Solved

Windwos 2003 Delegate Control

Posted on 2014-03-28
3
307 Views
Last Modified: 2014-03-31
Hi,

Is it possible to hide the OUs from a group that I have delegated control to only 1 OU.  So far the user can see all OUs but they are restricted from making changes
0
Comment
Question by:thomasm1948
3 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 39963168
Create a custom console or taskpad for them and make them use that rather than ADUC.

http://www.petri.co.il/create_taskpads_for_ad_operations.htm
0
 
LVL 37

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39963627
What you are trying to do is simply not required \ possible because access based enumeration feature is not enabled \ available with ADUC as far as I know.

Every domain user is authenticated user and if he logon to management workstation \ DC, he can view all AD OUs \ containers and all underneath objects, this is by default right granted by AD.
But it not means that every user get any write permissions in AD
The standard users get only read rights through out entire domain
That is why you need to delegate OU control to your OU admins in order to get rights to modify \ make changes

However if you want, You can restrict delegated users from viewing unnecessary OUs. You need to do that per OU basis and from OU properties \ security properties
All you need to do is to provide deny read permissions to delegated users \ groups on respective OU
Now when users will logon to ADUC, they can't able to locate OU in ADUC, instead they will look root OU object as unknown object in right hand side pen \ explorer area in active directory
if you have 100s of OU, then you can't \ don't want to do this manually as there is no automation \ software out there to do this task

Again you can't block users on domain root container and allow them specific OU because as soon as you block them at root level, they will simply fail to open ADUC

The best way I can see is to just delegate them on their specific OU with required rights

Mahesh.
0
 

Author Closing Comment

by:thomasm1948
ID: 39966325
Thank you, that worked
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
PowerShell script to display all email addresses where the department = X 3 27
DNS forwarders "unable to resolve" 1 54
NTP time source for DC 3 41
Unable to hit site 2 23
In-place Upgrading Dirsync to Azure AD Connect
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

679 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question