
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 389

Is it possible to prevent Active Directory users from appearing in LDAP searches?

We have an archiving software and policy in place that prevents us from purging old user accounts from our systems. However, we also have many systems that perform LDAP lookups against our directory for various reasons (directory harvesting, user lists, etc.).

I guess what I'm looking for is a way to prevent these users from appearing in LDAP searches. If it has to be restricted by permissions of the LDAP bind account, that's fine - but I'm not sure how to do that, or if it's even possible.

All the accounts for former employees are disabled and reside in an OU called "Former Employees". None of them have mailboxes on our Exchange, and they are not members of any groups other than Users.

Any assistance is greatly appreciated.
1 Solution
The only way I could think of doing it would be to deny read access to whatever bind account is trying to access these accounts. It won't work if your archiving solution uses the same bind account though, otherwise you'd be just as well off deleting the users from AD.

I've never tested it before myself so I don't know if this will work for you, but you could try it. Just be extra careful about which accounts get added the deny permission.

If you go into AD Users and Computers (make sure you have View->Advanced Features enabled) and right-click on the OU holding the disabled accounts, you should see a Security tab, and you can add the bind account and deny read access to the whole OU.
CharlesWalton (Author) Commented:
You're a hero! I was looking for the security tab to give this a try, but I *ALWAYS* forget about the "Advanced Features" view.
Thanks for your help!
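
The same change as the Security tab steps in the accepted solution, scripted and followed by a check run as the bind account. This is an added example, not part of the original thread; the domain components `DC=example,DC=com`, the account name `svc-ldap-lookup`, and the backup file name are placeholders to replace with your own values.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not from the thread): adjust to your directory.
$ouDn        = 'OU=Former Employees,DC=example,DC=com'
$bindAccount = 'svc-ldap-lookup'   # the LDAP lookup account, NOT the archiving account

$sid  = (Get-ADUser -Identity $bindAccount).SID
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# Keep a copy of the current security descriptor so the change can be reverted.
$acl.Sddl | Set-Content -Path '.\FormerEmployees-acl-backup.sddl.txt'

# Deny Read (ReadControl, ListChildren, ReadProperty, ListObject) on the OU
# and everything beneath it, for the bind account only.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify as the bind account: a domain-wide search should return no object
# from the OU. Enter the account as DOMAIN\name if your environment needs it.
$cred   = Get-Credential -UserName $bindAccount -Message 'Bind account password'
$leaked = Get-ADUser -Filter * -Credential $cred |
    Where-Object { $_.DistinguishedName -like "*,$ouDn" }

if ($leaked) {
    Write-Warning "$(@($leaked).Count) account(s) in the OU are still visible to $bindAccount"
    $leaked | Select-Object SamAccountName, DistinguishedName
} else {
    Write-Output "No accounts under '$ouDn' are visible to $bindAccount"
}
```

The verification step matters because explicit allow entries on individual objects are evaluated before inherited deny entries, so confirm the result with the bind account itself rather than relying on the OU's ACL alone.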
