Limit AD querying ability / scope to a users OU
Posted on 2010-09-07
We would like to limit a users access to quering AD for entries, by for example only allowing him to query his own OU, and not the entire domain tree.
Is there an efficient way to do this? Maybe setting some kind of policy somewhere?
The issue is that we have customers who have their own isolated VM servers for applications outside our ASP environment. For easy user management and control, as well as some application requirements, those servers are members of our global domain. In order to allow application administrators access to the server, we add them to the local administrators group, but we really don't want them to be able to roam and explore our AD as they please, and as such, the question above arose.