Prevent "Authenticated Users" from browsing Active Directory

From: Lyle Homer (lhomer@nospam.yahoo.com)
Date: 10/05/02

• Next message: NeoSadist: "Re: reinstalling ms word 2000"
• Previous message: Martin Kofahl: "Re: Delete Users Profle"
• Next in thread: Steven L Umbach: "Re: Prevent "Authenticated Users" from browsing Active Directory"
• Reply: Steven L Umbach: "Re: Prevent "Authenticated Users" from browsing Active Directory"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

From: Lyle Homer <lhomer@nospam.yahoo.com>
Date: Sat, 05 Oct 2002 09:01:00 -0700

Is it possible to prevent Authenticated Users from browsing Active
Directory, without causing problems?

We are planning to rename the domain administrator account but are
troubled by the fact that normal users in the domain can go to My
Network Places, Entire Network, Directory, domain, Built-in, and
double click on the Administrtors group and get the names of all the
accounts in the domain with admin rights.

We moved the "Domain Admins" group to a new OU and removed the Read
permission from Authenticated Users and that made the OU disappera
from directory browsing, howerver if we remove the Read permission on
the Built-in folder for Authenticated Users, the folder still shows up
while browsing.

Any advice on preventing directory browsing would be appreciated.

Also, our testing has shown that if we remove the Read permission from
the OU for Authenticated users that also has a GPO assigned to it, the
GPO is no longer applied to the clients even though the GPO itself
still allows Read access for Authenticated Users.

Is this by design?

Lyle
lhomer@nospam.yahoo.com (remove nospam)

---

• Next message: NeoSadist: "Re: reinstalling ms word 2000"
• Previous message: Martin Kofahl: "Re: Delete Users Profle"
• Next in thread: Steven L Umbach: "Re: Prevent "Authenticated Users" from browsing Active Directory"
• Reply: Steven L Umbach: "Re: Prevent "Authenticated Users" from browsing Active Directory"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Relevant Pages Re: Some policys do not apply to user ... The difference between Everyone and Authenticated Users is Everyone includes ... Does the group have AGP permission? ... >>sounds like there is ACL filtering configured on the GPO ... Make sure the ACL has Everyone ... (microsoft.public.win2000.group_policy) Re: GPResult lists machine policy as "Denied (Security)." Dont kn ... Okay well it must have been a permission somewhere in there - I went through ... >> at its default settings of read/apply for Authenticated Users ... >>> So as you can imagine, I'm trying to figure out why the machine GPO ... (microsoft.public.win2000.group_policy) GP ACL - Authenticated users ... If I need to apply GPO to particular group only, ... permission for "Authenticated users" group for that GPO? ... Maybe GP processing will be quicker? ... (microsoft.public.windows.group_policy) Re: Group Policy applies to some users, but not others ... >permission, so the 'Authenticated Users' group should get ... >Authenticated users: Read and Apply Policy ... >the same OU as a user where the GPO isn't working. ... (microsoft.public.win2000.group_policy) Re: Group Policy applies to some users, but not others ... permission, so the 'Authenticated Users' group should get the policy applied. ... Authenticated users: Read and Apply Policy ... the same OU as a user where the GPO isn't working. ... (microsoft.public.win2000.group_policy)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(16)