asked on
Limit AD querying ability / scope to a users OU
We would like to limit a users access to quering AD for entries, by for example only allowing him to query his own OU, and not the entire domain tree.
Is there an efficient way to do this? Maybe setting some kind of policy somewhere?
The issue is that we have customers who have their own isolated VM servers for applications outside our ASP environment. For easy user management and control, as well as some application requirements, those servers are members of our global domain. In order to allow application administrators access to the server, we add them to the local administrators group, but we really don't want them to be able to roam and explore our AD as they please, and as such, the question above arose.
Thank you!
Is there an efficient way to do this? Maybe setting some kind of policy somewhere?
The issue is that we have customers who have their own isolated VM servers for applications outside our ASP environment. For easy user management and control, as well as some application requirements, those servers are members of our global domain. In order to allow application administrators access to the server, we add them to the local administrators group, but we really don't want them to be able to roam and explore our AD as they please, and as such, the question above arose.
Thank you!
Active Directory
Last Comment
Mike Kline
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.