Access to AD by others / Delegating

T

Tim

I'm sure this is very simple... I hope someone could steer me in the right
direction...

I'm just now getting to the point where I'd like to start delegating control
of parts of AD. For example, I'd like to maintain a large Contacts library
in AD. And for our 4 locations, I'd like to give user control to someone
local.

I THINK that it looks simple enough to do this by either using the "Delegate
Control" feature on certain OU's, and / or setting the "managed by" fields
in the properties of OU's.

My question is, what is the best way for these users to get to AD. Do I
really have to have them log in to the server? Currently when I try to log
in with another user name (that has been delegated control of a certain OU)
via remote desktop, the server says that "local policy of the system does
not allow you to logon interactively". I'm sure this is just a permissions
thing easy enough to figure out, but I'd prefer to not have these users in
the server.

Is there not some sort of something I can load onto their XP machines that
give them only what they need from AD?

Thanks for any advise!
Tim
 
H

Herb Martin

Tim said:
I'm sure this is very simple... I hope someone could steer me in the right
direction...
Click to expand...
My question is, what is the best way for these users to get to AD. Do I
really have to have them log in to the server? Currently when I try to log
in with another user name (that has been delegated control of a certain OU)
via remote desktop, the server says that "local policy of the system does
not allow you to logon interactively". I'm sure this is just a permissions
thing easy enough to figure out, but I'd prefer to not have these users in
the server.
Click to expand...

There are essentially three strategies to "get to AD":

1) Remote Desktop->Terminal Services (or similar)

2) Login locally (physically at the keyboard)

3) Run the AD Users/Computers from a workstation
Is there not some sort of something I can load onto their XP machines that
give them only what they need from AD?
Click to expand...

For #3, you run the AdminPak.MSI on the workstation to
install the Admin tools.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

Delegating Control in AD 2
Delegating Administration 1
Delegating Administrative rights to OU's 5
delegating ADD computer rights to helpdesk 1
Delegating Control 1
Delegating the right to force AD Site replication 6
AD Delegation 7
Delegating Control... 7

Top