Note- this was put together and fast published and there may be errors. Check back for updates when I add RSAT info.
Ace here again. Yep, me again. This scenario comes up time to time. Sure, you can use the RSAT tools, but here an old fashioned, truly tried method that works nicely so a delegated OU admin can only see and do what they need to do in their OU.
After you Delegate Permissions in to a limited admin in Active Directory, such as the ability to reset passwords, you may want to create a custom ADUC MMC (console or custom taskpad) for the delegated admin to control the portion of AD (the OU) they are allowed or delegated in.
For Windows 2003 AD – but it will work in 2008 and newer
The last time I set this up for a customer, involved a snap-in for each ‘location’ OU, I allowed to retain the rt-click context, and the tree view available in the custom console (left pane and right pane), but I removed everything else including the file menu buttons and such. So under View, Customize, uncheck everything except the top one that says Console Tree. This way they can’t go up level or click any of the things in there. But they will have the right-click feature.
You can also choose to remove the left hand pane (tree view).
MMC v2 and v3 are the same:
- Start/run/mmc, hit enter
- File, Add-Remove Snap-in, Add ADUC
- Drill down under the domain to the OU you want.
- Right-click on that OU, choose new window from here.
- A new window pops up with the OU in the left pane and the contents in the right pane.
- Close the original ADUC window leaving the new window open that you’ve just created.
- Expand the window to take up the whole console. – This will keep them in this section and they will not be able to go up levels and are ‘stuck’ in this OU.
- Select View/Customize
- Uncheck everything but Console Tree.
- File/Options Choose Console Mode, then select:
User mode: Limited Access single window
Check: Do not Save Changes to this console
Uncheck: Allow the user to customize views
- Logon as a test user that was delegated permissions and test it.
If you want to eliminate the ability for the delegated admin to right-click on a user account, uncheck the Console Tree above, then change the console view by right-clicking on the OU, choose New Task View, and choose a vertical or horizontal list, then choose to create a new task, menu command, highlight a user account, choose reset password, or anything else in the right column, choose an icon, and finish.
Copy the .MSC file via a UNC connected to the delegated person’s XP workstation’s \Documents and Settings\username\desktop folder, or if Windows Vista or newer, in the C:\users\username\desktop folder.
Keep in mind, the Active Directory Administration Center, RSAT tools or AdminPak tools, depending on what operating system version the client side is, needs to be installed on the workstation for the ADUC binaries to be available for this task pad to work.
For Windows 2003/Windows XP using the AdminPak tools just for the ADUC snap-in, nothing else:
Copy over the following three DLLS from the 2003 or newer DC you are on, to their client’s system32 folder. All three of these are needed on a 2003 DC or newer, or the ADUC won’t open. However, on an XP or newer machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll, otherwise you need all three.
- adprop.dll (for object properties)
- dsadmin.dll (ability to alter object properties)
- dsprop.dll (for object properties related to directory services)
Then you can use PSEXEC (one of the PSTools available free at Microsoft) to remotely register the DLLs listed below on their workstation using the regsrv32.exe utility.
Download PsExec v1.98, by By Mark Russinovich, Published: April 28, 2009
- psexec \\machinename regsvr32 adprop.dll
- psexec \\machinename regsvr32 dsadmin.dll
- psexec \\machinename regsvr32 dsprop.dll
Here are some screenshots at the following link:
Create Taskpads for Active Directory Operations:
For AD on Windows 2008 and newer:
You can use the ADAC & RSAT Tools, or you can use the above method.
Note: ADAC does not have a feature to break down specific tools to create a custom console as shown above.
For the Active Directory Administration Center and the RSAT tools:
For the Related links below for the new AD Admin Center. However, the Admin Center does not have the feature to break down just specific tools to create a custom console as shown above.
Active Directory Administration Center (ADAC):
Active Directory Administrative Center: Getting Started
Active Directory Administrative Center — the New AD interface
Learn New Features in Active Directory Administrative Center
Remote Server Administration Tools (RSAT) for Windows operating systems (Discusses how to install it for all versions of Windows)
Remote Server Administration Tools for Windows 10
Customizing – Installing Remote Server Administration Tools (RSAT) for Windows 7
Remotely managing your Server Core using RSAT
I hope this helps!
Last updated – 2/2006, updated 9/20/2016
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.