Active Directory membership

Posted on 2007-08-06
Last Modified: 2013-11-05
Is there a group or OU in Active Directory that would allow users to be authenticated via LDAP but not automatically allow them access to resources?
Question by:eva623

    Expert Comment

    by:Toni Uranjek

    There is a special group, "Authenticated Users", but you cannot add members to this group. Successfully authenticated users are automatically members of this group.
    Resources in an AD domain are not automatically accessible; you always have to share them first or set the correct permissions.


    Author Comment

    Thanks Toni,
    I've been asked to create secure access to a group of folks who want to authenticate to our domain in order to use one application - but we don't want them to have access to anything else.  Can I create an OU that doesn't have rights to anything except the application?  Do they have to be members of domain users?

    Accepted Solution

    Don't mix OUs with permissions. You should use security groups for configuring access to resources. Microsoft recommends using the A G DL P strategy: put user accounts in global groups, put global groups in domain local groups, and use domain local groups to assign permissions. If you use this strategy, you can be completely sure that they cannot access anything else.
    But it doesn't really matter whether these user accounts are part of Domain Users if you (for example) use the Everyone group for assigning permissions on shares and NTFS.

    Author Comment

    Thanks again.  I'll create user accounts and put them in a new global group and give them no permissions except the explicit ones they need.  I guess I'm afraid that my predecessors gave authenticated users rights to some resources - I guess we'll find out!
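
One way to check the concern raised at the end of this thread, as an added example that is not part of the original posts: list folders whose NTFS ACL allows access to groups that every authenticated account belongs to implicitly. The path `D:\Shares` and the depth are placeholder assumptions, `-Depth` needs PowerShell 5 or later, and share-level permissions are not covered and need a separate review.

```powershell
# Added example: audit NTFS ACLs for Allow entries granted to broad, implicit groups.
# Assumptions: $Root is a placeholder path; Get-ChildItem -Depth needs PowerShell 5+.
param(
    [string]$Root  = 'D:\Shares',
    [int]   $Depth = 2
)

# Well-known SIDs. Matching on SIDs avoids problems with localized group names.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}
$SidType = [System.Security.Principal.SecurityIdentifier]

function Get-BroadAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Ask for explicit and inherited rules with identities returned as SIDs.
    foreach ($ace in $acl.GetAccessRules($true, $true, $SidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $sid  = $ace.IdentityReference.Value
        $name = $BroadSids[$sid]
        # Domain Users is the domain SID followed by RID 513.
        if (-not $name -and $sid -match '^S-1-5-21-\d+-\d+-\d+-513$') {
            $name = 'Domain Users'
        }
        if ($name) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # False = set directly on this folder
            }
        }
    }
}

$folders = @(Get-Item -LiteralPath $Root) +
           @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -Depth $Depth -ErrorAction SilentlyContinue)

$folders |
    ForEach-Object { Get-BroadAce -Path $_.FullName } |
    Sort-Object Path, Principal |
    Format-Table -AutoSize
```

Rows with `Inherited` set to False mark the folders where the broad grant was actually made; replacing those entries with a domain local group, as the A G DL P answer describes, removes the implicit access for the application-only accounts.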
