Garry Shape
asked on
Secure AD from regular user from querying information?
I've created a standard AD user in my AD environment and discovered that, if I run PowerShell with its credentials, or AD Explorer, for example, I can query almost anything.
To me that does not seem very secure, and I'm wondering if that's an inherent permission with AD or if I have to manually modify things to prevent it.
So I can open AD Explorer and browse all OUs, view groups and their members, etc., all as a Domain User with no extra permissions.
I can run PowerShell "get-aduser -username -properties * | fl" and get all their AD fields.
Would unchecking the Allow "Read" permission for Authenticated Users have any adverse effect?
ASKER
They can view:
Group memberships
Password last set times
Domain Controllers
Custom attributes made that contain sensitive information about users (like pin codes for other authentication systems)
Is that the usual setup in AD?
Is setting the Confidential flag on schema attributes the only way to prevent any "Authenticated user" from accessing certain information?
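
Added example, not part of the original thread and not posted by the asker: a PowerShell sketch for checking which schema attributes already carry the Confidential flag mentioned above and which ones could take it. The function name Get-ConfidentialStatus, the contoso* attribute names and all sample values are constructed for illustration; the live query at the end assumes the RSAT ActiveDirectory module.

```powershell
# searchFlags bit 0x80 (128) marks an attribute as CONFIDENTIAL: reading it then
# needs the Control Access right in addition to Read Property.
# systemFlags bit 0x10 marks a base-schema attribute; those cannot be made confidential.
$CONFIDENTIAL = 0x80
$BASE_SCHEMA  = 0x10

function Get-ConfidentialStatus {
    param([Parameter(ValueFromPipeline)] $Attribute)
    process {
        # An unset searchFlags/systemFlags comes back as $null, which casts to 0.
        $search = [int]$Attribute.searchFlags
        $system = [int]$Attribute.systemFlags
        [pscustomobject]@{
            Attribute      = $Attribute.lDAPDisplayName
            IsConfidential = [bool]($search -band $CONFIDENTIAL)
            CanBeMarked    = -not [bool]($system -band $BASE_SCHEMA)
            # Value searchFlags would have with the bit added, other bits preserved.
            NewSearchFlags = $search -bor $CONFIDENTIAL
        }
    }
}

# Constructed sample rows standing in for attributeSchema objects.
$sample = @(
    [pscustomobject]@{ lDAPDisplayName = 'contosoPinCode'; searchFlags = 0;   systemFlags = 0  }
    [pscustomobject]@{ lDAPDisplayName = 'contosoBadgeId'; searchFlags = 129; systemFlags = 0  }
    [pscustomobject]@{ lDAPDisplayName = 'pwdLastSet';     searchFlags = 0;   systemFlags = 16 }
)

$sample | Get-ConfidentialStatus | Format-Table -AutoSize

# Against a live forest, list custom attributes that are readable by default
# but eligible for the flag:
# $schemaNC = (Get-ADRootDSE).schemaNamingContext
# Get-ADObject -SearchBase $schemaNC -LDAPFilter '(objectClass=attributeSchema)' `
#     -Properties lDAPDisplayName, searchFlags, systemFlags |
#     Get-ConfidentialStatus |
#     Where-Object { -not $_.IsConfidential -and $_.CanBeMarked }
```

With the constructed rows, contosoPinCode shows as not confidential but markable (new searchFlags 128), contosoBadgeId as already confidential, and pwdLastSet as a base-schema attribute that cannot take the flag.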