Solved

Hide non-delegated objects in AD...

Posted on 2006-06-19
8
Medium Priority
684 Views
Last Modified: 2008-05-30
Hello--

We have a terminal server hosting applications for several clients. We're organizing things by putting each client's users into their own OU. One of these clients has requested control over their OU and the users/groups in there. I understand the whole delegation thing and can give him control over his OU, but I would like to hide every other object that he does not have control over (the Domain Controllers, Computers, Builtin folders, etc.). Of course he doesn't have permission to edit anything in these other folders, but is there any way to let him see only the OU under his control?

Thanks
-- tayyab
0
Question by:tayyabyunus
8 Comments
 
LVL 51

Expert Comment

by:Netman66
ID: 16936633
No, not really.

You can create a Taskpad that is focussed on the OU he has control over, but if he/she is smart enough they can get around that by launching DSA.MSC manually.

You will still require the Admin Tools on the workstation.

0
 
LVL 13

Expert Comment

by:ylandrum
ID: 16937931
The flippant answer is, of course, migrate to Netware...
0
 

Author Comment

by:tayyabyunus
ID: 16945095
After some playing, I found I could create a custom MSC window that limits the user to the one OU (and objects therein), but there's still a problem.

While the user doesn't have permission to change group membership, they're still allowed to go through the motions of changing groups, which means they're able to see all the group names in AD. For example, the user can right-click a user account and select to add to a group. Then they can click the Advanced button and click Find Now, which displays all the groups in the directory (selecting a group and clicking OK shows an Access Denied error, of course). I don't like this because we name our groups using the respective company name, so the user would be able to see the other companies on this server.

So I guess this question has changed a bit, but the bottom line is still there. Can anyone suggest [a Microsoft solution] for how to allow a user control over an OU, but hide anything and everything outside the OU?
0
 
LVL 51

Expert Comment

by:Netman66
ID: 16945251
If the users have only been delegated rights in their own OU, they should not be able to add any user to any group outside their OU.

If they can, something is not set up correctly.

0
 
LVL 1

Expert Comment

by:grigory7811
ID: 16949909
You can hide only non-system containers from the client, that is, the OUs of other clients.
Trying to hide system containers (CN=Computers, etc.) can cause problems for clients.
0
 

Author Comment

by:tayyabyunus
ID: 17055828
Sorry for the delay. Other stuff came up.

Netman66: the user has only been delegated rights to his own OU, and as I mentioned, they cannot add users to groups outside his OU -- BUT, he is still allowed to browse the other groups in the AD (by going through the motions of adding a user to another group), which I don't want.

grigory7811: I am trying to hide non-system containers. I'm trying to prevent a user (who has been delegated control over his OU) from seeing the groups in other OUs. I don't care if he sees the group Administrators. We name our OUs by the client's company name. I'm trying to prevent this user from seeing those company names.

I've tried many, many things. I'm ready to accept that this is a flaw in Windows... surprise, surprise.
0
 
LVL 51

Accepted Solution

by:Netman66 (earned 1500 total points)
ID: 17057126
Well, any user at all can browse to groups in any OU and list their membership if the Admin Tools are installed. Basic users have Read rights to the entire directory, and this much can't be removed or their account won't work properly.

0
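The two checks the experts describe (Netman66's "if they can, something is not set up correctly" on the delegation, and the accepted answer's point that ordinary users hold read rights on the whole directory) can both be verified from the ACLs themselves. The PowerShell below is an added example, not code from anyone in this thread; it assumes the RSAT ActiveDirectory module is installed, and the OU distinguished name and group name are placeholders for the client's OU and the group that was delegated control of it.

```powershell
# Added example: audit how far an OU delegation reaches, and show the directory-wide
# read rights that make other OUs' groups visible regardless of delegation.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive used by Get-Acl).
Import-Module ActiveDirectory

$DelegatedOU    = 'OU=ClientA,DC=corp,DC=example'   # placeholder: the client's OU
$DelegatedGroup = 'CORP\ClientA-Admins'             # placeholder: the delegated group (NT-style name)

# 1. Explicit (non-inherited) ACEs the Delegation of Control wizard wrote on the OU itself.
#    Confirm they grant only what was intended (rights, object types, inheritance scope).
$ouAcl = Get-Acl -Path "AD:\$DelegatedOU"
$ouAcl.Access |
    Where-Object { $_.IdentityReference.Value -eq $DelegatedGroup -and -not $_.IsInherited } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType,
                  InheritanceType, ObjectType, InheritedObjectType |
    Format-Table -AutoSize

# 2. Walk every OU and container outside the delegated OU and flag any ACE, explicit or
#    inherited, that names the delegated group. Anything listed here is delegation that
#    leaked beyond the intended OU and should be reviewed.
$domainDN = (Get-ADDomain).DistinguishedName
$filter   = '(|(objectClass=organizationalUnit)(objectClass=container))'
$leaks = foreach ($obj in Get-ADObject -LDAPFilter $filter -SearchBase $domainDN -SearchScope Subtree) {
    $dn = $obj.DistinguishedName
    # Skip the delegated OU and everything beneath it; rights there are expected.
    if ($dn -eq $DelegatedOU -or $dn.EndsWith(",$DelegatedOU")) { continue }
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -eq $DelegatedGroup) {
            [pscustomobject]@{
                Object    = $dn
                Rights    = $ace.ActiveDirectoryRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}
if ($leaks) { $leaks | Format-Table -AutoSize }
else        { "No ACEs for $DelegatedGroup found outside $DelegatedOU" }

# 3. The directory-wide Allow ACEs held by the broad built-in principals on the domain head.
#    These are the read rights every authenticated user inherits; they are why a delegated
#    user can still browse (but not modify) groups in other clients' OUs.
$broadPrincipals = 'NT AUTHORITY\Authenticated Users',
                   'Everyone',
                   'BUILTIN\Pre-Windows 2000 Compatible Access'
$domainAcl = Get-Acl -Path "AD:\$domainDN"
$domainAcl.Access |
    Where-Object { $_.IdentityReference.Value -in $broadPrincipals -and $_.AccessControlType -eq 'Allow' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, ObjectType |
    Format-Table -AutoSize
```

Run it as an account that can read security descriptors across the domain (step 2 reads the ACL of every OU and container, so it takes a while in a large directory). Step 1 should show only the rights you delegated, step 2 should report nothing, and step 3 shows the inherited read access that the accepted answer says cannot be removed without breaking ordinary logons; if step 2 does report objects, that is the misconfiguration Netman66 refers to.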
 

Author Comment

by:tayyabyunus
ID: 17100490
Fair enough. Thanks for the thoughts.
0
