Restricting View for AD Delegation

Posted on 2014-04-01
Last Modified: 2014-04-03
I have delegated rights to our HR Dept. to be able to edit the Organization Info and the Description for each user. Is it possible to restrict the view to only the "Users" OU so they can't see everything else in Active Directory?
Question by:Winsoup
LVL 38

Accepted Solution

by:
Mahesh earned 1000 total points
ID: 39970419
Instead of making a delegation, enable the Advanced Features view in Active Directory and go to the properties of the default Users container.
There you will find the Security tab; just go to the Advanced tab within the Security tab and place the required permissions.

This will help you, hopefully.

Mahesh.
0
 
LVL 3

Author Comment

by:Winsoup
ID: 39970487
Wouldn't that give them rights to everything in that OU then? I don't want them to be able to change passwords, login scripts, etc. I only want them to be able to change everything on the Organization Tab and the Description on the general tab.
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39971550
In that case you need to use the Delegate Control wizard over domain.com with custom rights.

Check the link below for more details:
http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/

In the above article, you need to select a custom task instead of a common task to delegate, and there you need to specify granular rights.

Mahesh.
0
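The granular delegation discussed in the comments above can also be scripted and then checked. This is an added example, not part of the original thread: the OU distinguished name and the `DOMAIN\HR-Editors` group are placeholders, and the attribute list is an assumption about which fields back the Description box and the Organization tab.

```powershell
# Added example: grant an HR group read/write on a fixed set of user
# attributes under one OU, then list the group's ACEs to confirm the scope.
Import-Module ActiveDirectory

$ou    = 'OU=Users,DC=domain,DC=com'   # placeholder DN (assumption)
$group = 'DOMAIN\HR-Editors'           # hypothetical group name (assumption)

# Description (General tab) plus the Organization tab fields:
# Job Title, Department, Company, Manager.
$attributes = 'description', 'title', 'department', 'company', 'manager'

# /I:S = inherit to sub-objects only; the trailing ';user' limits the ACE
# to user objects. RPWP = read property + write property on that attribute.
foreach ($attr in $attributes) {
    dsacls.exe $ou /I:S /G "${group}:RPWP;$attr;user"
}

# Build a schemaIDGUID -> lDAPDisplayName map so ACEs can be read by name.
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidToName[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

# Show every explicit ACE the group holds on the OU, with the attribute and
# object class resolved, so anything broader than intended stands out.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group -and -not $_.IsInherited } |
    Select-Object ActiveDirectoryRights, AccessControlType,
        @{ Name = 'Attribute'; Expression = { $guidToName[$_.ObjectType] } },
        @{ Name = 'AppliesTo'; Expression = { $guidToName[$_.InheritedObjectType] } } |
    Format-Table -AutoSize
```

A row with an empty Attribute column means the ACE is not scoped to a single attribute and grants the listed right more broadly than the five fields above.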
LVL 56

Expert Comment

by:McKnife
ID: 39971558
By the way, on the security tab there are advanced permissions, the same as the delegation of control wizard would offer and more. Everything can be set there.

By default, users can view other OUs as their own and normally the whole OU structure. If you don't want that, you would again need to modify permissions on those OUs.
0
 
LVL 3

Author Comment

by:Winsoup
ID: 39973644
The users had rights to do what I needed. I was just wondering if it was possible to restrict the view. After some research I see that it's probably not a good idea to do this so I'm just going to leave it as is and they will be able to see everything else but not edit it.
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 39974289
You can't simply do whatever you are trying to do.

By default, every authenticated user (Active Directory user) has rights to view the complete ADUC tree in the hierarchy.
As highlighted earlier by McKnife, you need to restrict permissions on every OU if you want to restrict the view.

Check the thread below on EE for more information:
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/2003_Server/Q_28399833.html

Not sure why there is an Average grade assigned to the answer and, furthermore, why points only to me?

If you are not satisfied with the answer, you can ask more queries in the same question.
Unless you raise your queries, we will never come to know what you are looking for.

Mahesh.
0
