spengler
asked on
Restricting Users from using the Advanced Security Settings Dialog on client workstations
I would like to disable a user's ability to search or list objects from the Active Directory. Our current directory includes private user information that users should not be able to see, yet we need to continue to store it in the user's description field. I have tried to deny the group containing all users at the top of the domain tree (which does prevent it), but when doing this the policy GPO scripts do not run. These scripts configure drive mappings and printer configurations automatically along with several other policies.
Optimally I would simply like to disable the Security Tab shown at the top of all object properties along with all active directory searching for identified users?
ASKER
Unfortunately, users are given PowerUser status due to the software running on the system.
>>due the software running on the system
Do you mean making them restricted users will prevent the software from working?
What is the software that will need credentials to work?
ASKER
AutoCAD, 3DStudio, GMAX. I basically want to keep them as power users but restrict them from seeing a list of ADS objects or doing any ADS searches.
I think you need to play with GP template, read this please for more details:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/seconfig.mspx
ASKER
I found this article.
http://support.microsoft.com/?kbid=303153
Disable the Security Tab
To disable the Security tab from Windows 2000 Professional-based workstations that are members of a Windows 2000 domain:
1. Start Active Directory Users and Computers.
2. Right-click the domain, and then click Properties.
3. Click the Group Policy tab on the domain properties dialog box to view the default domain policy.
4. Click New. New Group Policy Object should appear in the list of objects. Rename this Policy to Remove Security Tab. Make sure this policy is positioned directly under the default domain policy.
5. Click Remove Security Tab, and then click Edit to start the Group Policy Editor.
6. Expand Computer Configuration, Windows Settings, Security Settings, and then click Registry.
7. Right-click in the left pane, and then click Add Key.
8. Paste the following key in the text box, and then click OK:
CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}
Note that there may be a delay before you can proceed to the next step, and this is normal.
9. The Database Security Editor appears. You need to add the user or group that you want the Security tab to be removed from.
10. Change the permission on this key for the users and/or groups that you added in the previous step to "Deny Read." This prevents the user from being able to instantiate the needed components to display the Security and Sharing tabs. Click OK twice to complete the settings and exit the Group Policy Editor.
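A check an administrator can run on a workstation after the policy above has applied, to confirm that the Deny Read entry actually landed on the key from step 8. This is an added example, not part of the original post or the KB article; it assumes a workstation with PowerShell 3.0 or later (the Windows 2000 systems the article targets do not ship it), and the group name and the Test-DenyRead function name are placeholders.

```powershell
# Added example: verify the Deny-Read ACE that the "Remove Security Tab" GPO
# should place on the key from step 8. Run elevated, after policy refresh.
$KeyPath = 'Registry::HKEY_CLASSES_ROOT\CLSID\{1F2E5C40-9550-11CE-99D2-00AA006E086C}'
# Assumption: placeholder for the user or group added in step 9.
$TargetGroup = 'EXAMPLE\Restricted-Workstation-Users'

function Test-DenyRead {
    param(
        [Parameter(Mandatory)] [string] $LiteralPath,
        [Parameter(Mandatory)] [string] $Identity
    )
    $readKey = [int][System.Security.AccessControl.RegistryRights]::ReadKey
    $acl = Get-Acl -LiteralPath $LiteralPath -ErrorAction Stop

    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Deny') { continue }
        if ($ace.IdentityReference.Value -ne $Identity) { continue }

        $raw = [int]$ace.RegistryRights
        # An ACE may carry generic bits instead of key-specific ones:
        # GENERIC_READ (0x80000000) or GENERIC_ALL (0x10000000).
        $generic  = (($raw -band 0x80000000) -ne 0) -or (($raw -band 0x10000000) -ne 0)
        # Otherwise the ACE must cover every bit that makes up ReadKey.
        $specific = (($raw -band $readKey) -eq $readKey)

        if ($generic -or $specific) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.RegistryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$found = @(Test-DenyRead -LiteralPath $KeyPath -Identity $TargetGroup)
if ($found.Count -eq 0) {
    Write-Warning "No Deny-Read ACE for $TargetGroup on $KeyPath; the GPO has not applied here."
} else {
    $found | Format-Table -AutoSize
}
```

An empty result on a machine that should be covered usually means the GPO is not linked or filtered to that computer, since the setting lives under Computer Configuration.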
I should give you Good answer. You put your hands on the answer, but remember that this solution is applied for win2k workstations; who knows, it might work for winxp. Give it a shot and let us know.
Good luck.
Naser
Rather than putting users in the power user group, why not try making your own group? I originally had all users in a very small network in the admin group to get software to run properly, but once I made my own groups these issues were resolved. Not sure how this would affect their ability to search AD; you'd have to give it a try.
Hi spengler,
It's been a long time since you asked the question. Are you still working on this? Was the information provided helpful? Have you found a solution? Do you need more information?
If any of the above answers gave you the solution, please accept the answer with the appropriate grade you see.
Please let us know, we appreciate your reply.
Naser
ASKER CERTIFIED SOLUTION
So, the question is "in which group are those users you are worried to make them able to see the security tab?"