Is it possible to prevent Active Directory users from appearing in LDAP searches?

We have archiving software and a policy in place that prevents us from purging old user accounts from our systems. However, we also have many systems that perform LDAP lookups against our directory for various reasons (directory harvesting, user lists, etc.).

I guess what I'm looking for is a way to prevent these users from appearing in LDAP searches. If it has to be restricted by permissions of the LDAP bind account, that's fine - but I'm not sure how to do that, or if it's even possible.

All the accounts for former employees are disabled and reside in an OU called "Former Employees". None of them have mailboxes on our Exchange, and they are not members of any groups other than Users.

Any assistance is greatly appreciated.
CharlesWalton Asked:

SweetJ21 Commented:
The only way I could think of doing it would be to deny read access to whatever bind account is trying to access these accounts. It won't work if your archiving solution uses the same bind account though, otherwise you'd be just as well off deleting the users from AD.

I've never tested it before myself, so I don't know if this will work for you, but you could try it. Just be extra careful about which accounts get the Deny permission added.

If you go into AD Users and Computers (make sure you have View -> Advanced Features enabled) and right-click the OU holding the disabled accounts, you should see a Security tab where you can add the bind account and deny it Read access to the whole OU.
0
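The same change scripted, as an added example that is not part of the original thread. It applies the Deny ACE that the answer above describes from the ADUC Security tab, then checks it from both sides: the ACL on the OU, and a subtree search run as the bind account. The OU distinguished name (OU=Former Employees,DC=corp,DC=example) and the bind account (CORP\svc-ldap-lookup) are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Assumptions:
#   OU holding the disabled accounts: OU=Former Employees,DC=corp,DC=example
#   LDAP bind account used by the lookup systems: CORP\svc-ldap-lookup
# Run as an account allowed to modify the OU's security descriptor.
Import-Module ActiveDirectory   # provides the AD:\ drive used by Get-Acl / Set-Acl

$ouDN    = 'OU=Former Employees,DC=corp,DC=example'
$domain  = 'DC=corp,DC=example'
$bind    = New-Object System.Security.Principal.NTAccount('CORP', 'svc-ldap-lookup')
$ouPath  = "AD:\$ouDN"

# 1. Add a Deny ACE for the bind account only. GenericRead covers
#    List Contents, Read All Properties and Read Permissions; inheritance
#    "All" puts it on the OU and on every object beneath it.
$acl  = Get-Acl -Path $ouPath
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $bind,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 2. Check the ACL: the Deny entry should now be listed for the bind account.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.IdentityReference -eq $bind } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType

# 3. Check from the bind account's point of view: run a domain-wide subtree
#    search with its credentials and look for anything under the OU.
#    Expected result: nothing is returned for the former employees.
$cred = Get-Credential -UserName 'CORP\svc-ldap-lookup' -Message 'LDAP bind account password'
$seen = Get-ADUser -Credential $cred -Filter * -SearchBase $domain |
    Where-Object { $_.DistinguishedName -like "*,$ouDN" }
if ($seen) {
    "Still visible to the bind account:"
    $seen | Select-Object -ExpandProperty DistinguishedName
} else {
    "No objects under '$ouDN' are visible to $($bind.Value)."
}
```

Two points to keep in mind when you run this. Inherited Deny entries rank below explicit Allow entries on the user objects themselves, so an object that carries an explicit Allow for the bind account (or one of its groups) can still have properties readable; the part that stops the objects from being enumerated in a subtree search is the Deny of List Contents on the OU itself, which this rule includes. And, as the answer says, if the archiving system binds with the same account, it will stop seeing these accounts too, so use a dedicated bind account per consumer before applying the Deny.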

CharlesWalton (Author) Commented:
You're a hero! I was looking for the security tab to give this a try, but I *ALWAYS* forget about the "Advanced Features" view.
Thanks for your help!
0