Restricting to Particular OU

  • Restricting to Particular OU

    Hi everyone there...

    I have a single-domain Active Directory setup. For the branch office I have an OU which contains user accounts and computers. There is a System Admin who has rights over this OU to manage user accounts and client machines. As I have seen, I can restrict the System Admin from accessing snap-in administrative tools like DNS, Active Directory Sites and Services etc. through Group Policy. But my concern is that when he is accessing Active Directory Users and Computers to manage his OU, he is able to view other OUs' objects or members in groups. How do I restrict him to ONLY his OU?

    Thanks in advance


  • #2
    Re: Restricting to Particular OU

    By default, all users have read-only access to Active Directory Users and Computers. You can restrict his access by delegating access specifically to that OU. Select the OU, right-click and select 'Delegate'.
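
Added example, not part of the original thread: a scripted form of the delegation described in post #2, followed by a check of which rights come from the delegation and which from the default read access the post mentions. The OU paths and the group name are placeholders, and the rights granted (manage user objects only) are an assumption about what the branch admin needs.

```powershell
# Added example: every DN and group name below is a placeholder.
Import-Module ActiveDirectory   # provides the AD: drive used by Get-Acl

$BranchOu = 'OU=Branch,DC=example,DC=com'      # placeholder: the delegated OU
$OtherOu  = 'OU=HeadOffice,DC=example,DC=com'  # placeholder: an OU he must not manage
$Delegate = 'EXAMPLE\BranchAdmins'             # placeholder: group holding the branch admin

# 1. Delegate. First line: create/delete user objects in the OU (and below).
#    Second line: full control, but only on user objects beneath the OU.
#    /I:T = this object and sub-objects, /I:S = sub-objects only.
dsacls $BranchOu /I:T /G "${Delegate}:CCDC;user"
dsacls $BranchOu /I:S /G "${Delegate}:GA;;user"

# 2. Verify. List the ACEs held on an OU by the given identities so that
#    explicit delegation can be told apart from default read access.
function Get-OuAce {
    param(
        [Parameter(Mandatory)] [string]   $Ou,
        [Parameter(Mandatory)] [string[]] $Identity
    )
    (Get-Acl -Path "AD:\$Ou").Access |
        Where-Object { $Identity -contains $_.IdentityReference.Value } |
        Select-Object @{ n = 'OU'; e = { $Ou } },
                      IdentityReference, AccessControlType,
                      ActiveDirectoryRights, IsInherited, InheritanceType
}

$who = $Delegate, 'NT AUTHORITY\Authenticated Users'

# Expect write-type ACEs for the delegate here ...
Get-OuAce -Ou $BranchOu -Identity $who | Format-Table -AutoSize

# ... and none for the delegate here; any read ACEs listed for
# Authenticated Users are why other OUs stay visible in the console.
Get-OuAce -Ou $OtherOu -Identity $who | Format-Table -AutoSize
```

Run it from an account that is allowed to change the OU's permissions; rerun step 2 on its own later to audit the delegation.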


    • #3
      Re: Restricting to Particular OU

      Could I add to this question:

      1. We have delegated authority to a non-trusted user to modify group membership in specific AD groups related to her project. This has been done and an MMC has been created which only shows the relevant OU.
      2. We have one more requirement: there is a specific, limited group of users from which she should be able to choose members for her groups. When she is modifying her group memberships, is there any way to restrict her MMC to only see a particular OU? That is so she can only add members we allow her to add and not just anyone with an AD account.
      3. When wearing her normal user hat she will need to see all users in the Global Address List.

      All suggestions are welcome!