Limiting view of Active Directory Users and Computers

Tags: active-directory, delegation, windows-server-2012

I am delegating a group of users to a specific person to be able to keep up with their account management, and I have delegated them the authority to do this to just this group. Is there a way that I can also restrict that same person from viewing the group policies or other organizational units on the ADUC?

Thanks for your time in advance.

Best Answer

Yes, but it's complicated. What you need to do is put your domain in List Object mode. It's done by setting the third number in the dsHeuristics attribute in the configuration naming context to 1 in ADSI Edit.

http://technet.microsoft.com/en-us/library/cc546864.aspx

Once you've done that, you will unlock List Object mode, which you will see as a new permission or ACE that you can assign to Active Directory objects.

It's reminiscent of the "Bypass traverse checking" privilege in Windows security that allows a user to traverse a folder that they do not have permissions to in order to get to a folder that they do have permissions to.

You mostly see AD List Object mode used in multi-tenant environments where you have multiple customers sharing the same AD domain, and you don't want them to be able to see one another's stuff.

Keep in mind, though, that you'll run into Group Policy application errors on your clients unless you are very, very precise with your permissions. The GP engine on a client needs read gpLink, read gpOptions, read cn and read Distinguished Name on every OU in the chain from where they reside all the way up to the root of the domain, or else GPO application will fail.
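The two steps the answer describes, as an added PowerShell example (not the answerer's code): flip the third character of dsHeuristics to 1 without disturbing any other positional flags, then grant a single delegate the List Object right on one OU. The OU path and the account name `delegate` are assumed placeholders; it assumes the ActiveDirectory module and rights to write the Configuration partition.

```powershell
# Added example, not from the original answer. Run as an account that can
# modify the Configuration NC (Enterprise Admins).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

function Set-DsHeuristicsChar {
    param(
        [AllowEmptyString()][string]$Current,  # existing value ('' if unset)
        [int]$Position,                         # 1-based slot; List Object = 3
        [char]$Value
    )
    # dsHeuristics is positional: pad with '0' so an unset or short value
    # still lands the flag in slot 3 and earlier slots keep their meaning.
    $chars = $Current.PadRight($Position, '0').ToCharArray()
    $chars[$Position - 1] = $Value
    return -join $chars
}

# Step 1: enable List Object mode (third character = 1)
$ds  = Get-ADObject -Identity $dsPath -Properties dsHeuristics
$old = if ($ds.dsHeuristics) { [string]$ds.dsHeuristics } else { '' }
$new = Set-DsHeuristicsChar -Current $old -Position 3 -Value '1'
if ($old -ne $new) {
    Write-Host "dsHeuristics: '$old' -> '$new'"
    Set-ADObject -Identity $dsPath -Replace @{ dsHeuristics = $new }
}

# Step 2: grant the delegate List Object on only the OU they manage.
# Both the OU DN and the account name are assumed placeholders.
$ou   = 'OU=DelegatedUsers,DC=example,DC=com'
$sid  = (Get-ADUser -Identity 'delegate').SID
$acl  = Get-Acl -Path "AD:\$ou"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ListObject,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl
```

After the change, check Group Policy on a test client in that OU first: the engine still needs the read rights on gpLink, gpOptions, cn and Distinguished Name up the OU chain that the answer lists.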