Delegation of administration in AD
Hi, My environment is a Windows 2003 functional level domain, where I want to delegate a few administration tasks to a group whose members are users that I want to allow to create/modify user accounts etc. When I go through the wizard it all goes fine, however when I launch mmc as that delegated user and add the AD Users and Computers snap-in I'm surprised to see that this delegated user is able to see the whole domain structure, OUs, user information from all the OUs, not only the delegated OU. Is it by design? Or is it possible when delegating to prohibit in a way listing all the OUs?? Thank you
June 16th, 2012 4:47am

Hi, even if you do not delegate permissions, by default, all/any Domain Users can "read" the AD. Don
June 16th, 2012 5:24am

Create a taskpad for that delegated user. 1. Creating a taskpad and delegating several admin tasks. 2. Create Taskpads for Active Directory Operations. Thanks
June 16th, 2012 5:27am

If you would like to prevent users from viewing your OU structure, remove "Authenticated Users" from the OU security list. However, this action will cause GPO processing to fail and might cause other issues as well, and it's not a good practice. Press any key... What the ... Where's any key ? This posting is provided "AS IS" with no warranties or guarantees and confers no rights.
June 16th, 2012 5:27am

Hello, each domain user is able to read all information within AD; modifying is only possible for some settings. To create your own taskpad see http://jorgequestforknowledge.wordpress.com/2006/01/05/creating-a-taskpad-and-delegating-several-admin-tasks/ and http://support.microsoft.com/kb/555986 Be aware that if the adminpak or RSAT tools are installed on the computer, users are able to use them. Best regards Meinolf Weber MVP, MCP, MCTS Microsoft MVP - Directory Services My Blog: http://msmvps.com/blogs/mweber/ Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
June 17th, 2012 1:04pm

Hi,
> Is it by design so? or it's possible when delegating to prohibit in a way listing all the OU's??
Yes, it's by design. Authenticated Users have Read permission for each object. The Domain Users group is a member of the Authenticated Users group. The Read permission includes the List Contents, Read All Properties and Read Permissions sub-permissions. So each user in the domain can read all object information in the domain. It's not recommended to prohibit this permission. For more information please refer to the following MS articles: Active Directory Standard Permissions http://technet.microsoft.com/en-us/library/cc772834(v=WS.10).aspx Default groups http://technet.microsoft.com/en-us/library/cc756898(v=WS.10).aspx Delegate Control of an Organizational Unit http://technet.microsoft.com/en-us/library/cc732524.aspx Hope this helps! TechNet Subscriber Support If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here. Lawrence TechNet Community Support
June 18th, 2012 1:53am
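The Read permission described in the answer above (List Contents, Read All Properties, Read Permissions granted to Authenticated Users) can be audited rather than guessed at. The following PowerShell script is an added example, not code from the thread or from Microsoft: it walks every OU, reads its DACL from the AD: drive, and reports any OU where that default Allow ACE is missing or overridden by a Deny, which is exactly the state the earlier reply warns will break GPO processing. It assumes the ActiveDirectory module (RSAT) is installed and the session is domain-joined with ordinary read access; the function name Get-AuthUsersReadState is my own.

```powershell
# Added example (not from the thread): audit whether each OU still grants
# NT AUTHORITY\Authenticated Users the default Read sub-permissions.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

$AuthUsers = 'NT AUTHORITY\Authenticated Users'
$R = [System.DirectoryServices.ActiveDirectoryRights]
# List Contents = ListChildren, Read All Properties = ReadProperty,
# Read Permissions = ReadControl. GenericRead already contains all three bits,
# so an ACE granting GenericRead passes the mask test without special handling.
$ReadMask = [int]($R::ListChildren -bor $R::ReadProperty -bor $R::ReadControl)

function Get-AuthUsersReadState {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $acl  = Get-Acl -Path ("AD:\" + $DistinguishedName)
    # Inherited ACEs count too: the default grant normally comes from the domain head
    $aces = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $AuthUsers }
    $allow = 0; $deny = 0
    foreach ($ace in $aces) {
        $bits = [int]$ace.ActiveDirectoryRights
        if ($ace.AccessControlType -eq 'Allow') { $allow = $allow -bor $bits }
        else                                     { $deny  = $deny  -bor $bits }
    }
    [pscustomobject]@{
        OU          = $DistinguishedName
        ReadAllowed = (($allow -band $ReadMask) -eq $ReadMask)   # all three bits present
        ReadDenied  = (($deny  -band $ReadMask) -ne 0)           # any of them explicitly denied
        AceCount    = @($aces).Count
    }
}

# Walk every OU; any row with ReadAllowed=False or ReadDenied=True is an OU where
# someone removed or denied the default read, the change the thread advises against.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-AuthUsersReadState -DistinguishedName $_.DistinguishedName } |
    Where-Object { -not $_.ReadAllowed -or $_.ReadDenied } |
    Format-Table -AutoSize
```

An empty table means every OU still carries the default read grant; a healthy domain should produce no rows.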

Hi, I would like to confirm what the current situation is. Have you resolved the problem? If there is anything that we can do for you, please do not hesitate to let us know, and we will be happy to help. Lawrence TechNet Community Support
June 21st, 2012 4:59am

Hi, As this thread has been quiet for a while, we assume that the issue has been resolved. At this time, we will mark it as Answered as the previous steps should be helpful for many similar scenarios. If the issue still persists and you want to return to this question, please reply to this post directly so we will be notified to follow it up. You can also choose to unmark the answer as you wish. In addition, we'd love to hear your feedback about the solution. By sharing your experience you can help other community members facing similar problems. Thanks! Lawrence TechNet Community Support
June 27th, 2012 5:21am
