Solved

Limit AD querying ability / scope to a users OU

Posted on 2010-09-07
1
483 Views
Last Modified: 2012-05-10
We would like to limit a users access to quering AD for entries, by for example only allowing him to query his own OU, and not the entire domain tree.

Is there an efficient way to do this? Maybe setting some kind of policy somewhere?

The issue is that we have customers who have their own isolated VM servers for applications outside our ASP environment. For easy user management and control, as well as some application requirements, those servers are members of our global domain. In order to allow application administrators access to the server, we add them to the local administrators group, but we really don't want them to be able to roam and explore our AD as they please, and as such, the question above arose.

Thank you!
0
Comment
Question by:CatalinT
1 Comment
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 33618753
So by default authenticated users have read access to AD; you would have to remote that then assign permissions to what they need....test anything out before you do it....things can break if you do it wrong.

Some more info here   http://www.usercube.com/blog/lock-down-active-directory-account

Thanks

Mike
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

[b]Ok so now I will show you how to add a user name to the description at login. [/b] First connect to your DC (Domain Controller / Active Directory Server) SET PERMISSIONS FOR SCRIPT TO UPDATE COMPUTER DESCRIPTION TO USERNAME 1. Open Active …
Resolve DNS query failed errors for Exchange
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

911 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now