Access to AD by others / Delegating

  • Thread starter Thread starter Tim
  • Start date Start date
T

Tim

I'm sure this is very simple... I hope someone could steer me in the right
direction...

I'm just now getting to the point where I'd like to start delegating control
of parts of AD. For example, I'd like to maintain a large Contacts library
in AD. And for our 4 locations, I'd like to give user control to someone
local.

I THINK that it looks simple enough to do this by either using the "Delegate
Control" feature on certain OU's, and / or setting the "managed by" fields
in the properties of OU's.

My question is, what is the best way for these users to get to AD. Do I
really have to have them log in to the server? Currently when I try to log
in with another user name (that has been delegated control of a certain OU)
via remote desktop, the server says that "local policy of the system does
not allow you to logon interactively". I'm sure this is just a permissions
thing easy enough to figure out, but I'd prefer to not have these users in
the server.

Is there not some sort of something I can load onto their XP machines that
give them only what they need from AD?

Thanks for any advise!
Tim
 
Tim said:
I'm sure this is very simple... I hope someone could steer me in the right
direction...
Click to expand...
My question is, what is the best way for these users to get to AD. Do I
really have to have them log in to the server? Currently when I try to log
in with another user name (that has been delegated control of a certain OU)
via remote desktop, the server says that "local policy of the system does
not allow you to logon interactively". I'm sure this is just a permissions
thing easy enough to figure out, but I'd prefer to not have these users in
the server.
Click to expand...

There are essentially three strategies to "get to AD":

1) Remote Desktop->Terminal Services (or similar)

2) Login locally (physically at the keyboard)

3) Run the AD Users/Computers from a workstation
Is there not some sort of something I can load onto their XP machines that
give them only what they need from AD?
Click to expand...

For #3, you run the AdminPak.MSI on the workstation to
install the Admin tools.
 
Back
Top