

Active Directory membership

Posted on 2007-08-06
Medium Priority
Last Modified: 2013-11-05
Is there a group or OU in Active Directory that would allow users to be authenticated via LDAP but not automatically allow them access to resources?
Question by:eva623

Expert Comment

by:Toni Uranjek
ID: 19638742

There is a special group "Authenticated Users", but you cannot add members to this group. Successfully authenticated users are automatically members of this group.
Resources in an AD domain are not automatically accessible; you always have to share them first or set the correct permissions.


Author Comment

ID: 19638808
Thanks Toni,
I've been asked to create secure access to a group of folks who want to authenticate to our domain in order to use one application - but we don't want them to have access to anything else.  Can I create an OU that doesn't have rights to anything except the application?  Do they have to be members of domain users?

Accepted Solution

Toni Uranjek earned 1000 total points
ID: 19638863
Don't mix OUs with permissions. You should use security groups for configuring access to resources. Microsoft recommends using the A G DL P strategy: put user accounts in global groups, put global groups in domain local groups, and use domain local groups to assign permissions. If you use this strategy, you can be completely sure that they cannot access anything else.
But it doesn't really matter whether these user accounts are part of Domain Users if you (for example) use the Everyone group for assigning permissions on shares and NTFS.
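The A G DL P layout described in the accepted answer, written out as an added PowerShell example (this is not code from the original thread). It assumes the ActiveDirectory and SmbShare modules, a hypothetical domain CORP (corp.example.com), an OU named AppUsers, group names G_AppUsers and DL_AppData_Modify, and an application folder D:\AppData on the file server where the last two steps run. The OU only scopes delegation and GPOs; the only principal that ever appears in an ACL is the domain local group.

```powershell
# Added example, not from the original post. Hypothetical names: domain CORP,
# OU "AppUsers", groups G_AppUsers / DL_AppData_Modify, folder D:\AppData.
Import-Module ActiveDirectory

$ou     = 'OU=AppUsers,DC=corp,DC=example,DC=com'
$global = 'G_AppUsers'          # A -> G : accounts go here
$local  = 'DL_AppData_Modify'   # G -> DL: the global group nests here
$path   = 'D:\AppData'          # DL -> P: the permission lands here
$users  = @('jdoe', 'asmith')   # constructed sample accounts

# 1. Accounts. Placing them in the OU grants them nothing by itself.
foreach ($sam in $users) {
    $pw = Read-Host -AsSecureString "Initial password for $sam"
    New-ADUser -Name $sam -SamAccountName $sam -Path $ou `
        -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
}

# 2. Global group holds the accounts (A -> G).
New-ADGroup -Name $global -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $global -Members $users

# 3. Domain local group holds the global group (G -> DL).
New-ADGroup -Name $local -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity $local -Members $global

# 4. NTFS permission goes to the domain local group only (DL -> P).
#    Nothing here references Everyone, Authenticated Users or Domain Users,
#    so membership in those groups gives the new accounts no path to the data.
$acl  = Get-Acl -Path $path
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\$local", 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# 5. Share permission: restrict the share layer to the same group rather than
#    the usual Everyone/Full, so a later NTFS mistake is not exposed by the share.
New-SmbShare -Name 'AppData' -Path $path -FullAccess "CORP\$local"
```

Run steps 1 to 3 on a machine with RSAT and steps 4 and 5 on the file server itself. If the folder already inherits an ACE for Everyone or Authenticated Users from a parent, adding the domain local group does not remove it; that is exactly the inherited-access case the thread's next comment worries about.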

Author Comment

ID: 19638905
Thanks again.  I'll create user accounts and put them in a new global group and give them no permissions except the explicit ones they need.  I guess I'm afraid that my predecessors gave authenticated users rights to some resources - I guess we'll find out!
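One way to find out before the new accounts exist, as an added example that is not part of the original thread: enumerate every non-administrative share on a file server and report any Allow ACE, at the share level or anywhere in the NTFS tree beneath it, granted to the broad principals the new users will automatically belong to. It assumes Windows Server 2012 or later (SmbShare module), that it runs locally on the file server as an account that can read all ACLs, and the hypothetical domain name CORP for the Domain Users entry.

```powershell
# Added example, not from the original post. Assumes SmbShare module (2012+),
# run locally on the file server; "CORP" is a hypothetical domain name.
$broad = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Users',
    'CORP\Domain Users'
)

function Find-BroadNtfsAccess {
    param([string]$Root)
    # Root folder plus every subfolder; inherited ACEs are reported too so the
    # source of an unwanted grant (Inherited = False) can be located.
    $dirs = @(Get-Item -Path $Root) +
            @(Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue)
    foreach ($d in $dirs) {
        $acl = Get-Acl -Path $d.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                $broad -contains $ace.IdentityReference.Value) {
                [pscustomobject]@{
                    Layer     = 'NTFS'
                    Location  = $d.FullName
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

function Find-BroadShareAccess {
    # Skip the special shares (C$, ADMIN$, IPC$); report share-level grants,
    # then walk the NTFS tree under each share path.
    Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Where-Object { $_.AccessControlType -eq 'Allow' -and $broad -contains $_.AccountName } |
            ForEach-Object {
                [pscustomobject]@{
                    Layer     = 'Share'
                    Location  = "\\$env:COMPUTERNAME\$($share.Name)"
                    Principal = $_.AccountName
                    Rights    = $_.AccessRight
                    Inherited = $false
                }
            }
        Find-BroadNtfsAccess -Root $share.Path
    }
}

Find-BroadShareAccess | Sort-Object Layer, Location | Format-Table -AutoSize
```

Effective access is the more restrictive of the share and NTFS layers, so a share granting Everyone Full Control is only a finding if the NTFS tree under it also lists one of the broad principals; read the two layers together. The script reports only Allow entries; a Deny ACE for the same principal would override them, which is rare enough that it is better reviewed by hand than filtered away.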
