[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Limit AD querying ability / scope to a users OU

Posted on 2010-09-07
1
Medium Priority
?
492 Views
Last Modified: 2012-05-10
We would like to limit a users access to quering AD for entries, by for example only allowing him to query his own OU, and not the entire domain tree.

Is there an efficient way to do this? Maybe setting some kind of policy somewhere?

The issue is that we have customers who have their own isolated VM servers for applications outside our ASP environment. For easy user management and control, as well as some application requirements, those servers are members of our global domain. In order to allow application administrators access to the server, we add them to the local administrators group, but we really don't want them to be able to roam and explore our AD as they please, and as such, the question above arose.

Thank you!
0
Comment
Question by:CatalinT
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 57

Accepted Solution

by:
Mike Kline earned 2000 total points
ID: 33618753
So by default authenticated users have read access to AD; you would have to remote that then assign permissions to what they need....test anything out before you do it....things can break if you do it wrong.

Some more info here   http://www.usercube.com/blog/lock-down-active-directory-account

Thanks

Mike
0

Featured Post

VIDEO: THE CONCERTO CLOUD FOR HEALTHCARE

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Uncontrolled local administrators groups within any organization pose a huge security risk. Because these groups are locally managed it becomes difficult to audit and maintain them.
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

656 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question