Re: Prevent "Authenticated Users" from browsing Active Directory
From: Steven L Umbach (n9rou@nsattbi.com)
Date: 10/06/02
- Next message: Jim: "Re: HELP"
- Previous message: ls0f: "Re: Security Forums back up, bigger prettier? and faster..I hope."
- In reply to: Steven L Umbach: "Re: Prevent "Authenticated Users" from browsing Active Directory"
- Next in thread: Lyle Homer: "Re: Prevent "Authenticated Users" from browsing Active Directory"
- Reply: Lyle Homer: "Re: Prevent "Authenticated Users" from browsing Active Directory"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Steven L Umbach" <n9rou@nsattbi.com> Date: Sat, 05 Oct 2002 22:34:30 GMT
On second thought I would not recommend changing permissions at the
domain level because it probably would cause any user group policy settings
to not take effect, but I still believe that removing them at the user
container or individual object level is something that probably would
work.
-- Steve
"Steven L Umbach" <n9rou@nsattbi.com> wrote in message
news:lMIn9.50591$Pz.44229@rwcrnsc51.ops.asp.att.net...
> You could try this. In AD Users and Computers select the domain
> properties/security and remove everyone and authenticated users from the
> security list. You can uncheck the read permissions for them, but my
> experience shows that they still may have read access in advanced
> permissions - that is why I recommend removing the whole group. That should
> stop them from browsing AD. I do not think that will cause any operational
> properties, however I would recommend testing it first. You can always add
> these groups back - be sure to document their permissions before removing
> them. Another possibility is to remove the same groups from the individual
> object you do not want them to see. For instance you could remove everyone
> and authenticated users from security permissions for the domain admins,
> enterprise administrator, schema administrator, administrators, and
> administrator object. They would not appear then when someone browses the
> "user" container in AD. --- Steve
>
> "Lyle Homer" <lhomer@nospam.yahoo.com> wrote in message
> news:0n2upu4t9or71m11lvn8qr7e1n2dtercgg@4ax.com...
> > Is it possible to prevent Authenticated Users from browsing Active
> > Directory, without causing problems?
> >
> > We are planning to rename the domain administrator account but are
> > troubled by the fact that normal users in the domain can go to My
> > Network Places, Entire Network, Directory, domain, Built-in, and
> > double click on the Administrators group and get the names of all the
> > accounts in the domain with admin rights.
> >
> > We moved the "Domain Admins" group to a new OU and removed the Read
> > permission from Authenticated Users and that made the OU disappear
> > from directory browsing, however if we remove the Read permission on
> > the Built-in folder for Authenticated Users, the folder still shows up
> > while browsing.
> >
> > Any advice on preventing directory browsing would be appreciated.
> >
> > Also, our testing has shown that if we remove the Read permission from
> > the OU for Authenticated users that also has a GPO assigned to it, the
> > GPO is no longer applied to the clients even though the GPO itself
> > still allows Read access for Authenticated Users.
> >
> > Is this by design?
> >
> > Lyle
> > lhomer@nospam.yahoo.com (remove nospam)
> >
>
>
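
The reply above advises documenting the permissions of Everyone and Authenticated Users before removing them. One way to take that snapshot, as an added example that is not part of the original posts: it assumes the RSAT ActiveDirectory PowerShell module, and the distinguished names and output file names are placeholders.

```powershell
# Added example: record the ACEs held by Everyone and Authenticated Users
# on selected AD objects before any permission change, so they can be restored.
# Assumes the ActiveDirectory module (provides the AD: drive).
Import-Module ActiveDirectory

# Placeholder DNs: replace with the containers/objects you intend to change.
$targets = @(
    'CN=Users,DC=example,DC=com',
    'CN=Builtin,DC=example,DC=com'
)

# Match on well-known SIDs so the check does not depend on localized names.
$wellKnown = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}
$sidType = [System.Security.Principal.SecurityIdentifier]

$sddl = @{}
$report = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    $sddl[$dn] = $acl.Sddl          # full security descriptor, for exact restore
    foreach ($ace in $acl.Access) {
        $sid = $ace.IdentityReference.Translate($sidType).Value
        if ($wellKnown.ContainsKey($sid)) {
            [pscustomobject]@{
                Object              = $dn
                Principal           = $wellKnown[$sid]
                Sid                 = $sid
                AccessType          = $ace.AccessControlType
                Rights              = $ace.ActiveDirectoryRights
                ObjectType          = $ace.ObjectType
                InheritedObjectType = $ace.InheritedObjectType
                Inheritance         = $ace.InheritanceType
                IsInherited         = $ace.IsInherited
            }
        }
    }
}

# Human-readable ACE list plus the raw SDDL per object.
$report | Export-Csv -Path .\ad-acl-before.csv -NoTypeInformation
$sddl   | ConvertTo-Json | Set-Content -Path .\ad-acl-before-sddl.json
$report | Format-Table Object, Principal, AccessType, Rights, IsInherited -AutoSize
```

Rows with `IsInherited` set to `True` come from a parent object, so they have to be changed where they are defined rather than on the child.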