charter_oak asked:
custom msc file allows browsing Domain

Hi -

I'm using Windows Server 2008R2, domain level is native 2008R2.  I have created a custom .msc file for one of my junior admins, and it works just fine.  This console is designed to let them change/reset passwords for users in a specific OU.  I authored the .msc, then saved it using "User mode - limited access, single window" Console mode, and I've also deselected the "Allow the user to customize views" option.  

However, if the admin goes into the "view" settings, and selects View then Advanced Features, the console goes to the Console Root, and they are back at the top of my domain OU structure for Active Directory Users and Computers, at which point they can browse through the entire domain structure.  I obviously don't want that.  

It seems that something is not functioning properly - is there something I'm missing?

Thanks in advance,
Matt
McKnife replied:
You might be missing that, with default permissions, anyone may do that. So you would need to modify the OU permissions.
charter_oak (asker) replied:
Thanks for the response, but I really don't think the OU permissions should need to be adjusted - that's what the msc is supposed to do.

The .msc shouldn't allow the user to get to view that level, though - that's what the "limited access" mode should be doing - according to Microsoft -

http://support.microsoft.com/kb/230263

"User Mode-limited access, single window: All restrictions in place for multiple window limited-access user mode apply, except that there is only a single window, so the controls for working with multiple windows are not present."
McKnife replied:

Thing is: take any user. He may browse AD by default.
ASKER CERTIFIED SOLUTION (charter_oak)

This solution is only available to members.
McKnife replied:

Sorry for not coming back to you; I was on vacation and mostly offline.
Maybe that's a bug. But assuming it could work: what would keep your junior admin from using the search in Network Neighborhood, or even from creating his own .msc, to view the things you are trying to keep him away from? Only modifying the OU permissions would help, I think.
I wonder what you think about my last comment; that seems to be the solution, for the reasons given.
No other solutions offered
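Added example, not code from the thread or from either participant: the thread's conclusion is that the console mode of an .msc is a usability setting, not a security boundary, and that the only thing that actually limits the junior admin is the ACL on the OU. The script below delegates exactly the password-reset task described in the question to a group, scoped to user objects under one OU, and then prints the resulting ACEs so you can check them. The OU distinguished name and the group name are assumptions (placeholders); the GUIDs are resolved from the forest's own schema and configuration partitions rather than hard-coded. It uses the RSAT ActiveDirectory module and its `AD:` drive, available on Server 2008 R2.

```powershell
# Added example (not from the original thread): delegate password resets on one OU via its ACL.
# Assumed placeholders: the OU DN and the delegation group name.
Import-Module ActiveDirectory

$ou    = 'OU=Helpdesk Managed,DC=corp,DC=example'   # assumed target OU
$group = 'JuniorAdmins'                             # assumed group that gets the delegation

$rootDse = Get-ADRootDSE
$schema  = $rootDse.SchemaNamingContext
$config  = $rootDse.ConfigurationNamingContext

# Look up object-type GUIDs in this forest instead of trusting copied constants.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [System.Guid]$obj.schemaIDGUID
}
function Get-ExtendedRightGuid([string]$displayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$config" -LDAPFilter "(displayName=$displayName)" -Properties rightsGuid
    return [System.Guid]$obj.rightsGuid
}

$userClass   = Get-SchemaGuid 'user'                   # inherited-object type: only user objects
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'  # control-access right used by "Reset Password..."
$pwdLastSet  = Get-SchemaGuid 'pwdLastSet'             # needed for "User must change password at next logon"
$lockoutTime = Get-SchemaGuid 'lockoutTime'            # needed for "Unlock account"

$sid = (Get-ADGroup -Identity $group).SID
$acl = Get-Acl -Path "AD:\$ou"

$allow       = [System.Security.AccessControl.AccessControlType]::Allow
$descendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: the Reset Password extended right on user objects below the OU (not on the OU itself).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwd, $descendents, $userClass)))

# ACE 2 and 3: read/write of the two attributes the reset dialog touches, same scope.
foreach ($attrGuid in @($pwdLastSet, $lockoutTime)) {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
        $allow, $attrGuid, $descendents, $userClass)))
}

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Check: list only the ACEs granted to the group on this OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The equivalent with the built-in tool is `dsacls "OU=Helpdesk Managed,DC=corp,DC=example" /I:S /G "CORP\JuniorAdmins:CA;Reset Password;user"` (plus `RPWP;pwdLastSet;user` and `RPWP;lockoutTime;user`), again with the DN and group as placeholders. Note what this does and does not do: the group can now reset passwords only for users under that OU, whatever console or tool they use, but, as McKnife points out, they can still read and browse the rest of the domain, because Authenticated Users hold read access by default. Hiding other OUs would mean removing that default read access, which is a much larger change than restricting a console view.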