User Management Question

[Len A]

Is there a way I can make the users and comptuers manager (MMC snap in), or
better yet just an assigend sub-container, available to users on thier
desktops so that some can edit AD users without logging into the server?

I have users who I only want ot be able to manage users, nothing else.

 

[Herb Martin]

Is there a way I can make the users and comptuers manager (MMC snap in), or
better yet just an assigend sub-container, available to users on thier
desktops so that some can edit AD users without logging into the server?

You are always going to need to AUTHENTICATED them
(which is likely what you mean by "logging into the server).

You would have to give them "delegated permissions" to manage
those specific OUs which is possible (rather than making them
domain admins.)

I have users who I only want ot be able to manage users, nothing else.

That is generally possible by making someone an Account Operator
or (better) through SPECIFIC delegations that restricts it to specific
OUs and to specific management tasks (managing users etc.)

Take a look at what you see when you open AD Users and Computers,
right click, and choose DELEGATION of Control Wizard (put Account
Operators in the first dialog just to get past it so you can see how it
works....)

 

[Len A]

That was perfect for user control- thanks!!

I was hoping I could just give the users and computers MMC Snap in to a user
in a particular OU- they authenticate when they log on to the local machine.
I don't want to have to show them how to term services in to the server if I
don't have to!

I'd like to just put an icon on thier desktop....

 

[Herb Martin]

That was perfect for user control- thanks!!

I was hoping I could just give the users and computers MMC Snap in to a user
in a particular OU- they authenticate when they log on to the local

machine.

Correct. To logon to the their own machine they first authenticate
against the domain (when using a domain account.)

There are "Task Pads" -- I don't use these much, but you can
ask (perhaps in a new message) here, or just Google for that.

Task Pads allow you to focus the MMC Snap-ins on a particular
task or area and are likely pretty much what you are seeking.

I don't want to have to show them how to term services in to the server if I
don't have to!

MMCs work across the network just fine -- but you will
likely need to install AdminPak.msi (or at least some portions
of it) onto their computers because it has the server management
MMC components.

(It's on the DCs in %systemroot%\system32)

I'd like to just put an icon on thier desktop....

There are various ways to do that. (script, SMS, etc.)

 

[Len A]

Do you work for Microsoft? You are the most helpful person I have found in
this endeavor! A thousand thanks!

 

[Herb Martin]

Do you work for Microsoft?

No, but I used to work for Microsoft before I started
my own company.

You are the most helpful person I have found in
this endeavor! A thousand thanks!

You are quite welcome. And thank you for the kind
words.

Let us know if you need more help.