Solved

Restricting View for AD Delegation

Posted on 2014-04-01
Last Modified: 2014-04-03
I have delegated rights to our HR Dept. to be able to edit the Organization Info and the Description for each user. Is it possible to restrict the view to only the "Users" OU so they can't see everything else in Active Directory?
Question by:Winsoup
LVL 37

Accepted Solution

by:
Mahesh earned 1000 total points
ID: 39970419
Instead of making delegation, enable the Advanced Features view in Active Directory and go to the properties of the default Users container.
There you will find the Security tab; just go to the Advanced tab within the Security tab and place the required permissions.

This will help you hopefully

Mahesh.
0
 
LVL 3

Author Comment

by:Winsoup
ID: 39970487
Wouldn't that give them rights to everything in that OU then? I don't want them to be able to change passwords, login scripts, etc. I only want them to be able to change everything on the Organization Tab and the Description on the general tab.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39971550
In that case you need to use the delegate control wizard over domain.com with custom rights.

Check the link below for more details:
http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

In the above article, you need to select a custom task instead of a common task to delegate, and there you need to specify granular rights.

Mahesh.
0
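The per-attribute delegation discussed above (write access to Description and the Organization tab fields only) can also be scripted with `dsacls`. This is an added example, not code from the thread; the OU distinguished name, the group name and the function name are placeholders chosen for illustration.

```powershell
# Added example. Placeholder values (assumptions, not from the thread):
$TargetOU = 'OU=Users,DC=example,DC=com'   # DN of the OU that holds the user accounts
$Trustee  = 'EXAMPLE\HR-Editors'           # group containing the HR staff

# LDAP attributes behind the ADUC fields named in the question:
# General tab "Description", and Organization tab Job Title, Department, Company, Manager.
$Attributes = 'description', 'title', 'department', 'company', 'manager'

function Grant-UserAttributeWrite {
    # Hypothetical helper: grants read/write on single attributes of user objects only.
    param(
        [Parameter(Mandatory)] [string]   $OU,
        [Parameter(Mandatory)] [string]   $Group,
        [Parameter(Mandatory)] [string[]] $Attribute,
        [switch] $Apply     # without -Apply the commands are only listed for review
    )
    foreach ($attr in $Attribute) {
        # RPWP;<attribute>;user = read + write property, limited to that one
        # attribute on user objects. Nothing else (password reset, logon script,
        # group membership) is granted by this ACE.
        $ace = '{0}:RPWP;{1};user' -f $Group, $attr
        if ($Apply) {
            # /I:S applies the ACE to child objects of the OU, not the OU itself
            & dsacls.exe $OU /I:S /G $ace
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "dsacls failed for attribute '$attr' (exit code $LASTEXITCODE)"
            }
        }
        else {
            'dsacls "{0}" /I:S /G "{1}"' -f $OU, $ace
        }
    }
}

# 1. Review what would be granted.
Grant-UserAttributeWrite -OU $TargetOU -Group $Trustee -Attribute $Attributes

# 2. Apply from an elevated session on a machine with the AD DS tools installed.
# Grant-UserAttributeWrite -OU $TargetOU -Group $Trustee -Attribute $Attributes -Apply

# 3. Audit: list the ACEs on the OU that mention the group and confirm that only
#    the five property-scoped entries appear.
# dsacls.exe $TargetOU | Select-String -SimpleMatch $Trustee
```

Running the audit step periodically also shows whether someone has later widened the group's rights beyond these attributes.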
 
LVL 56

Expert Comment

by:McKnife
ID: 39971558
By the way, on the security tab there are advanced permissions, the same as the delegation of control wizard would offer and more. Everything can be set there.

By default, users can view other OUs as their own and normally the whole OU structure. If you don't want that, you would again need to modify permissions on those OUs.
0
 
LVL 3

Author Comment

by:Winsoup
ID: 39973644
The users had rights to do what I needed. I was just wondering if it was possible to restrict the view. After some research I see that it's probably not a good idea to do this so I'm just going to leave it as is and they will be able to see everything else but not edit it.
0
 
LVL 37

Expert Comment

by:Mahesh
ID: 39974289
You can't simply do whatever you are trying to do.

By default, every authenticated user (Active Directory user) has rights to view the complete ADUC tree in the hierarchy.
As highlighted earlier by McKnife, you need to restrict permissions on every OU if you want to restrict the view.

Check below thread on EE for more information
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28399833.html

Not sure why there is an Average grade assigned to the answer and, furthermore, why points only to me?

If you are not satisfied with the answer, you can ask more queries in the same question.
Unless you raise your queries, we never come to know what you are looking for.

Mahesh.
0
