Non IT Client wants to be able to Configure New Users in Windows 2008 Active Directory

I have a client who wants to be able to set up new users in their Windows 2008 Active Directory.

I could install the RSAT tools on their PC, but I think it's going to be too crowded and complicated for them.

Is it possible to set up a customised MMC where a user can only see the OU that they are allowed administer?

Or alternatively are there any free tools out there with a "Keep it stupid simple" user interface for Active Directory User administration?

Who is Participating?
Mike KlineConnect With a Mentor Commented:
You can create a taskpad for them to see that OU

Technically they will still be able to see other OUs but if you want to lock that down it takes a lot more work.

There are some fairly cheap 3rd party products that can also help.  One example


Will SzymkowskiSenior Solution ArchitectCommented:
Unfortunately when you assign delegated permissions on an OU the users still see the entire strucutre. The parts that they dont see are the Tabs in the properties of an objects. Make sure that Advanced Features is disabled/unchecked as this will show more folders (system folders) in the hierarchy.

Hope this helps
SandeshdubeyConnect With a Mentor Senior Server EngineerCommented:
Why are you trying to disable the view of OU?By default user have read only permission to AD object unless and until additional delegation or permission is given,so viewing the other OU/object is not security violation.

Completely hide OU for users - AD/OU segregation

As you are aware you can install rsat tool to manage the activity.I will never give multiple rights to multiple users.Assign basic permission to few users as per business requirement.

enable auditing to track the actitivites carried out by other admin for securtiy reasons:

Delegating administration

Delegation of Control Wizard
cpadmAuthor Commented:
mkline71's answer was what I was looking for, but I'd also like to thank Sandeshdubey for giving me an alternative way of doing this.

Sandeshdubey - To answer your earlier question (Why are you trying to disable the view of OU?). Non-IT users find the Active Directory Users and Computer's to be confusing and too much information. If they click on an MMC and can only see a single OU, this simplifies the user creation process and saves on helpdesk calls.
Mike KlineCommented:
Glad to help, have a great weekend.


Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.