Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2444
  • Last Modified:

Hide OUs in Active Directory Users and Computers

I want to delegate permissions to an admin in Active Directory Users and Computers.  I also don't want the admin to see any other containers than the one that is being delegated to him.  Is this possible?
0
ENTPF
Asked:
ENTPF
1 Solution
 
DenverRickCommented:
No.  You can prevent the access by him but he will still see the the containers.  There is no "hidden" feature like there is for Folder shares.
0
 
LauraEHunterMVPCommented:
Actually it is possible, but -extremely- non-trivial. By default, the Authenticated Users group has Read access to nearly the entire directory. You can remove this permission at the domain level and assign Read permissions manually at lower OU levels, but it needs to be carefully tested in a lab environment before deploying to production, as it has the potentical to break a -lot- of applications, including Group Policy.
0
 
DenverRickCommented:
Totally unsupported.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LauraEHunterMVPCommented:
Totally incorrect - google "Confidentiality bit" for some examples, or come to the Directory Experts Conference most years to listen to Guido Grillenmeier or someone else from HP present on it.  Any number of organizations have implemented it, but it is absolutely something that must be done with care and with significant testing.
0
 
minvisCommented:
It can easily be done with MMC.

Open "Active directory users and computers" snap-in in the MMC. Right-click the OU you've delegated en choose open in new window. Close the other window in MMC and save the console as an *.msc file.

If anyone opens this file he/she will see only one OU.

Good luck!
0
 
DatagoCommented:
The "Acceptde Solution" is is not completely correct infact if a domain user install Windows Server 2003 Administration Tools Pack or RSAT can see all ad ou, users, ou and computers.
0
 
khairilCommented:
Hi,

Datoga comment is right, unless you can program youself special tools, having delegation does not mean that all other OUs and it contents are hidden from the user. They just not be able to change/delete it.

-khairil-
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now