wfloke
asked on
AD enquiry
I would like to make an enquiry regarding AD.
If someone other than the IT dept staff has good IT knowledge, knows how to install the adminpak tool, and also knows how to check the domain controller hostname or IP, am I right to say that the person will be able to browse/list what's stored in the AD?
Is there any way to control this, whereby the person is not able to view the AD content even if the person manages to install the adminpak or knows the domain controller hostname/IP?
Thanks a lot for any advice.
What do you want to hide? You can make a "deny read" group, put in it the users that should not be able to read, i.e., an OU, and at the OU level deny read to this OU (this can be a mess if you have a large domain tree).
Users need to be able to read the OU their own user object is located in and also the default domain policy.
I once tested in a lab denying authenticated users reading the domain root. Not a success :)
SG
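The "deny read" group approach described in the answer above, as an added PowerShell example that is not part of the original post. The OU path and group name are hypothetical placeholders, and the script assumes the ActiveDirectory module (RSAT) and rights to modify the OU's ACL.

```powershell
# Added example: $ouDn and $groupName are hypothetical placeholders.
Import-Module ActiveDirectory   # also provides the AD: drive used below

$ouDn      = 'OU=Restricted,DC=example,DC=com'   # OU whose content should be hidden
$groupName = 'Deny-Read-Restricted'              # the "deny read" group

# Do not apply this to the OU that holds the denied users' own accounts:
# users must still be able to read the OU their user object is located in.

# Create the group if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) {
    $group = New-ADGroup -Name $groupName -GroupScope DomainLocal `
                         -GroupCategory Security -PassThru
}

# Build a Deny / GenericRead ACE for the group that applies to the OU
# itself and to every object below it.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group.SID,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Append the ACE to the OU's existing ACL and write it back.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review the result: list every explicit or inherited Deny ACE on the OU.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
```

Users added to the group pick up the deny only after their next logon, when the new group membership appears in their access token.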
You can remove this default Auth Users-->Read ACL at the domain root, but it is a non-trivial operation that has significant implications for application compatibility, most notably Exchange and Group Policy processing, and as such needs to be strenuously tested in a lab environment before attempting to do so in a production domain.