Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Delegating Control.

Status
Not open for further replies.
stvleaze

stvleaze

ISP
Mar 24, 2006
45
0
0
US
Hello all. I am searching for ways to deligate control to certain dept. heads. I want to have a snap in on their xp machines that shows them just their OU. Is this possible?

I installed ADMINPAK.MSI but that showed way too much. It shows the entire AD structure. That brings me to another question. I tested installing ADMINPAK.MSI on a simply pc with a simple domain user. BAM I could see the entire AD structure.. All OU's and all users.. everything... Is this normal? I would rather keep this stuff hidden..

Anyways, if anyone has any suggestions I would appriciate them. Thanks!!

Daniel
 
Sort by date Sort by votes
You can create a new mmc snap in that shows only the appropriate OUs, you may need to create more than one if each department head has a different OU.

Make sure to go into options under the file menu and change it to user mode rather than author mode.

It might also help if you right click the appropriate OU and select "New Window From Here" then you can close the main window and they won't have access to anything higher in the tree. Save it and deploy it to their stations.

David I. Taylor
A+, Network+, MCP Windows XP
 
Upvote 0 Downvote
Thanks. I got that down. But that still doesn't keep someone it savy from installing ADMINPAK.MSI and seeing the entire AD layout.

What keeps kids from doing this at colleges that use AD.
Im sure they dont want the entire school AD scheme public. There has gotta be a way to hide that even if someone downloads and installs ADMINPAK.MSI.
 
Upvote 0 Downvote
The first way would be to simply not allow anyone other than the IT department to have power user or administrative rights to their local machines. This will prevent them from installing anything.

The next would be to put a GPO in place with a software restriction rule that prevents any of the mmc snap ins from ADMINPAK from loading... I'm not really certain if this will prevent the use of the custom consoles.

I'm sure there are others, perhaps far better than my suggestions.

David I. Taylor
A+, Network+, MCP Windows XP
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Teo En Ming
  • Locked
  • Question
Actions taken during Disaster Recovery for client whose IBM Megaraid controller has failed
Replies
2
Views
117
fightaccording
fightaccording
shmoes
  • Locked
  • Question
Delegating file admin permission
Replies
3
Views
62
SamBones
SamBones
fredmartinmaine
  • Locked
  • Question
Domain Controller without DNS Server
Replies
4
Views
162
fredmartinmaine
fredmartinmaine
mkrausnick
  • Locked
  • Question
Can't write to folder even though Active Directory effective permissions shows full control
Replies
1
Views
62
mkrausnick
mkrausnick
smokey7244521
  • Locked
  • Question
Server 2008R2 RAID controller issue
Replies
0
Views
27
smokey7244521
smokey7244521

Part and Inventory Search

Sponsor

Back
Top