Active Directory delegation best practices
Solution 1:
a) In order for the users to be able to perform these actions from their workstations, is there any other method other than installing the Remote Server and Administration Tools? Could I install only the 'Active Directory Users and Computers' snap-in somehow?
ADUC is part of RSAT. They need that installed unless they want to use the command-line net use commands, which wouldn't be very efficient.
b) Despite creating a custom AD snap-in using mmc.exe so the single OU to be managed is at the root, I was surprised to see that users still had read-access to the whole AD domain structure. Is this by design or have my permissions gone awry somewhere?
This is normal and expected. Almost nothing is secret in your AD and there's really no reason for it to be in most cases. Even if you didn't install ADUC for these users (or any users) they could still gather information about your domain using dsquery, net use, or the Get-AD* PowerShell cmdlets.
Don't worry, nothing's gone wrong. That's how it should be.
Solution 2:
Authenticated Users have READ permissions (along with a few other permissions) at the domain root by design. These permissions are inherited by all child objects in the domain (AFAIK) and are related to the operation of Active Directory, its functions and its objects. These permissions aren't directly related to Delegation of Authority.
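As an added example (not part of either answer above), the following PowerShell lists the ACEs on the domain root and on a delegated OU so you can see for yourself which entries came from delegation and which are the by-design read entries Solution 2 describes. It assumes the ActiveDirectory module from RSAT is installed (it provides the AD: drive) and uses a placeholder OU name.

```powershell
# Added example, not code from the original answers. Requires the RSAT
# ActiveDirectory module; the OU name below is a placeholder to replace.
Import-Module ActiveDirectory

$domainDn   = (Get-ADDomain).DistinguishedName
$targetOuDn = "OU=Helpdesk-Managed,$domainDn"   # placeholder: your delegated OU

# Flatten the ACL of one directory object into easy-to-filter rows.
function Get-AceSummary {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        [pscustomobject]@{
            Object     = $DistinguishedName
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.ActiveDirectoryRights
            Type       = $ace.AccessControlType
            Inherited  = $ace.IsInherited
            ObjectType = $ace.ObjectType   # GUID of the property/class the ACE is scoped to
        }
    }
}

# 1. The by-design Authenticated Users entries at the domain root.
Write-Host "== Authenticated Users ACEs at domain root ($domainDn) =="
Get-AceSummary -DistinguishedName $domainDn |
    Where-Object { $_.Identity -like '*Authenticated Users*' } |
    Format-Table Rights, Type, Inherited -AutoSize

# 2. Explicit (non-inherited) ACEs on the OU: these are what the
#    Delegation of Control wizard or a manual ACL edit added.
Write-Host "== Explicit (delegated) ACEs on $targetOuDn =="
Get-AceSummary -DistinguishedName $targetOuDn |
    Where-Object { -not $_.Inherited } |
    Format-Table Identity, Rights, Type, ObjectType -AutoSize

# 3. Every ACE on the OU that grants some form of read or list access,
#    with whether it was inherited, which explains the read access the
#    question observed even though only the OU was delegated.
Write-Host "== ACEs on $targetOuDn granting read/list access =="
Get-AceSummary -DistinguishedName $targetOuDn |
    Where-Object { $_.Type -eq 'Allow' -and $_.Rights.ToString() -match 'Read|List' } |
    Sort-Object Identity |
    Format-Table Identity, Rights, Inherited -AutoSize
```

Run it as a domain user with the delegated rights to confirm that the delegation shows up only in section 2 while the read entries in section 3 are present regardless of the delegation.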