the entire directory and this much can't be removed or their account won't work properly.

0
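A way to check what Netman66 describes on your own directory, added here as an example and not code from anyone in the thread: the script below walks each client OU and lists every ACE that grants (or denies) the rights that let a principal see the OU's contents or read its objects' names. The container path `OU=Clients,DC=example,DC=local` and the group name `ClientA-OUAdmins` are hypothetical placeholders; it assumes the RSAT ActiveDirectory module is installed on the machine where it runs.

```powershell
# Added example, not from the thread: audit who can list/read each client OU.
# Assumptions (hypothetical names): client OUs sit directly under
# OU=Clients,DC=example,DC=local, and the delegated principal is the group
# EXAMPLE\ClientA-OUAdmins.
Import-Module ActiveDirectory

$clientsBase        = 'OU=Clients,DC=example,DC=local'   # hypothetical
$delegatedPrincipal = 'EXAMPLE\ClientA-OUAdmins'         # hypothetical

# Rights that let a principal enumerate an OU or read the names of its objects.
$seeRights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
             [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty  -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericRead   -bor
             [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$report = Get-ADOrganizationalUnit -Filter * -SearchBase $clientsBase -SearchScope OneLevel |
  ForEach-Object {
    $ou  = $_
    # The AD: PSDrive exposes the object's security descriptor to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ([int]($ace.ActiveDirectoryRights -band $seeRights) -ne 0) {
            [PSCustomObject]@{
                OU        = $ou.Name
                Principal = $ace.IdentityReference.Value
                Type      = $ace.AccessControlType      # Allow or Deny
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
  }

# Full picture: who can see what, per client OU.
$report | Sort-Object OU, Principal | Format-Table -AutoSize

# Narrow view: every OU the delegated group can see other than its own.
# Anything listed here is visible to that group through an explicit ACE;
# broad entries (Authenticated Users, Pre-Windows 2000 Compatible Access)
# are what give every basic user read access, as the thread notes.
$report |
  Where-Object { $_.Principal -eq $delegatedPrincipal -and $_.OU -ne 'ClientA' } |
  Format-Table -AutoSize
```

Read the first table for entries such as Authenticated Users or Pre-Windows 2000 Compatible Access with inherited Read rights: those are the default grants that let any user browse group names, which is why a delegation that only adds rights inside one OU does not stop the Find Now dialog from listing everything. Hiding another client's OU from the delegated group means a Deny ACE for the list/read rights on that OU, which is exactly the non-system-container case grigory7811 mentions; system containers should be left alone.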
 
tayyabyunus (Author) commented:
Fair enough. Thanks for the thoughts.
0
