Solved

2003 Server AD Permissions & Security

Posted on 2015-02-15
12
53 Views
Last Modified: 2015-02-17
Have Windows 2003 server w/AD. Creating a new directory structure and wanted to know if it is possible to not let user view directories under a parent, that they don't have permissions to access?
0
Comment
Question by:Harold
  • 7
  • 5
12 Comments
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40611097
Are you meanng something like (Access Based Enumeration like how DFS has)? So you only want to show the directory structure where users have access to?

domain.com
+---OU1 (has permission)
+-------OU2 (has permission)
+-----------OU3 (does not have permission)

+---OUA (has permission)
+-------OUB (does not have permission)
+---------OUC (does not have permission)

So if this is the case above you User1 would only see OU1/OU2 and OUA and nothing else.

If this is what you are looking for, then it is not possible. At the top level domain Everyone has Read All Properties by default and you do not want to change these settings. This allows anyone (who is a domain member) to look up attributes for users/computers and other services that may be associated wth there account like Exchange or Lync.

Changing these settings could have a negative impact on your environment and any services that you are hosting.

Will.
0
 
LVL 1

Author Comment

by:Harold
ID: 40611161
@Will: How can I make them not able to read the content of folders then?
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40611526
Content of what folders? Are you referring to the OU's in AD or something else?

Will.
0
 
LVL 1

Author Comment

by:Harold
ID: 40612158
Any folder they are not to view content. Currently they can still read, where I don't need them to read.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40612508
Are you talking about OU's or Folders (like on a file server)?

I would not be modifying the read permissions on OU. But if you need to for whatever reason, you need to enable Advance Features within ADUC and then go to the OU that you want to modify security to,
- click the security tab
- click the advance tab
- remove the check mark for "include inheritable permissions of the objects parent"
- On the Next Window clcik the ADD button
- Remove the permissions for Everyone and or the user account you do not want to have access

Will.
0
 
LVL 1

Author Comment

by:Harold
ID: 40614122
@Will; I was referencing the folders. Everyone still can read the content of the Folders/Files.
0
Efficient way to get backups off site to Azure

This user guide provides instructions on how to deploy and configure both a StoneFly Scale Out NAS Enterprise Cloud Drive virtual machine and Veeam Cloud Connect in the Microsoft Azure Cloud.

 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40614226
Oh, ok sounds good.

You would still follow the directions above but doing this at the folder level. If you have Everyone at the root folder and you just want to modify some of the child folder to not allow Everyone read permissions you need to go to that folder and proceed with the steps above, removing the "include inheritable permissions of the objects parent" and then clicking the Add button and then you can remove the Everyone Group from this directory.

Will.
0
 
LVL 1

Author Comment

by:Harold
ID: 40614267
@Will; I think I figured out the Folder access problem I was having. Everyone had inherited permissions from the Parent folder, I removed "Allow inherited......" then added the group I wanted and gave their permissions there.
0
 
LVL 1

Author Comment

by:Harold
ID: 40614271
@Will; you must have been typing the same time I was, thanks for all Will, great help.

Going to post a question on login.bat files shortly, if you're interested.
0
 
LVL 1

Author Closing Comment

by:Harold
ID: 40614277
thanks again Will.
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40614355
Not a problem. Send me the link and i will happily assist.

Will.
0
 
LVL 1

Author Comment

by:Harold
ID: 40614424
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Do you have users whose passwords are expiring and they are constantly calling you?  Well I sure did and needed a way to put an end to this.  We have a lot of remote users which would not be notified that their passwords were expiring since they wer…
Mapping Drives using Group policy preferences Are you still using old scripts to map your network drives if so this article will show you how to get away for old scripts and move toward Group Policy Preference for mapping them. First things f…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now