Deny read access for all properties in Active Directory

I'm using a piece of software that checks the entire AD for expiring user accounts.  The software runs as a service, and with a user account set up just for this purpose.  I am trying to limit which accounts the software checks by denying read access on certain OUs.

I have tried to deny the SWService user account read access to the Active Directory in every area I can think of, but certain read permissions persist.

The software is running on a domain controller.  The user account is a member of Domain Users and Administrators (builtin).  If I remove the user from administrators, the service will not start.  I'm not sure if membership in administrators is causing this or not.

The server that the software is running on is Windows Server 2008.  The domain is at Windows 2003 functional level.


Mike Kline Commented:
By default, authenticated users have read access; take a look at this question I was a part of last year

...not recommended to change it.

I'd contact the software vendor.  No way that should need admin rights just to read properties on AD accounts.  I wonder why it is needed.



callit (Author) Commented:
After performing my own research, I'm coming to the same conclusion.  It looks like the only way to accomplish what I'm trying to do would be to change the schema or change the permission on every user account.

Here's the article I found:

From the article:

"When someone connects to Active Directory to perform an operation, it reads the ACL of the targeted entries and processes the ACEs in the following order:

Deny on current entry,
Allow on current entry,
Deny from parent entries,
Allow from parent entries."

This is contrary to what I thought I knew about permissions.  I thought denies were always evaluated first.
callit (Author) Commented:
Also, the software doesn't need admin rights to read from the directory.  The manufacturer suggested I make it a domain user.  They do claim the software needs admin rights on the local box however.  It was my decision to install it directly on the DC.
callit (Author) Commented:
I've followed up on this a bit - here's what I've found:

I moved the software to a member server.  I deleted and recreated the account for good measure.  I made the account a member of domain users.  I made the account a member of Administrators (local) on the member server.

I set the deny list contents, deny read all properties, and deny read permissions on the OUs that I do not want the service to see.  I logged in as the service user account, and was able to verify that it could not see the OUs in question.  

This may have been an issue with installing the software on the DC itself, or the account being a member of the DC builtin administrators group.
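
The evaluation order quoted earlier and the OU-level deny described in this follow-up, as an added example that is not part of the original thread and not the vendor's code: a simplified Python model of ordered ACE evaluation. The ACLs, the token and the names `Ace`, `canonical`, `access_check` and `demo` are constructed for illustration; only the three access-mask values are real Active Directory rights.

```python
# Simplified model of ordered ACE evaluation (added example, constructed data).
from dataclasses import dataclass

# Real access-mask bits: List Contents, Read Property, Read Permissions.
LIST_CONTENTS, READ_PROP, READ_CONTROL = 0x4, 0x10, 0x20000

@dataclass(frozen=True)
class Ace:
    allow: bool      # True = allow ACE, False = deny ACE
    trustee: str     # account or group the ACE applies to
    mask: int        # access bits covered by this ACE
    inherited: bool  # True if the ACE came from a parent container

def canonical(aces):
    """Order from the quoted article: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))

def access_check(aces, token, wanted):
    """Walk ACEs in order. A deny that hits a still-needed bit fails the
    request; allows accumulate until every requested bit is granted."""
    remaining = wanted
    for ace in canonical(aces):
        if ace.trustee not in token:
            continue
        if not ace.allow and ace.mask & remaining:
            return False
        if ace.allow:
            remaining &= ~ace.mask
        if remaining == 0:
            return True
    return False  # bits never granted are implicitly denied

# Constructed token for the service account (assumed group memberships).
TOKEN = {"SWService", "Authenticated Users", "Domain Users"}
ALL_READ = LIST_CONTENTS | READ_PROP | READ_CONTROL

# Constructed OU ACL: the deny is set directly on the OU (explicit).
OU_ACL = [Ace(True, "Authenticated Users", ALL_READ, False),
          Ace(False, "SWService", ALL_READ, False)]
# Constructed user-object ACL: explicit read allow, deny only inherited.
USER_ACL = [Ace(True, "Authenticated Users", READ_PROP | READ_CONTROL, False),
            Ace(False, "SWService", READ_PROP | READ_CONTROL, True)]

def demo():
    return {"list_ou": access_check(OU_ACL, TOKEN, LIST_CONTENTS),
            "read_user": access_check(USER_ACL, TOKEN, READ_PROP)}

if __name__ == "__main__":
    print(demo())
```

With these constructed ACLs the service account is refused List Contents on the OU, while on the user object the explicit allow is reached before the inherited deny.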
Mike Kline Commented:
Good work and thanks for the updated info. I'm with you...don't usually install software on the DC.