Hide non-delegated objects in AD...

[thatguy]

Hello--

We have a terminal server hosting applications for several clients. We're organizing things by putting each client's users into their own OU. One of these clients has reqested control over their OU and the users/groups in there. I understand the whole delegation thing and can give him control over his OU, but I would like to hide every other object that he does not have control over (the Domain Controllers, Computers, Builtin folders, other client OUs, etc). Of course he doesn't have permission to edit anything in these other folders, but is there any way to let him see only the OU under his control?

Thanks

 

[thatguy]

Sorry.. I posted too quick.. found the answer after a li'l more searching.

The solution I'm going with is here, posted by NickFerrar.

A custom MMC will probably give you what you need. Just start up a blank MMC, add the AD U&C snap-in to it, browse to the OU where your user accounts are then from the console menu select 'Options...' and change the mode to 'User mode - limited access, single window' and untick the box allowing them to customise the view.

In combination with delegated rights they should see a lot less of the AD and have a lot fewer functions available to them on right-click menus.