Solved

Windows 2003 Delegate Control

Posted on 2014-03-28
293 Views
Last Modified: 2014-03-31
Hi,

Is it possible to hide the OUs from a group to which I have delegated control of only 1 OU? So far the user can see all OUs, but they are restricted from making changes.
Question by:thomasm1948
3 Comments
LVL 70

Expert Comment

by:KCTS
ID: 39963168
Create a custom console or taskpad for them and make them use that rather than ADUC.

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
LVL 35

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39963627
What you are trying to do is simply not required \ possible, because the access-based enumeration feature is not enabled \ available with ADUC, as far as I know.

Every domain user is an authenticated user, and if he logs on to a management workstation \ DC, he can view all AD OUs \ containers and all the objects underneath; this is a right granted by AD by default.
But that does not mean that every user gets any write permissions in AD.
Standard users get only read rights throughout the entire domain.
That is why you need to delegate OU control to your OU admins, in order for them to get rights to modify \ make changes.

However, if you want, you can restrict delegated users from viewing unnecessary OUs. You need to do that on a per-OU basis, from the OU properties \ security properties.
All you need to do is set deny read permissions for the delegated users \ groups on the respective OU.
Now when the users log on to ADUC, they will not be able to locate the OU in ADUC; instead they will see the root OU object as an unknown object in the right-hand pane \ explorer area in Active Directory.
If you have 100s of OUs, then you can't \ don't want to do this manually, as there is no automation \ software out there to do this task.

Again, you can't block users on the domain root container and allow them a specific OU, because as soon as you block them at the root level they will simply fail to open ADUC.

The best way I can see is to just delegate them their specific OU with the required rights.

Mahesh.
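The per-OU "deny read" described in the accepted answer, scripted as an added example (this is not code from the thread or from Mahesh). It goes a step beyond the answer: it audits which OUs already carry a deny for the group, and it skips the delegated OU and every OU on the path to it, so the root and the ancestors the answer warns about are never blocked. It assumes the RSAT ActiveDirectory module, a hypothetical group OU1-Admins and a hypothetical OU OU=Branch1,DC=corp,DC=example.

```powershell
# Added example, not code from the thread. Assumes RSAT's ActiveDirectory module,
# a hypothetical group "OU1-Admins" and a hypothetical OU
# "OU=Branch1,DC=corp,DC=example"; adjust both before use.
Import-Module ActiveDirectory

function Get-OuReadDenies {
    # Audit: list every OU that already carries a Deny ACE for the group.
    param([Parameter(Mandatory)][string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
        $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"
        $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Deny' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid
        } | ForEach-Object {
            [pscustomobject]@{ OU = $ou.DistinguishedName; Rights = $_.ActiveDirectoryRights }
        }
    }
}

function Hide-OusFromDelegatedGroup {
    # Apply "deny read" (GenericRead, this object and all descendants) on every
    # top-level OU except the delegated OU and its ancestors, so the group can
    # still open ADUC and browse to its own OU. Supports -WhatIf for a dry run.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$GroupSam,
        [Parameter(Mandatory)][string]$DelegatedOuDn
    )
    $sid    = [System.Security.Principal.SecurityIdentifier](Get-ADGroup -Identity $GroupSam).SID
    $domain = (Get-ADDomain).DistinguishedName
    $read   = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $deny   = [System.Security.AccessControl.AccessControlType]::Deny
    $inh    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

    foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domain -SearchScope OneLevel) {
        $dn = $ou.DistinguishedName
        # Never deny the delegated OU itself or any OU on the path to it; the domain root is not touched.
        if ($DelegatedOuDn -eq $dn -or $DelegatedOuDn -like "*,$dn") { continue }
        $path = "AD:\$dn"
        $acl  = Get-Acl -Path $path
        $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule($sid, $read, $deny, $inh)))
        if ($PSCmdlet.ShouldProcess($dn, "Deny GenericRead for $GroupSam")) {
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Preview first, then apply, then verify:
# Hide-OusFromDelegatedGroup -GroupSam 'OU1-Admins' -DelegatedOuDn 'OU=Branch1,DC=corp,DC=example' -WhatIf
# Get-OuReadDenies -GroupSam 'OU1-Admins'
```

Because the deny inherits to all descendants, nested OUs under a hidden top-level OU are hidden as well, which is why the delegated OU's ancestors must be excluded.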
Author Closing Comment

by:thomasm1948
ID: 39966325
Thank you, that worked