
Delegate can see other OUs and objects


  • Delegate can see other OUs and objects

    I did a few searches and couldn't find any information on this particular issue, which tells me I'm either missing something really easy or it was designed this way. Here's the scoop:

    I've recently delegated control to a particular OU for one user. The user has basic permissions to create new users, add them to groups and reset passwords. Just simple user admin tasks that I don't want to do anymore.

    The problem I'm having is that if this user goes to add a user to a group and he uses the advanced search option he is able to see all objects in OUs at the same level and higher than the OU he's delegated to administer.

    Is there a way to limit him to only searching within the OU that he's delegated? Am I missing something pretty straightforward? Any help is greatly appreciated.


  • #2
    Re: Delegate can see other OUs and objects

    Create a custom MMC showing only his OU
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    IT Trainer / Consultant
    Ossian Ltd



    • #3
      Re: Delegate can see other OUs and objects

      That's what we've done. But even in the custom MMC you can search for objects and see things in other OUs. He can only see his OU in the MMC, but being able to view other OUs when doing a search is a bit of a problem. I thought AD would just be smart enough to default the search location to that OU, but no such luck. The default location when searching for objects is the whole domain instead of that particular OU.

      Thanks for the quick reply.