Domain Admin rights and views

Posted on 2011-10-21
Medium Priority
Last Modified: 2012-05-12
We are migrating our domain to a bigger domain. Currently we have a child domain. The powers that be have taken away my administrator rights and it's a nightmare. Is there a way for me to be set up on my DC to ONLY SEE my OU so that I can only administer my own OU without seeing or accessing anyone else's? I thought AD was designed for this.
Question by:WellingtonIS
LVL 13

Expert Comment

ID: 37007238

Author Comment

ID: 37007266
OK let me pass this on.  I'm not understanding it so much but we'll c

Author Comment

ID: 37007730
What does the "Managed By" mean for the OU? Will that give us rights?


Expert Comment

ID: 37007879
Right Click the OU in question and select the Delegate Control Option.  There is a wizard that they can go through and select everything that they want you to be able to do:


LVL 57

Expert Comment

by:Mike Kline
ID: 37008026
So are you asking to open up ADUC and just see your OU? That you won't get through delegation. Delegation just delegates rights.

You can create a taskpad view if you want to see less: http://www.petri.co.il/create_taskpads_for_ad_operations.htm

By default authenticated users have read access to most of the directory and that is why you see everything.


LVL 24

Accepted Solution

Sandeshdubey earned 2000 total points
ID: 37009897
You can achieve the same by assigning a deny permission. On the OU which you don't want the user to view, go to the security settings and add the user with deny permission.

Once the deny permission is assigned to the user on a specific OU, the user won't be able to view the OU when he opens Active Directory Users and Computers.

I would personally recommend using the delegation option. If the user is added to the admin group, remove the same and delegate control on the OU. But this will have at least read permission on other OUs.

If you have multiple users who act as admin you can achieve the same as below

Create a group like "helpdesk admins", then open the Active Directory Users & Computers MMC snap-in and right-click on the OU where you want to give them rights (if you want to give them rights over the whole domain, right-click on the domain name), then select the Delegate Control option.

In the resulting wizard, select the group you created earlier ("helpdesk admins"), click Next, then click "Create a custom task to delegate" and click Next. Select which tasks the group will be able to perform.

Reference link: http://www.windowsecurity.com/articles/Implementing-Active-Directory-Delegation-Administration.html
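
The delegation steps in the answer above can also be scripted and then checked. This is an added example, not part of the original thread: it grants the "helpdesk admins" group create/delete and password-reset rights on user objects in one OU, then lists the OU's explicit ACEs so the result can be reviewed. The OU distinguished name is a placeholder, and the choice of delegated tasks is an assumption.

```powershell
# Added example (not from the thread). Run as an account allowed to modify the OU's ACL.
Import-Module ActiveDirectory

$ouDn  = 'OU=MyOU,DC=child,DC=example,DC=com'      # placeholder: replace with your OU's DN
$group = Get-ADGroup -Identity 'helpdesk admins'   # group name taken from the answer above
$sid   = $group.SID

# Well-known schema GUIDs
$userClass     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # "user" object class
$resetPassword = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # "Reset Password" extended right

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDn"

# Task 1: create and delete user objects in this OU and its sub-OUs
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $userClass,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))

# Task 2: reset passwords, applied only to user objects below the OU
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow,
    $resetPassword,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClass)))

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: show only the ACEs set directly on this OU (inherited ones are filtered out),
# so any delegation broader than intended is visible at a glance.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

As noted in the thread, this only grants rights on the OU; the group's members still have the default read access to the rest of the directory.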


Author Closing Comment

ID: 37176451
Sorry it took so long for me to close this. I'm busy migrating the domain.
