Asked by mordiglio

Grant Admin right for an OU in a different Domain

Hi Experts,
I'm looking for a way of giving a user/group control of an OU that exists in our AD, so that they can add/remove users, reset passwords and create mailboxes.
The Exchange server is in London, on the London Domain. Users from all other sites/Domains also exist in AD in the London Domain. A site-to-site VPN is used to connect sites globally to our Exchange server.
There is no trust relationship between the different Domains. An OU containing each user and groups has been set up in AD for each site.
I have already delegated control of each OU and set the delegated rights to Exchange Administrator.
I have also restricted viewing of the specific OUs in MMC to limit access to what users can see.
What do I need to do next to allow administrators from other sites to manage users in their respective OU?
Thank you in advance
Active Directory, Exchange, Windows Server 2003

Last Comment: 8/22/2022 - Mon

If you are talking about a single domain environment (as I understood), there is nothing to be done on the side of AD. It's not about sites actually. Any user can administer any OU within a domain - if given delegated authority.
If you ask how to achieve the goal practically - it depends on you and the exact requirements. I think it's enough to distribute the Adminpak to your users who have been delegated authority (or, as you mentioned you customized the MMC console, you can deliver this one).
To give some summary: it's not about sites, it's more about domain membership. If a user is a member of the domain, you can grant him the necessary privileges.

Hi Martin
Thank you for the prompt response

I apologize if my explanation was a bit confusing
Users are all in different domains. LA; NY; London; Brussels; Sydney; etc., all different domains. Accounts exist on their domain and also on the London Domain where the Exchange resides, but in actual fact, the only thing these accounts have in common (between London and the other locations) is the username. Every account is managed locally by the local administrator and every time they need to create a mailbox or change a password for one of their users, they need to ask me to create the same user in our domain and create a mailbox; enable/disable accounts etc. I would like to give the administrators from each location control of their users on the Exchange Domain.
I know we could have done things very differently, but things happened so fast.
Eventually every location will have their mail server
Thanks again
