Restricting View for AD Delegation

I have delegated rights to our HR Dept. to be able to edit the Organization Info and the Description for each user. Is it possible to restrict the view to only the "Users" OU so they can't see everything else in Active Directory?
Winsoup asked:

Mahesh (Architect) commented:
Instead of using delegation, enable the Advanced Features view in Active Directory Users and Computers and go to the properties of the default Users container.
There you will find the Security tab; go to the Advanced tab within the Security tab and set the required permissions.

This will help you, hopefully.

Mahesh.

Winsoup (Author) commented:
Wouldn't that give them rights to everything in that OU then? I don't want them to be able to change passwords, login scripts, etc. I only want them to be able to change everything on the Organization Tab and the Description on the general tab.

Mahesh (Architect) commented:
In that case you need to use the Delegation of Control wizard on domain.com with custom rights.

Check the link below for more details:
http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

In the above article, you need to select a custom task instead of a common task to delegate, and there you need to specify granular rights.

Mahesh.

McKnife commented:
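As an added example (not from any of the posters in this thread), this PowerShell script shows what the "custom task" delegation described above looks like when done directly on the OU's ACL, as McKnife's later comment also suggests: the HR group gets WriteProperty on exactly the attributes behind the Organization tab (title, department, company, manager) plus description, inherited by user objects only, and nothing else. The OU path and group name are assumptions; attribute and class GUIDs are resolved from the schema rather than hard-coded.

```powershell
# Added example: delegate write access to a fixed set of user attributes under one OU.
# Assumed names: the OU "OU=Users,DC=example,DC=com" and the delegated group "HR-Editors".
Import-Module ActiveDirectory

$ouDN      = 'OU=Users,DC=example,DC=com'   # assumed OU to delegate on
$groupName = 'HR-Editors'                   # assumed HR security group
$attrs     = 'title', 'department', 'company', 'manager', 'description'

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up the schemaIDGUID of an attribute or class by its LDAP display name.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$userClassGuid = Get-SchemaGuid 'user'

$sid = (Get-ADGroup $groupName).SID
$acl = Get-Acl -Path "AD:\$ouDN"

foreach ($attr in $attrs) {
    # One ACE per attribute: WriteProperty on that attribute only, applied to
    # descendant objects of class "user" (not to the OU itself, groups, computers, etc.).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $attr),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid)
    $acl.AddAccessRule($rule)
}
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: show only the ACEs the group now holds on this OU. Anything beyond
# WriteProperty on the five attribute GUIDs above would mean over-delegation.
(Get-Acl -Path "AD:\$ouDN").Access |
    Where-Object { $_.IdentityReference -like "*\$groupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Because the grant is limited to WriteProperty on named attributes, the group still cannot reset passwords or change logon scripts; read access to the rest of the tree is unchanged, which matches the thread's conclusion that hiding other OUs needs separate per-OU permission changes.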
By the way, on the security tab there are advanced permissions, the same as the delegation of control wizard would offer and more. Everything can be set there.

By default, users can view other OUs as their own and normally the whole OU structure. If you don't want that, you would again need to modify permissions on those OUs.

Winsoup (Author) commented:
The users had rights to do what I needed. I was just wondering if it was possible to restrict the view. After some research I see that it's probably not a good idea to do this so I'm just going to leave it as is and they will be able to see everything else but not edit it.

Mahesh (Architect) commented:
You can't simply do whatever you are trying to do.

By default, every authenticated user (Active Directory user) has rights to view the complete ADUC tree in the hierarchy.
As highlighted earlier by McKnife, you need to restrict permissions on every OU if you want to restrict the view.

Check the thread below on EE for more information:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28399833.html

Not sure why there is an Average grade assigned to the answer, and furthermore why points only to me?

If you are not satisfied with the answer, you can ask more queries in the same question.
Unless you raise your queries, we never come to know what you are looking for.

Mahesh.