Access to AD by others / Delegating

March 24, 2005 12:34:55 PM

Archived from groups: microsoft.public.win2000.active_directory

I'm sure this is very simple... I hope someone could steer me in the right
direction...

I'm just now getting to the point where I'd like to start delegating control
of parts of AD. For example, I'd like to maintain a large Contacts library
in AD. And for our 4 locations, I'd like to give user control to someone
local.

I THINK that it looks simple enough to do this by either using the "Delegate
Control" feature on certain OU's, and / or setting the "managed by" fields
in the properties of OU's.

My question is, what is the best way for these users to get to AD. Do I
really have to have them log in to the server? Currently when I try to log
in with another user name (that has been delegated control of a certain OU)
via remote desktop, the server says that "local policy of the system does
not allow you to logon interactively". I'm sure this is just a permissions
thing easy enough to figure out, but I'd prefer to not have these users in
the server.

Is there not some sort of something I can load onto their XP machines that
give them only what they need from AD?

Thanks for any advice!
Tim

Anonymous
March 24, 2005 12:34:56 PM

"Tim" <tmiller@deppmann.com> wrote in message
news:eInBn6HMFHA.732@TK2MSFTNGP12.phx.gbl...
> I'm sure this is very simple... I hope someone could steer me in the right
> direction...

> My question is, what is the best way for these users to get to AD. Do I
> really have to have them log in to the server? Currently when I try to log
> in with another user name (that has been delegated control of a certain OU)
> via remote desktop, the server says that "local policy of the system does
> not allow you to logon interactively". I'm sure this is just a permissions
> thing easy enough to figure out, but I'd prefer to not have these users in
> the server.

There are essentially three strategies to "get to AD":

1) Remote Desktop->Terminal Services (or similar)

2) Log in locally (physically at the keyboard)

3) Run the AD Users/Computers from a workstation

> Is there not some sort of something I can load onto their XP machines that
> give them only what they need from AD?

For #3, you run the AdminPak.MSI on the workstation to
install the Admin tools.