Delegate control in ADUC

Hi,

I have 3 domain admins that I only want to allow them to:

Create users
Reset passwords
Mange group membership
Add computer to domain
See all details really.

I just don't want them to be able to create OU's or move them is this
possible?

yes, that is possible.

to start have a look at:
http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"Cyborg" <apollo13@btinternet.com> wrote in message
news:29D1F891-3FE3-4D65-87D9-DC7D8E02896A@microsoft.com...
> Hi,
>
> I have 3 domain admins that I only want to allow them to:
>
> Create users
> Reset passwords
> Mange group membership
> Add computer to domain
> See all details really.
>
> I just don't want them to be able to create OU's or move them is this
> possible?

Hello Cyborg,

Yes, as said in your subject, Delegate control wizard is your friend for
this.

See here about it:
http://technet.microsoft.com/en-us/l.../cc778807.aspx

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> I have 3 domain admins that I only want to allow them to:
>
> Create users
> Reset passwords
> Mange group membership
> Add computer to domain
> See all details really.
> I just don't want them to be able to create OU's or move them is this
> possible?
>

Can they still remain in the domain admins group and have this restriction?


"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
news:eSvn0$ROJHA.1960@TK2MSFTNGP04.phx.gbl...
> yes, that is possible.
>
> to start have a look at:
> http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx
>
> --
>
> Cheers,
> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>
> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
>
> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
> ------------------------------------------------------------------------------------------
> * How to ask a question --> http://support.microsoft.com/?id=555375
> ------------------------------------------------------------------------------------------
> * This posting is provided "AS IS" with no warranties and confers no
> rights!
> * Always test ANY suggestion in a test environment before implementing!
> ------------------------------------------------------------------------------------------
> #################################################
> #################################################
> ------------------------------------------------------------------------------------------
>
> "Cyborg" <apollo13@btinternet.com> wrote in message
> news:29D1F891-3FE3-4D65-87D9-DC7D8E02896A@microsoft.com...
>> Hi,
>>
>> I have 3 domain admins that I only want to allow them to:
>>
>> Create users
>> Reset passwords
>> Mange group membership
>> Add computer to domain
>> See all details really.
>>
>> I just don't want them to be able to create OU's or move them is this
>> possible?
>

Hello Cyborg,

No, you can not restrict domain admins.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Can they still remain in the domain admins group and have this
> restriction?
>
> "Jorge de Almeida Pinto [MVP - DS]"
> <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in
> message news:eSvn0$ROJHA.1960@TK2MSFTNGP04.phx.gbl...
>
>> yes, that is possible.
>>
>> to start have a look at:
>> http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services
>> #
>>
>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>> ---------------------------------------------------------------------
>> ---------------------
>> * How to ask a question --> http://support.microsoft.com/?id=555375
>> ---------------------------------------------------------------------
>> ---------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test ANY suggestion in a test environment before
>> implementing!
>> ---------------------------------------------------------------------
>> ---------------------
>> #################################################
>> #################################################
>> ---------------------------------------------------------------------
>> ---------------------
>> "Cyborg" <apollo13@btinternet.com> wrote in message
>> news:29D1F891-3FE3-4D65-87D9-DC7D8E02896A@microsoft.com...
>>
>>> Hi,
>>>
>>> I have 3 domain admins that I only want to allow them to:
>>>
>>> Create users
>>> Reset passwords
>>> Mange group membership
>>> Add computer to domain
>>> See all details really.
>>> I just don't want them to be able to create OU's or move them is
>>> this possible?
>>>

Hi,

I'm following the wizard but I don't see an option which would stop users
create OU's, moving OU's.


"Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb66c1db8cb0767269b82fa@msnews.microsoft.com...
> Hello Cyborg,
>
> Yes, as said in your subject, Delegate control wizard is your friend for
> this.
>
> See here about it:
> http://technet.microsoft.com/en-us/l.../cc778807.aspx
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and
> confers no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
>> Hi,
>>
>> I have 3 domain admins that I only want to allow them to:
>>
>> Create users
>> Reset passwords
>> Mange group membership
>> Add computer to domain
>> See all details really.
>> I just don't want them to be able to create OU's or move them is this
>> possible?
>>
>
>

Hello Cyborg,

You use the wizard to allow explicit some configuration. Any other option
should be denied, if they are only domain users. Basically any domain user
can only read in AD, nothing more. Test it before activating in a test environment.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


> Hi,
>
> I'm following the wizard but I don't see an option which would stop
> users create OU's, moving OU's.
>
> "Meinolf Weber" <meiweb(nospam)@gmx.de> wrote in message
> news:ff16fb66c1db8cb0767269b82fa@msnews.microsoft.com...
>
>> Hello Cyborg,
>>
>> Yes, as said in your subject, Delegate control wizard is your friend
>> for this.
>>
>> See here about it:
>> http://technet.microsoft.com/en-us/l.../cc778807.aspx
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Hi,
>>>
>>> I have 3 domain admins that I only want to allow them to:
>>>
>>> Create users
>>> Reset passwords
>>> Mange group membership
>>> Add computer to domain
>>> See all details really.
>>> I just don't want them to be able to create OU's or move them is
>>> this
>>> possible?

no of course not! if they only need to do this, WHY would they need to stay
members of domain admins group? that's just weird, isn't it?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"Cyborg" <apollo13@btinternet.com> wrote in message
news:FCE891E8-348F-4DEC-9AF7-6B8E854BC94D@microsoft.com...
> Can they still remain in the domain admins group and have this
> restriction?
>
>
> "Jorge de Almeida Pinto [MVP - DS]"
> <SubstituteThisWithMyFullNameSeparatedByDots@gmail.com> wrote in message
> news:eSvn0$ROJHA.1960@TK2MSFTNGP04.phx.gbl...
>> yes, that is possible.
>>
>> to start have a look at:
>> http://blogs.dirteam.com/blogs/jorge...01/05/369.aspx
>>
>> --
>>
>> Cheers,
>> (HOPEFULLY THIS INFORMATION HELPS YOU!)
>>
>> # Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
>>
>> BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
>> BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
>> ------------------------------------------------------------------------------------------
>> * How to ask a question --> http://support.microsoft.com/?id=555375
>> ------------------------------------------------------------------------------------------
>> * This posting is provided "AS IS" with no warranties and confers no
>> rights!
>> * Always test ANY suggestion in a test environment before implementing!
>> ------------------------------------------------------------------------------------------
>> #################################################
>> #################################################
>> ------------------------------------------------------------------------------------------
>>
>> "Cyborg" <apollo13@btinternet.com> wrote in message
>> news:29D1F891-3FE3-4D65-87D9-DC7D8E02896A@microsoft.com...
>>> Hi,
>>>
>>> I have 3 domain admins that I only want to allow them to:
>>>
>>> Create users
>>> Reset passwords
>>> Mange group membership
>>> Add computer to domain
>>> See all details really.
>>>
>>> I just don't want them to be able to create OU's or move them is this
>>> possible?
>>
>