Is it possible to prevent Active Directory users from appearing in LDAP searches?

Posted on 2008-11-07
Last Modified: 2013-12-24
We have archiving software and a policy in place that prevent us from purging old user accounts from our systems. However, we also have many systems that perform LDAP lookups against our directory for various reasons (directory harvesting, user lists, etc.).

I guess what I'm looking for is a way to prevent these users from appearing in LDAP searches. If it has to be restricted by permissions of the LDAP bind account, that's fine - but I'm not sure how to do that, or if it's even possible.

All the accounts for former employees are disabled and reside in an OU called "Former Employees". None of them have mailboxes on our Exchange, and they are not members of any groups other than Users.

Any assistance is greatly appreciated.
Question by:CharlesWalton

    Accepted Solution

    The only way I could think of doing it would be to deny read access to whatever bind account is trying to access these accounts. It won't work if your archiving solution uses the same bind account though, otherwise you'd be just as well off deleting the users from AD.

    I've never tested it before myself so I don't know if this will work for you, but you could try it. Just be extra careful about which accounts the deny permission gets added to.

    If you go into AD Users and Computers (make sure you have View->Advanced Features enabled) and right-click on the OU holding the disabled accounts, you should see a Security tab where you can add the bind account and deny it read access to the whole OU.
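    The same Deny ACE as a scripted, repeatable change, added here as an example and not part of the accepted answer; the OU distinguished name and the bind account name are placeholders, and it assumes the ActiveDirectory PowerShell module (which provides the AD: drive) is available. As the answer notes, the deny applies to every consumer that authenticates with that bind account, so the final lines re-read the ACL to confirm exactly which entries were written.

```powershell
# Added example, not from the original answer: deny an LDAP bind account Read
# access on the "Former Employees" OU so its searches stop returning those users.
Import-Module ActiveDirectory

$ouDn        = 'OU=Former Employees,DC=example,DC=com'   # assumed OU DN (placeholder)
$bindAccount = 'EXAMPLE\svc-ldap-lookup'                 # assumed bind account (placeholder)
$ouPath      = 'AD:\' + $ouDn

# Resolve the account to a SID; the ACE must reference a SecurityIdentifier.
$ntAccount = New-Object System.Security.Principal.NTAccount($bindAccount)
$sid       = $ntAccount.Translate([System.Security.Principal.SecurityIdentifier])

# Deny GenericRead on the OU and everything beneath it (inheritance = All).
# Deny entries take precedence over Allow entries, so this overrides the
# default read granted to Authenticated Users for objects in this OU only.
$aceArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $aceArgs

$acl = Get-Acl -Path $ouPath
$acl.AddAccessRule($ace)
Set-Acl -Path $ouPath -AclObject $acl

# Verify: show the Deny entries now present on the OU for this account.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference.Value -eq $bindAccount } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
```

    To confirm the effect, run an LDAP search for one of the disabled users while bound as that account; it should return no entries, while a search bound as an unaffected account still finds them.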

    Author Closing Comment

    You're a hero! I was looking for the security tab to give this a try, but I *ALWAYS* forget about the "Advanced Features" view.
    Thanks for your help!
