We help IT Professionals succeed at work.

Restricting Users from using the Advanced Security Settings Dialog on client workstations

spengler
spengler asked
on
212 Views
Last Modified: 2010-03-18
I would like to disable a users ability to search or list objects from the Active Directory.  Our current directory includes private user information that users should not be able to see yet we need to continue to store it in the users description field.  I have tried to deny the group containing all users at the top of the domain tree (which does prevent it) but when doing this the policy GPO scripts do not run.  These scripts configure drive mappings and printer configurations automatically along with several other policies.

Optimally I would simply like to disable the Security Tab shown at the top of all object properties along with all active directory searching for identified users?

Comment
Watch Question

Naser GabajE&P Senior Software Specialist
CERTIFIED EXPERT

Commented:
By default when you join a user to the domain he become a restricted user, which means he will not be able to see the "security tab", unless you grant him this right.

So, the question is "in whcih group those users you are worried to make them able to see the security tab?"

Author

Commented:
Unfortunately Users are give PowerUser status due the software running on the system.
Naser GabajE&P Senior Software Specialist
CERTIFIED EXPERT

Commented:
>>due the software running on the system
Do mean making them restricted users will prevent the software from being working?

What is the software thar will need credentials to be working?

Author

Commented:
AutoCAD, 3DStudio, GMAX.  I basically want to keep them as power users but restrict them from seeing a list of ADS objects or doing any ADS searches.
Naser GabajE&P Senior Software Specialist
CERTIFIED EXPERT

Commented:
I think you need to play with GP template, read this please for more details:

http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx

Author

Commented:
I found this article.

http://support.microsoft.com/?kbid=303153

Disable the Security Tab
To disable the Security tab from Windows 2000 Professional-based workstations that are members of a Windows 2000 domain: 1. Start Active Directory Users and Computers.
2. Right-click the domain, and then click Properties.
3. Click the Group Policy tab on the domain properties dialog box to view the default domain policy.
4. Click New. New Group Policy Object should appear in the list of objects. Rename this Policy to Remove Security Tab. Make sure this policy is positioned directly under the default domain policy.
5. Click Remove Security Tab, and then click Edit to start the Group Policy Editor.
6. Expand Computer Configuration, Windows Settings, Security Settings, and then click Registry.
7. Right-click in the left pane, and then click Add Key.
8. Paste the following key in the text box, and then click OK:
CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
Note that there may be a delay before you can proceed to the next step, and this is normal.  
9. The Database Security Editor appears. You need to add the user or group that you want the Security tab to be removed from.
10. Change the permission on this key for the users and/or groups that you added in the previous step to "Deny Read." This prevents the user from being able to instantiate the needed components to display the Security and Sharing tabs. Click OK twice to complete the settings and exit the Group Policy Editor.

Naser GabajE&P Senior Software Specialist
CERTIFIED EXPERT

Commented:
I should give you Good answer. you put your hands on the answer, but remember that this solution is applied for win2k workstation, who knows it might work for winxp, give it a a shot and let us know,

Good luck.

Naser

Commented:
Rather than putting users in the power user group why not try maing your own group - i originally had all users in a very small network in te admin group to get software to run properly but once i made my own groups these issues where resolved - not sure how this would effect their ability to search AD - youd have to give it a try
Naser GabajE&P Senior Software Specialist
CERTIFIED EXPERT

Commented:
Hi spengler,

It's long time since you asked the Question; Are you still working on this? Was the information provided helpful? Have you found a solution? Do you need more information?

If any of the above answers gave you the solution, please accept the answer with the appropriate grade you see.

Please let us know, we appreciate your reply.

Naser
Commented:
This one is on us!
(Get your first solution completely free - no credit card required)
UNLOCK SOLUTION

Gain unlimited access to on-demand training courses with an Experts Exchange subscription.

Get Access
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Empower Your Career
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE

Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Unlock the solution to this question.
Join our community and discover your potential

Experts Exchange is the only place where you can interact directly with leading experts in the technology field. Become a member today and access the collective knowledge of thousands of technology experts.

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.