Delegate Active Directory Users and Computers (ADUC), then create a custom ADUC MMC

Delegate Active Directory Users and Computers (ADUC), then create a custom ADUC MMC



By Ace Fekay
Originally created - 2/2006
Published 8/4/2012


Preface


This shows you how to create a custom ADUC MMC with a customized taskpad for a limited admin acccount after you delegate permissions in Active Directory for that account, such as providing the account the ability to reset passwords in a specific OU. With this method, you are only providing a view just for the OU they are delegated permissions, no other part of the ADUC console.


 


For WIndows 2003 AD:


 


The last time I set this up for a customer, involved a snap-in for each ‘location’ OU, I allowed to retain the rt-click context, and the tree view available in the custom console (left pane and right pane), but I removed everything else including the file menu buttons and such. So under View, Customize, uncheck everything except the top one that says Console Tree. This way they can’t go up level or click any of the things in there. But they will have the rt-click feature.
 
You can also choose to remove the left hand pane (tree view).


 


Create the MMC (and retaining the right-click context feature):


(MMC v2 and v3 are the same)


Start/run/mmc, click enter
File, Add-Remove Snap-in, Add ADUC
Drill down under the domain to the OU you want.
Rt-click on that OU, choose new window from here.
A new window pops up with the OU in the left pane and the contents in the right pane.
Close the original ADUC window leaving the new window open that you’ve just created.
Expand the window to take up the whole console.
Now they will not be able to go up levels and are ‘stuck’ in this OU.
View/Customize
    Uncheck everything but Console Tree.
File/Options Choose Console Mode:
    User mode: Limited Accessm single window
    Check: Do not Save Changes to this console
    Uncheck: Allow the user to customize views


Save it. Logon as a test user delegated whatever perms to do on those users and test it.


If you want to eliminate the ability to right-click on a user account:


Unheck the Console Tree above and change the console view by right-clicking on the OU, choose New Task View, and choose a vertical or horizontal list, then choose to create a new task, menu command, highlight a user account, choose reset pasword, or anything else in the right column, choose an icon, and finish.


 


Copy the MSC file to the admin’s workstation:


Let’s now copy the MSC file we just created above via a UNC connected to the delegated person’s workstation’s Doc and Setttings\username\desktop folder.


Keep in mind, the Active Directory Administration Center, RSAT tools or AdminPak tools, depending on what operating system version the client side is, needs to be installed on the workstation for the ADUC binaries to be available for this task pad to work.


 


To install just the necessary snap-in DLLs for the ADUC console:



For Windows 2003/Windows XP using the AdminPak tools just for the ADUC snap-in, nothing else:


Copy over the following three DLLS from a Windows 2003 DC to their workstation’s system32 folder. All three of these are needed on a 2003 DC or the ADUC won’t open. However, on an XP machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll, otherwise you need all three.


adprop.dll (for object properties)
dsadmin.dll (ability to alter object properties)
dsprop.dll (for object properties related to directory services)


Then you can use PSEXEC (one of the PSTools available free at Microsoft) to remotely register the DLLs listed below on their workstation using the regsrv32.exe utility.


Download PsExec v1.98, by By Mark Russinovich, Published: April 28, 2009
http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx


psexec \\machinename regsvr32 adprop.dll
psexec \\machinename regsvr32 dsadmin.dll
psexec \\machinename regsvr32 dsprop.dll


Here are some screenshots:


Create Taskpads for Active Directory Operations:
http://www.petri.co.il/create_taskpads_for_ad_operations.htm



===============================================
For AD on Windows 2008 and newer:



You can use the method above, or you can use the ADAC & RSAT Tools.
Note: ADAC does not have a feature to break down specific tools to create a custom console as shown above.



Using ADAC (Active Directory Administration Center) and the RSAT tools:


For the Related links below for the new AD Admin Center. However, the Admin Center does not have the feature to break down just specific tools to create a custom console as shown above.


Active Directory Administrative Center: Getting Started
http://technet.microsoft.com/en-us/library/dd560651(WS.10).aspx


Active Directory Administrative Center — a New AD interface for Win7 and Win 2008
http://techibee.com/active-directory/active-directory-administrative-center-a-new-ad-interface-for-win7-and-win-2008/290


Learn New Features in Active Directory Administrative Center
http://www.enterprisenetworkingplanet.com/windows/article.php/3887136/Learn-New-Features-in-Active-Directory-Administrative-Center.htm


 


 


Corrections, suggestions, & comments are welcomed.


Ace Fekay