
Server 2003 Active Directory

RucHee

Member
Hey guys, I recently put my Domain Active Directory tool on my Citrix server so someone who is off-site can edit (create) users in a specific group. I would like them to be able to edit that group, but not have access to the entire domain. I don't want to come to work one day and find that they deleted every user on our domain, so I wish to limit her ability as an Active Directory Admin.

Any ideas?

Thanks!
 
Management of objects listed in Active Directory can be delegated to other administrators. Administrative authority cannot be delegated for objects smaller than the Organizational Unit (OU). There are two ways to delegate object control:

1 - Find the object in the Active Directory Users and Computers tool, right-click on the object, and select "Delegate Control". The Delegation of Control Wizard will start.
2 - Perform the same action as is done when configuring permissions by using the "View" menu in the Active Directory Users and Computers tool, and click on "Advanced Features".
 
Yup. Read up on Active Directory Delegation. This can also be done at the OU level, so you don't have to give somebody rights in areas of the Domain that they don't need authority to change.
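
The OU-level delegation described in the replies above, done from the command line and then verified (an added example, not part of the original thread). The OU, domain, group and account names are constructed placeholders; it assumes `dsacls` from the Windows Server 2003 Support Tools is installed.

```batch
@echo off
rem Constructed names: replace with your own OU, domain, group and account.
set "OU=OU=Remote Staff,DC=example,DC=local"
set "GRP=EXAMPLE\RemoteStaff-UserAdmins"
set "DELEGATE=jdoe"

rem 1. Allow the group to create and delete user objects in this OU and below.
rem    /I:T = this object and its sub-objects; CC/DC = create/delete child.
dsacls "%OU%" /I:T /G "%GRP%:CCDC;user"

rem 2. Give the group full control (GA) of user objects inside the OU only.
rem    /I:S = sub-objects only; the trailing "user" limits inheritance to users.
dsacls "%OU%" /I:S /G "%GRP%:GA;;user"

rem 3. List the OU's ACL and confirm the delegated entries are present.
dsacls "%OU%" | findstr /I /C:"RemoteStaff-UserAdmins"

rem 4. Expand every group the delegate belongs to, nested groups included,
rem    to confirm its rights come only from the delegation group.
dsquery user -samid %DELEGATE% | dsget user -memberof -expand
```

If step 4 lists a built-in privileged group such as Domain Admins or Account Operators, that membership grants rights across the domain regardless of what was delegated on the OU.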
 
Thanks for the replies. I was able to find the delegate control area, and I filled out the fields, etc., but when I log in as that user, it still allows me to access the rest of the domain. I've delegated a certain group to a certain section, and limited access, but it still lets them see everything / edit everything. Any ideas? Thanks.