Solved

Delegation read only to certain AD folders

Posted on 2011-09-26
Last Modified: 2012-05-12
Ok, I know of the delegation wizard, and installing the adminpak.msi for a user you want to delegate certain functions. This is my scenario: I want to give the adminpak to a user to have read only, but on only certain folders/OUs in AD. If the user connects using UAC, they connect with no problem with read only. Why, when I have not set any permissions? And is there a best practice for this scenario where to allow certain folders/OUs read only access and others not even able to click on?
I can certainly add the user to each, read on some and deny on others, but this seems a bit much. Any suggestions?
Thanks
0
Question by:hcalbre
LVL 4

Accepted Solution

by:
mustang83 earned 2000 total points
ID: 36601781
Create Taskpads.

http://www.petri.co.il/create_taskpads_for_ad_operations.htm

You can create a task pad that only shows them what you want them to see.
0
 

Author Comment

by:hcalbre
ID: 36602245
Taskpads look like a user-friendly form of the delegation wizard; however, it still does not accomplish what I'm looking for.
I want to load adminpak.msi on a regular user's machine and have them connect to AD UAC with read only, but either not see or not be able to open certain OUs. So far, I can only accomplish the disappearing OUs by adding the user to the OU and choosing deny.
In addition, it seems as if nothing is preventing a regular user from adding an MMC snap-in of AD UAC and viewing read only, which I find strange.
0
 
LVL 4

Expert Comment

by:mustang83
ID: 36708082
Yes, taskpads were designed so you can give normal users certain views that the administrator wants them to see.

Installing adminpak is designed for administrators. I'd say that what you are trying to do will cause massive administrative overhead.

You can create a taskpad which just tabs all the OUs you want them to have access to. That will solve only showing them the OUs you want.

I believe all users have read only access to Active Directory UAC, so a taskpad is all you need.

I'd say you need to create a group policy to stop certain users from playing around with users and computers.
0
 

Author Comment

by:hcalbre
ID: 36710351
Ok, using the MMC method, users by default have read only. How do you make the TaskPad hide certain OUs? Essentially, since read only already exists, I just need to hide a few OUs within the MMC of AD UAC.
0
 
LVL 4

Expert Comment

by:mustang83
ID: 36711846
You cannot hide OUs without adding the users to each OU and choosing deny, as you described above.

You can right-click and create a new taskpad view on every OU you want the users to see.

If there are lots of OUs you want them to see, it might get a bit messy.
0
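Added example (not part of the original thread): a PowerShell check that lists which ACEs on an OU's security descriptor allow or deny read access, covering both points raised above, that ordinary users get read only without any delegation and that hiding an OU means a per-OU deny entry. The function name `Get-OuReadAce`, the SDDL string and the group SID are constructed for illustration.

```powershell
# Added example. Get-OuReadAce is a hypothetical helper; the SDDL and the
# S-1-5-21-... group SID below are constructed sample values.
Add-Type -AssemblyName System.DirectoryServices

function Get-OuReadAce {
    param(
        [Parameter(Mandatory)]
        [System.DirectoryServices.ActiveDirectorySecurity]$Acl
    )
    # Rights that control listing and reading an OU in the MMC snap-in.
    $read = [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ReadProperty, ListObject'
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Include explicit and inherited ACEs; keep trustees as SIDs so that
    # nothing has to be resolved against a domain controller.
    foreach ($ace in $Acl.GetAccessRules($true, $true, $sidType)) {
        $hit = [int]($ace.ActiveDirectoryRights -band $read)
        if ($hit -eq 0) { continue }                        # no read rights in this ACE
        if ($ace.ObjectType -ne [guid]::Empty) { continue } # skip property-specific ACEs

        [pscustomobject]@{
            Type       = $ace.AccessControlType             # Allow or Deny
            Trustee    = $ace.IdentityReference.Value
            ReadRights = [System.DirectoryServices.ActiveDirectoryRights]$hit
            Inherited  = $ace.IsInherited
        }
    }
}

# Constructed sample: an explicit deny for one group, an allow-read ACE for
# Authenticated Users (AU = S-1-5-11) and full control for SYSTEM (SY).
$groupSid = 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$sddl = "D:(D;CI;LCRPLO;;;$groupSid)" +
        '(A;;RPLCLORC;;;AU)' +
        '(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)'

$acl = New-Object System.DirectoryServices.ActiveDirectorySecurity
$acl.SetSecurityDescriptorSddlForm($sddl)

# Deny rows show which groups an OU is closed to; Allow rows for S-1-5-11
# show why a regular user can browse it without any delegation.
Get-OuReadAce -Acl $acl | Sort-Object Type | Format-Table -AutoSize
```

On a domain-joined machine with the ActiveDirectory module loaded, the same function accepts the output of `Get-Acl 'AD:\<OU distinguished name>'` in place of the constructed descriptor.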

Question has a verified solution.
