mordiglio
asked on
Grant Admin right for an OU in a different Domain
Hi Experts,
I'm looking for a way of giving a user/group control of an OU that exists in our AD, so that they can add/remove users, reset passwords and create mailboxes.
The Exchange server is in London, on the London Domain. Users from all other sites/Domains also exist in AD in the London Domain. A site-to-site VPN is used to connect sites globally to our Exchange server.
There is no trust relationship between the different Domains. An OU containing each user and groups has been set up in AD for each site.
I have already delegated control of each OU and set the delegated rights to Exchange Administrator.
I have also restricted viewing of the specific OUs in MMC to limit access to what users can see.
What do I need to do next to allow administrators from other sites to manage users in their respective OU?
Thank you in advance
ASKER
Hi Martin
Thank you for the prompt response
I apologize if my explanation was a bit confusing
Users are all in different domains. LA; NY; London; Brussels; Sydney; etc., all different domains. Accounts exist on their domain and also on the London Domain where the Exchange resides, but in actual fact, the only thing these accounts have in common (between London and the other locations) is the username. Every account is managed locally by the local administrator, and every time they need to create a mailbox or change a password for one of their users, they need to ask me to create the same user in our domain and create a mailbox, enable/disable accounts, etc. I would like to give the administrators from each location control of their users on the Exchange Domain.
I know we could have done things very differently, but things happened so fast.
Eventually every location will have their mail server
Thanks again
ASKER CERTIFIED SOLUTION
If you are talking about a single-domain environment (as I understood), there is nothing to be done on the side of AD. It's not about sites actually. Any user can administer any OU within a domain, if given delegated authority.
If you ask how to achieve the goal practically, it depends on you and the exact requirements. I think it's enough to distribute the Adminpak to your users who have been delegated authority (or, as you mentioned you customized the MMC console, you can deliver this one).
To give some summary: it's not about sites, it's more about domain membership. If a user is a member of the domain, you can grant him the necessary privileges.
HTH.
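To confirm what the delegation on a site OU actually grants, the following added example (not part of the original thread) lists the explicit Allow ACEs on one OU and flags full-control or permission-changing rights. The OU distinguished name is a placeholder, and the RSAT ActiveDirectory module is assumed to be installed on the machine running it.

```powershell
# Added example: audit explicit (non-inherited) Allow ACEs on one site OU and
# flag rights broader than "manage users and reset passwords".
# Assumptions: RSAT ActiveDirectory module installed; $ouDn is a placeholder DN.
Import-Module ActiveDirectory

$ouDn = 'OU=SiteA,DC=london,DC=example,DC=com'   # placeholder, not from the thread

# Well-known schema GUIDs that show up in user-management delegation.
$known = @{
    '00000000-0000-0000-0000-000000000000' = '(all)'
    'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user class'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}

function Resolve-Guid([guid]$g) {
    # Translate a schema GUID to a readable name when it is one we know.
    $k = $g.ToString()
    if ($known.ContainsKey($k)) { $known[$k] } else { $k }
}

# Rights that let a delegate take over the OU rather than just manage users.
$R     = [System.DirectoryServices.ActiveDirectoryRights]
$broad = $R::GenericAll, $R::WriteDacl, $R::WriteOwner

(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
    ForEach-Object {
        $ace = $_
        [pscustomobject]@{
            Trustee    = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            ObjectType = Resolve-Guid $ace.ObjectType            # class, attribute or extended right
            AppliesTo  = Resolve-Guid $ace.InheritedObjectType   # descendant class the ACE targets
            TooBroad   = @($broad | Where-Object { $ace.ActiveDirectoryRights.HasFlag($_) }).Count -gt 0
        }
    } |
    Sort-Object Trustee |
    Format-Table -AutoSize
```

A site administrators group should appear only with create/delete rights on the user class and the Reset Password extended right; a `TooBroad` value of `True` for that group means the delegation gives more than the tasks described in the question.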