Re: AD account admin delegation and moving all user accounts to an OU

From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
Date: Sat, 05 Aug 2006 15:25:47 -0400

If you allow someone to create an account natively they have full control over the objects. If you don't want them to have that, use a provisioning process of some sort.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

Ned wrote:

Hello

I want to delegate the adding and removal of user accounts to a
secretary while restricting everything else including access to
Exchange attributes in AD and creation of mailboxes. I read that and OU
should be created and permissions delegated there. Can I move all my
users into an OU without causing problems? Can the delegation be done
this way?

Thanks
Ned Hart

Follow-Ups:
- Re: AD account admin delegation and moving all user accounts to an OU
  - From: Ned

References:
- AD account admin delegation and moving all user accounts to an OU
  - From: Ned

Prev by Date: Re: VPN Clients - Expiring Passwords
Next by Date: Re: Restrict windows share access by IP address
Previous by thread: AD account admin delegation and moving all user accounts to an OU
Next by thread: Re: AD account admin delegation and moving all user accounts to an OU
Index(es):
- Date
- Thread

Relevant Pages

Re: Delegating unlock to group of users
... Joe Richards Microsoft MVP Windows Server Directory Services ... MNunes wrote: ... I'am trying to delegate the unlock user property to a group of users. ... So what I'am trying to do is to delegate the "lockoutTime" attribute explicitly to the users that is going to be unlocked. ...
(microsoft.public.windows.server.active_directory)
Re: Delegating Administration to a user.
... Again, get a DSACLS dump, there are so many ways this can be screwed up we could be guessing at things to check for a week. ... Joe Richards Microsoft MVP Windows Server Directory Services ... noticed that all the fields are greyed out not just the account boxes where lockout it located at. ... I did the delegate wizard in users and computers and the user can create the ...
(microsoft.public.windows.server.active_directory)
Re: Delegation tools, any good (free) ones?
... Joe Richards Microsoft MVP Windows Server Directory Services ... Author of O'Reilly Active Directory Third Edition ... I've looked at the delegate wizard in ADU&C, ...
(microsoft.public.windows.server.active_directory)
Re: Delegation to create user accounts only and not disable or delete
... Choose the "create custom task to delegate" click next ... select the "This folder, existing objects in this folder, and creation of ... Administration has found out that this teacher has been disabling user ... delete or manage user accounts. ...
(microsoft.public.windows.server.active_directory)
Re: Delegating control of the GAL to our HR
... > I need to be able to delegate control of the Global Address book to ... RUS updates the address lists from properties of the user accounts in AD. So ... Please direct all replies ONLY to the Microsoft public newsgroups ...
(microsoft.public.exchange2000.admin)