
Delegation of administration in AD

Hi,
My environment is a Windows 2003 functional level domain, where I want to delegate a few administration tasks to a group whose members are users that I want to allow to create/modify user accounts, etc.
When I go through the wizard it all goes fine. However, when I launch mmc as that delegated user and add the AD Users and Computers snap-in, I'm surprised to see that this delegated user is able to see the whole domain structure, OUs and user information from all the OUs, not only the delegated OU.
Is it by design? Or is it possible, when delegating, to prohibit listing all the OUs in some way?

Thank you

June 16th, 2012 1:47am
Hi, even if you do not delegate permissions, by default all/any domain users can "read" the AD.
Don

June 16th, 2012 2:24am
Create a taskpad for that delegated user.

1. Creating a taskpad and delegating several admin tasks.

2. Create Taskpads for Active Directory Operations.



Thanks

June 16th, 2012 2:27am
If you would like to prevent the user from viewing your OU structure, remove "Authenticated Users" from the OU security list.
However, this action will cause GPO processing to fail and might cause other issues as well, and it is not good practice.



Press any key... What the ... Where's any key ?


This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
June 16th, 2012 2:27am
Hello,
each domain user is able to read within AD all information, modifying is only possible for some settings.
To have an own taskpad created see

http://jorgequestforknowledge.wordpress.com/2006/01/05/creating-a-taskpad-and-delegating-several-admin-tasks/
and

http://support.microsoft.com/kb/555986

Be aware that if the adminpak or RSAT tools are installed on the computer, users are able to use them.
Best regards
Meinolf Weber
MVP, MCP, MCTS
Microsoft MVP - Directory Services
My Blog:
http://msmvps.com/blogs/mweber/


Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

June 17th, 2012 10:04am
Hi,

> Is it by design so? or it's possible when delegating to prohibit in a way listing all the OU's??
Yes, it's by design. Authenticated Users have Read permission on each object, and the Domain Users group is a member of the Authenticated Users group.
The Read permission includes the List Contents, Read All Properties and Read Permissions sub-permissions, so each user in the domain can read all object information in the domain.
It's not recommended to prohibit this permission.
For more information please refer to following MS articles:
Active Directory Standard Permissions

http://technet.microsoft.com/en-us/library/cc772834(v=WS.10).aspx

Default groups

http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx

Delegate Control of an Organizational Unit

http://technet.microsoft.com/en-us/library/cc732524.aspx

Hope this helps!
TechNet Subscriber Support
If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.
Lawrence
TechNet Community Support

June 17th, 2012 10:53pm
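An added example, not from the thread, that lets you verify the point made above: a PowerShell function that lists the ACEs granted to Authenticated Users (well-known SID S-1-5-11) on an OU, so you can see the default Read-type rights (ListChildren, ReadProperty, GenericRead) that let any domain user browse the tree in ADUC. The distinguished name `OU=Helpdesk,DC=example,DC=com` is a constructed placeholder, and the script assumes the RSAT ActiveDirectory module (which provides the `AD:` drive) is installed.

```powershell
# Added example (not from the thread): audit which rights Authenticated Users
# hold on an OU, using the AD: PSDrive provided by the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AuthenticatedUsersRights {
    param(
        [Parameter(Mandatory)]
        [string]$DistinguishedName   # e.g. 'OU=Helpdesk,DC=example,DC=com' (constructed)
    )
    # Well-known SID S-1-5-11 is Authenticated Users; matching on the SID
    # avoids depending on the localized group name.
    $authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)

    foreach ($ace in $acl.Access) {
        # Translate the ACE identity (usually an NTAccount) to a SID for comparison.
        $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        if ($sid.Value -ne $authUsers.Value) { continue }

        [pscustomobject]@{
            ObjectDN   = $DistinguishedName
            Type       = $ace.AccessControlType      # Allow / Deny
            Rights     = $ace.ActiveDirectoryRights  # e.g. ListChildren, ReadProperty, GenericRead
            Inherited  = $ace.IsInherited            # inherited from the domain head or a parent OU
            ObjectType = $ace.ObjectType             # GUID of a property/class, or all zeros for the object
        }
    }
}

# Run it against the OU you delegated and against one you did not: both show
# Read-type ACEs for Authenticated Users, which is why the delegated admin can
# see every OU, not only the delegated one.
Get-AuthenticatedUsersRights -DistinguishedName 'OU=Helpdesk,DC=example,DC=com' |
    Format-Table Type, Rights, Inherited, ObjectType -AutoSize
```

Inherited ACEs in the output come from the domain head; removing them, as a later reply warns, also removes the read access that Group Policy processing relies on.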
Hi,
I would like to confirm what is the current situation? Have you resolved the problem?
If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help.
Lawrence
TechNet Community Support

June 21st, 2012 1:59am
Hi,
As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered, as the previous steps should be helpful for many similar scenarios.
If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish.
In addition, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems.
Thanks!
Lawrence
TechNet Community Support

June 27th, 2012 2:21am