AD account admin delegation and moving all user accounts to an OU

[Ned]

Hello

I want to delegate the adding and removal of user accounts to a
secretary while restricting everything else including access to
Exchange attributes in AD and creation of mailboxes. I read that and OU
should be created and permissions delegated there. Can I move all my
users into an OU without causing problems? Can the delegation be done
this way?


Thanks
Ned Hart

 

[Joe Richards [MVP]]

If you allow someone to create an account natively they have full
control over the objects. If you don't want them to have that, use a
provisioning process of some sort.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Ned]

Thanks Joe. What do you mean by natively and by provisioning process?
Do you mean I should move the accounts into an OU?

thanks

 

[Joe Richards [MVP]]

Natively means someone can do something directly in AD via group
membership or delegation.

Provisioning means that they submit a request to some other product via
a tool or webpage and that other product verifies what is being
requested and then does it on behalf of the person who needs the work
done. This is done by custom stuff you write or third party tools you
can purchase.



--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm