Solved

custom msc file allows browsing Domain

Posted on 2014-02-21
7
168 Views
Last Modified: 2014-03-21
Hi -

I'm using Windows Server 2008R2, domain level is native 2008R2.  I have created a custom .msc file for one of my junior admins, and it works just fine.  This console is designed to let them change/reset passwords for users in a specific OU.  I authored the .msc, then saved it using "User mode - limited access, single window" Console mode, and I've also deselected the "Allow the user to customize views" option.  

However, if the admin goes into the "view" settings, and selects View then Advanced Features, the console goes to the Console Root, and they are back at the top of my domain OU structure for Active Directory Users and Computers, at which point they can browse through the entire domain structure.  I obviously don't want that.  

It seems that something is not functioning properly - is there something I'm missing?

Thanks in advance,
Matt
0
Comment
Question by:charter_oak
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 39877873
You might be missing, that with default permissions, anyone may do that. So you would need to modify the OU permissions.
0
 

Author Comment

by:charter_oak
ID: 39878189
Thanks for the response, but I really don't think the OU permissions should need to be adjusted - that's what the msc is supposed to do.

The .msc shouldn't allow the user to get to view that level, though - that's what the "limited access" mode should be doing - according to Microsoft -

http://support.microsoft.com/kb/230263

"User Mode-limited access, single window: All restrictions in place for multiple window limited-access user mode apply, except that there is only a single window, so the controls for working with multiple windows are not present."
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39878832
Thing is: take any user. He may browse AD by default.
0
Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Accepted Solution

by:
charter_oak earned 0 total points
ID: 39879347
I know that.  The tool is still not working as described.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39898526
Sorry for not coming back to you, was on vacation and mostly offline.
Maybe that's a bug. But: Assuming it could work: what would keep your junior admin from using the search in network neighborhood or even creating his own msc to view the things you are trying to keep him away from? Only modifying the OU permissions would help, I think.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39932754
I wonder how you think about my last comment - that seems to be the solution for reasons given.
0
 

Author Closing Comment

by:charter_oak
ID: 39944763
No other solutions offered
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the steps necessary to enable the VMware\Hyper-V licensed feature of Backup Exec 2012. In addition, how to add a VMware server and configure a backup job. The first step is to acquire the necessary licen…
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…

740 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question