Solved

Hide non-delegated objects in AD...

Posted on 2006-06-19
Last Modified: 2008-05-30
Hello--

We have a terminal server hosting applications for several clients. We're organizing things by putting each client's users into their own OU. One of these clients has requested control over their OU and the users/groups in there. I understand the whole delegation thing and can give him control over his OU, but I would like to hide every other object that he does not have control over (the Domain Controllers, Computers, Builtin folders, etc.). Of course he doesn't have permission to edit anything in these other folders, but is there any way to let him see only the OU under his control?

Thanks
-- tayyab
Question by: tayyabyunus
Expert Comment

by:Netman66
ID: 16936633
No, not really.

You can create a Taskpad that is focussed on the OU he has control over, but if he/she is smart enough they can get around that by launching DSA.MSC manually.

You will still require the Admin Tools on the workstation.

Expert Comment

by:ylandrum
ID: 16937931
The flippant answer is, of course, migrate to Netware...
Author Comment

by:tayyabyunus
ID: 16945095
After some playing, I found I could create a custom MSC window that limits the user to the one OU (and objects therein), but there's still a problem.

While the user doesn't have permission to change group membership, they're still allowed to go through the motions of changing groups, which means they're able to see all the group names in AD. For example, the user can right-click a user account and select to add to a group. Then they can click the Advanced button and click Find Now, which displays all the groups in the directory (selecting a group and clicking OK shows an Access Denied error, of course). I don't like this because we name our groups using the respective company name, so the user would be able to see the other companies on this server.

So I guess this question has changed a bit, but the bottom-line is still there.  Can anyone suggest [a Microsoft solution] of how to allow a user control over an OU, but hide anything and everything outside the OU?
Expert Comment

by:Netman66
ID: 16945251
If the users have only been delegated rights in their own OU, they should not be able to add any user to any group outside their OU.

If they can, something is not set up correctly.

Expert Comment

by:grigory7811
ID: 16949909
You can hide only non-system containers from the client, that is, the OUs of other clients.
Trying to hide system containers (CN=Computers, etc.) can cause problems for clients.
Author Comment

by:tayyabyunus
ID: 17055828
Sorry for the delay.. other stuff came up.

Netman66: the user has only been delegated rights to his own OU, and as I mentioned, they cannot add users to groups outside his OU -- BUT, he is still allowed to browse the other groups in the AD (by going through the motions of adding a user to another group), which I don't want.

grigory7811:  I am trying to hide non-system containers.  I'm trying to prevent a user (who has been delegated control over his OU) from seeing the groups in other OUs.  I don't care if he sees the group Administrators.  We name our OUs by the client's company name.  I'm trying to prevent this user from seeing those company names.

I've tried many, many things.  I'm ready to accept that this is a flaw in Windows...  surprise surprise.
Accepted Solution

by: Netman66 (earned 500 total points)
ID: 17057126
Well, any user at all can browse to groups in any OU and list their membership if the Admin Tools are installed.  Basic Users have Read rights to the entire directory and this much can't be removed or their account won't work properly.

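The two points made above, that a correctly scoped delegation grants the client group rights only inside its own OU, and that Authenticated Users hold Read on the whole directory by default, can both be verified from the ACLs themselves. The script below is an added example and is not from the thread or any of its posters; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and the delegated group name are placeholders to replace with your own.

```powershell
# Added example: audit a delegated OU against the domain root.
# Part 1 lists every ACE granted to the delegated group, on the client OU and on
# the domain root; any hit on the domain root means the delegation is not scoped
# to the OU. Part 2 lists the default Read ACEs held by Authenticated Users and
# the Pre-Windows 2000 Compatible Access group, which explain why the object
# picker can still enumerate every group in the directory.
Import-Module ActiveDirectory

$clientOu       = 'OU=ClientA,OU=Clients,DC=example,DC=com'   # placeholder DN
$delegatedGroup = 'EXAMPLE\ClientA-Admins'                     # placeholder group
$defaultReaders = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

function Get-AdAclSummary {
    # Flatten the ACEs on one directory object into simple records.
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Object      = $DistinguishedName
            Identity    = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Type        = $ace.AccessControlType
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceType
        }
    }
}

$domainRoot = (Get-ADDomain).DistinguishedName

# Part 1: where does the delegated group actually have rights?
Write-Host "ACEs for $delegatedGroup (expected only on $clientOu):"
@($clientOu, $domainRoot) |
    ForEach-Object { Get-AdAclSummary -DistinguishedName $_ } |
    Where-Object { $_.Identity -eq $delegatedGroup } |
    Format-Table Object, Rights, Type, Inheritance -AutoSize

# Part 2: the directory-wide Read access every authenticated user inherits.
Write-Host "Default Read ACEs on $domainRoot :"
Get-AdAclSummary -DistinguishedName $domainRoot |
    Where-Object { $_.Identity -in $defaultReaders } |
    Format-Table Identity, Rights, Type, Inherited -AutoSize
```

Run it as an account that can read the OU and domain root security descriptors. If Part 1 shows the client group on the domain root, or shows rights on the OU that were not intended, the delegation should be redone; Part 2 shows the default ACEs the accepted answer refers to, which are what lets any authenticated user list the groups in other OUs regardless of how the MMC console is scoped.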
Author Comment

by:tayyabyunus
ID: 17100490
Fair enough. Thanks for the thoughts.