Solved

Windows 2003 Delegate Control

Posted on 2014-03-28
318 Views
Last Modified: 2014-03-31
Hi,

Is it possible to hide the other OUs from a group to which I have delegated control of only one OU? So far the user can see all OUs, but they are restricted from making changes.
Question by:thomasm1948
3 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 39963168
Create a custom console or taskpad for them and make them use that rather than ADUC.

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
 
LVL 37

Accepted Solution

by: Mahesh (earned 500 total points)
ID: 39963627
What you are trying to do is simply not required \ possible, because the access-based enumeration feature is not enabled \ available with ADUC, as far as I know.

Every domain user is an authenticated user, and if he logs on to a management workstation \ DC, he can view all AD OUs \ containers and all the objects underneath them; this is a right granted by default in AD.
But that does not mean every user gets any write permissions in AD.
Standard users get only read rights throughout the entire domain.
That is why you need to delegate OU control to your OU admins in order for them to get rights to modify \ make changes.

However, if you want, you can restrict delegated users from viewing unnecessary OUs. You need to do that on a per-OU basis, from the OU's properties \ security properties.
All you need to do is grant deny read permissions to the delegated users \ groups on the respective OU.
Now when the users log on to ADUC, they will not be able to locate the OU in ADUC; instead they will see the root OU object as an unknown object in the right-hand pane \ explorer area of Active Directory.
If you have hundreds of OUs, then you can't \ don't want to do this manually, as there is no automation \ software out there to do this task.

Again, you can't block users on the domain root container and allow them a specific OU, because as soon as you block them at the root level, they will simply fail to open ADUC.

The best way I can see is to just delegate them on their specific OU with the required rights.

Mahesh.
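The per-OU "deny read" change described in the accepted answer, as an added PowerShell example; this is not code from the original thread. It assumes the RSAT ActiveDirectory module (which provides the AD: drive) on a management host, and the domain DN, group name and OU names below are placeholders. It also refuses to apply the deny at the domain root, which the answer warns would stop the group from opening ADUC at all.

```powershell
# Added example, not part of the original thread. Scripts the step from the
# accepted answer: put a Deny "read" ACE for the delegated group on each OU
# that group should not see in ADUC. Assumes the RSAT ActiveDirectory module
# (AD: drive); domain DN, group and OU names are placeholders.
Import-Module ActiveDirectory

$DomainDN  = 'DC=example,DC=local'                            # assumed domain DN
$Group     = 'EXAMPLE\HR-OU-Admins'                           # assumed delegated group
$OUsToHide = @("OU=Finance,$DomainDN", "OU=Sales,$DomainDN")  # assumed OUs to hide

$Identity = [System.Security.Principal.NTAccount]$Group

foreach ($ouDN in $OUsToHide) {
    # Failure mode from the answer: a Deny on the domain root breaks ADUC
    # for the group entirely, so never apply it there.
    if ($ouDN -eq $DomainDN) {
        Write-Warning "Refusing to deny read on the domain root $ouDN"
        continue
    }

    $path = "AD:\$ouDN"
    $acl  = Get-Acl -Path $path

    # GenericRead covers list contents, read all properties and read
    # permissions on the OU object. Inheritance 'None' keeps the ACE on this
    # OU only; since the group cannot enumerate the OU, it never sees the
    # children either.
    $ruleArgs = @(
        $Identity,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Deny,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    )
    $deny = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule `
                       -ArgumentList $ruleArgs

    $acl.AddAccessRule($deny)
    Set-Acl -Path $path -AclObject $acl

    # Verify: show the ACEs that now apply to the group on this OU.
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $Group } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights |
        Format-Table -AutoSize
}
```

Deny ACEs take precedence over Allow, so the group loses read on the listed OUs while keeping whatever rights were delegated on its own OU. This only removes the OUs from view in ADUC for that group; it is not a substitute for correctly scoped delegation, and the change should be tried on a test OU first.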
 

Author Closing Comment

by:thomasm1948
ID: 39966325
Thank you, that worked
