Solved

Restricting View for AD Delegation

Posted on 2014-04-01
Last Modified: 2014-04-03
I have delegated rights to our HR Dept. to be able to edit the Organization Info and the Description for each user. Is it possible to restrict the view to only the "Users" OU so they can't see everything else in Active Directory?
Question by:Winsoup

Accepted Solution

by:
Mahesh earned 500 total points
ID: 39970419
Instead of making a delegation, enable the Advanced Features view in Active Directory and go to the properties of the default Users container.
There you will find the Security tab; just go to the Advanced tab within the Security tab and place the required permissions.

Hopefully this will help you.

Mahesh.

Author Comment

by:Winsoup
ID: 39970487
Wouldn't that give them rights to everything in that OU then? I don't want them to be able to change passwords, login scripts, etc. I only want them to be able to change everything on the Organization Tab and the Description on the general tab.

Expert Comment

by:Mahesh
ID: 39971550
In that case you need to use the Delegation of Control Wizard over domain.com with custom rights.

Check the link below for more details:
http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

In the above article, you need to select a custom task instead of a common task to delegate, and there you need to specify granular rights.

Mahesh.
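
One way to script the granular delegation discussed above, as an added example that is not part of the original thread: it uses `dsacls` to grant a group read/write on only the Description and Organization-tab attributes of user objects, then reads the ACL back to confirm nothing broader was granted. The DN, the group name and the attribute list are assumptions.

```powershell
# Added example. Every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory

$TargetDn = 'OU=Users,DC=domain,DC=com'   # assumed DN of the OU holding the accounts
$Group    = 'DOMAIN\HR-Editors'           # assumed delegate group

# Assumed attribute mapping: Description (General tab) plus the Organization
# tab fields Job Title, Department, Company and Manager.
$Attributes = 'description', 'title', 'department', 'company', 'manager'

# Grant read/write on each listed property, for user objects only.
# /I:S makes the ACE apply to child objects, not to the OU object itself.
foreach ($attr in $Attributes) {
    dsacls $TargetDn /I:S /G "${Group}:RPWP;$attr;user" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for attribute '$attr'" }
}

# Resolve each attribute's schemaIDGUID so ACEs can be reported by name.
$schemaNc   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
foreach ($attr in $Attributes) {
    $schemaObj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $guidToName[[guid]$schemaObj.schemaIDGUID] = $attr
}

# Read the ACL back: every explicit ACE for the group should be an Allow of
# ReadProperty/WriteProperty scoped to one of the attributes above.
$allowed = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
$report = (Get-Acl -Path "AD:\$TargetDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $Group -and -not $_.IsInherited } |
    ForEach-Object {
        $name  = $guidToName[$_.ObjectType]
        $extra = [int]$_.ActiveDirectoryRights -band (-bnot $allowed)
        [pscustomobject]@{
            Attribute = if ($name) { $name } else { $_.ObjectType }
            Rights    = $_.ActiveDirectoryRights
            Expected  = [bool]$name -and $extra -eq 0 -and
                        $_.AccessControlType -eq 'Allow'
        }
    }

$report | Format-Table -AutoSize
$report | Where-Object { -not $_.Expected }   # anything listed here is broader than intended
```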

Expert Comment

by:McKnife
ID: 39971558
By the way, on the security tab there are advanced permissions, the same as the delegation of control wizard would offer and more. Everything can be set there.

By default, users can view other OUs as their own and normally the whole OU structure. If you don't want that, you would again need to modify permissions on those OUs.

Author Comment

by:Winsoup
ID: 39973644
The users had rights to do what I needed. I was just wondering if it was possible to restrict the view. After some research I see that it's probably not a good idea to do this so I'm just going to leave it as is and they will be able to see everything else but not edit it.

Expert Comment

by:Mahesh
ID: 39974289
You can't simply do whatever you are trying to do.

By default, every authenticated user (Active Directory user) has rights to view the complete ADUC tree in the hierarchy.
As highlighted earlier by McKnife, you need to restrict permissions on every OU if you want to restrict the view.

Check the thread below on EE for more information:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28399833.html

Not sure why there is an Average grade assigned to the answer and, furthermore, why points only to me?

If you are not satisfied with the answer, you can ask more queries in the same question.
Unless you raise your queries, we never ever come to know what you are looking for.

Mahesh.

Question has a verified solution.