Non IT Client wants to be able to Configure New Users in Windows 2008 Active Directory

I have a client who wants to be able to set up new users in their Windows 2008 Active Directory.

I could install the RSAT tools on their PC, but I think it's going to be too crowded and complicated for them.

Is it possible to set up a customised MMC where a user can only see the OU that they are allowed administer?

Or alternatively are there any free tools out there with a "Keep it stupid simple" user interface for Active Directory User administration?

Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Will SzymkowskiSenior Solution ArchitectCommented:
Unfortunately when you assign delegated permissions on an OU the users still see the entire strucutre. The parts that they dont see are the Tabs in the properties of an objects. Make sure that Advanced Features is disabled/unchecked as this will show more folders (system folders) in the hierarchy.

Hope this helps
Mike KlineCommented:
You can create a taskpad for them to see that OU

Technically they will still be able to see other OUs but if you want to lock that down it takes a lot more work.

There are some fairly cheap 3rd party products that can also help.  One example



Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
SandeshdubeySenior Server EngineerCommented:
Why are you trying to disable the view of OU?By default user have read only permission to AD object unless and until additional delegation or permission is given,so viewing the other OU/object is not security violation.

Completely hide OU for users - AD/OU segregation

As you are aware you can install rsat tool to manage the activity.I will never give multiple rights to multiple users.Assign basic permission to few users as per business requirement.

enable auditing to track the actitivites carried out by other admin for securtiy reasons:

Delegating administration

Delegation of Control Wizard
cpadmAuthor Commented:
mkline71's answer was what I was looking for, but I'd also like to thank Sandeshdubey for giving me an alternative way of doing this.

Sandeshdubey - To answer your earlier question (Why are you trying to disable the view of OU?). Non-IT users find the Active Directory Users and Computer's to be confusing and too much information. If they click on an MMC and can only see a single OU, this simplifies the user creation process and saves on helpdesk calls.
Mike KlineCommented:
Glad to help, have a great weekend.


It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2008

From novice to tech pro — start learning today.