Solved

Restricting View for AD Delegation

Posted on 2014-04-01
6
233 Views
Last Modified: 2014-04-03
I have delegated rights to our HR Dept. to be able to edit the Organization Info and the Description for each user. Is it possible to restrict the view to only the "Users" OU so they can't see everything else in Active Directory?
0
Comment
Question by:Winsoup
  • 3
  • 2
6 Comments
 
LVL 35

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39970419
Instead of making delegation, enable advanced features view in active directory and go to properties of default users container
There you will find security tab, just go to advanced tab within security tab and place required permissions

This will help you hopefully

Mahesh.
0
 
LVL 3

Author Comment

by:Winsoup
ID: 39970487
Wouldn't that give them rights to everything in that OU then? I don't want them to be able to change passwords, login scripts, etc. I only want them to be able to change everything on the Organization Tab and the Description on the general tab.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39971550
In that case you need to use delegate control wizard over domain.com with custom rights

Check below link for more details
http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

In above article, you need to select custom task instead of common task to delegate and there you need to specify granular rights

Mahesh.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39971558
By the way, on the security tab there are advanced permissions, the same as the delegation of control wizard would offer and more. Everything can be set there.

By default, users can view other OUs as their own and normally the whole OU structure. If you don't want that, you would again need to modify permissions on those OUs.
0
 
LVL 3

Author Comment

by:Winsoup
ID: 39973644
The users had rights to do what I needed. I was just wondering if it was possible to restrict the view. After some research I see that it's probably not a good idea to do this so I'm just going to leave it as is and they will be able to see everything else but not edit it.
0
 
LVL 35

Expert Comment

by:Mahesh
ID: 39974289
You can't simply do whatever you trying to do..

By default every authenticated user (active directory user) has got rights to view complete ADUC tree in the hierarchy
As highlighted earlier by McKnife, you need to restrict permissions on every OU if you wanted to restrict view

Check below thread on EE for more information
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28399833.html

Not sure why there is Average grade assigned to answer and further more why points only to me ?

if you are not satisfied with answer, you can ask more queries in same question
Unless you raised your queries, we never ever come to know what you are looking for

Mahesh.
0

Join & Write a Comment

I know all systems administrator at some time or another has had to create a script to copy file from a server share to a desktop. Well now there is an easy way to do this in Group Policy. Using Group policy preferences is not hard. The first thing …
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now