AD user modification interface / limited mmc console

Hello Experts,
I have to give a interface to a user not part of it or technical group just to perform a attribute change, how can i do this ? what is the tools available to give to users desktop?
Administrative Tools\Active Directory Users and Computers - this is too much for the user, i would like to limit the AD .i just need to give the users to access few users under one group, nothing else , may be a single OU visible to that user will be fine but the user need to view all users under one particular group,

any help?
thanks
ThushyaAsked:
Who is Participating?
 
minvisConnect With a Mentor Commented:
First of all you need to restrict AD this can be done with "delegation of control".
http://www.activewin.com/win2000/step_by_step/active_directory/delegsteps.shtml
 If you need to set permissions manually selct the advanced features in "active directory users and computers" from the view menu. With advanced features every OU has a security tab.
 
To give users not the whole view of AD you can make a customized mmc:
  • Open mmc (start - run - mmc.exe)
  • File - "add/remove snap-in" - add
  • select "active directory users and computers"
  • Add - close - ok
(If you just open dsa.msc it won't work)
  • now right click the OU that you need
  • Click "new window from here"
  • minimize the active window within the mmc
  • close the full "active directory users and computers" snap-in
  • maximize your OU snap-in

Now you can create a taskpad view to add tasks to your snap-in:
  • right click the OU
  • click "new taskpad view"
  • follow the wizard to create tasks

And finally you can limit the console:
  • File - options
  • select one of the user modes

Now you can save your console as a *.msc file and distribute it to the users that need it.
NOTE: It's very important that you install the adminpak on the client computer, otherwise the clients cannot open it won't work.
 
Good luck!
0
 
Malli BoppeCommented:
I don't think you can have a limited MMC. You can restrict the user to change any thing on that one OU  or you can use third party web tools in the market.
0
 
ThushyaAuthor Commented:
Minvis -:)
this is what exactly i am looking for , i have given the limited rights to attributes through delegating but not convince giving the full AD tree, now i can do the trick - thank you so much.
0
 
ThushyaAuthor Commented:
THANK YOU - YOU ARE GREAT.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.