Solved

Windows 2003 Delegate Control

Posted on 2014-03-28 | 305 Views | Last Modified: 2014-03-31
Hi,

Is it possible to hide the OUs from a group that I have delegated control to for only one OU? So far the user can see all OUs, but they are restricted from making changes.
Question by: thomasm1948

3 Comments

Expert Comment by: KCTS (LVL 70), ID: 39963168
Create a custom console or taskpad for them and make them use that rather than ADUC.

http://www.petri.co.il/create_taskpads_for_ad_operations.htm

Accepted Solution by: Mahesh (LVL 36), earned 500 total points, ID: 39963627
What you are trying to do is simply not required / possible, because the access-based enumeration feature is not enabled / available in ADUC, as far as I know.

Every domain user is an authenticated user, and if he logs on to a management workstation / DC he can view all AD OUs / containers and all objects underneath them; this is a default right granted by AD.
But that does not mean that every user gets any write permissions in AD.
Standard users get only read rights throughout the entire domain.
That is why you need to delegate OU control to your OU admins in order for them to get rights to modify / make changes.

However, if you want, you can restrict delegated users from viewing unnecessary OUs. You need to do that on a per-OU basis, from the OU's properties / security properties.
All you need to do is grant deny read permissions to the delegated users / groups on the respective OU.
Now when the users log on to ADUC they will not be able to locate the OU in ADUC; instead they will see the root OU object as an unknown object in the right-hand pane / explorer area in Active Directory.
If you have hundreds of OUs, then you can't / don't want to do this manually, as there is no automation / software out there to do this task.

Again, you can't block users on the domain root container and allow them a specific OU, because as soon as you block them at the root level they will simply fail to open ADUC.

The best way I can see is to just delegate them on their specific OU with the required rights.

Mahesh.
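Mahesh describes the per-OU deny-read approach and notes that nothing automates it; the following PowerShell is an added example, not code from the thread or from any answerer. It assumes the ActiveDirectory RSAT module and its AD: drive (Server 2008 R2 or later, so not the native Windows 2003 tooling), and the OU and group names are placeholders.

```powershell
# Added example (not from the thread): deny Read on every OU outside one
# delegated group's own subtree, automating the per-OU step described above.
# Assumes the ActiveDirectory RSAT module and the AD: PSDrive it provides.
Import-Module ActiveDirectory

$DelegatedOU = 'OU=Sales,DC=example,DC=com'   # placeholder: OU the group manages
$GroupName   = 'EXAMPLE\OU-Sales-Admins'      # placeholder: delegated group

$root = (Get-ADDomain).DistinguishedName
if ($DelegatedOU -notlike "*,$root") { throw "Delegated OU is not in this domain" }

# Ancestors of the delegated OU must stay readable or the group cannot browse to it.
$ancestors = @()
$dn = $DelegatedOU
while ($dn -ne $root) {
    $dn = $dn -replace '^[^,]+,', ''   # drop the leftmost RDN
    $ancestors += $dn
}

$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Deny GenericRead on the OU object itself (no inheritance). The group then sees
# that OU only as an unknown object, as described above, and cannot read into it.
$denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $root) {
    $ouDn = $ou.DistinguishedName
    # Skip the delegated OU, everything under it, and its ancestors; the domain
    # root is never an OU, so it is never touched.
    if ($ouDn -eq $DelegatedOU -or $ouDn -like "*,$DelegatedOU" -or $ancestors -contains $ouDn) {
        continue
    }
    $acl = Get-Acl -Path "AD:\$ouDn"
    $acl.AddAccessRule($denyRead)
    Set-Acl -Path "AD:\$ouDn" -AclObject $acl -WhatIf   # remove -WhatIf to apply
    Write-Host "Would deny Read on $ouDn for $GroupName"
}
```

It runs with -WhatIf so nothing changes until that switch is removed; the path from the domain root down to the delegated OU is skipped on purpose, because, as the answer notes, a deny at the root stops ADUC from opening at all.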

Author Closing Comment by: thomasm1948, ID: 39966325
Thank you, that worked