Re: Domain Users with 2003 adminpak can see AD!
From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 03/12/04
- Next message: Joe Mine: "VPN clients cannot ping Netbios name but only ip address."
- Previous message: Steven L Umbach: "Re: Adding Computers to the Domain"
- In reply to: klose: "Domain Users with 2003 adminpak can see AD!"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 11 Mar 2004 23:47:44 GMT
As Paul said, this is SOP. A domain user can go to My Network Places and browse or
search Active Directory. All AD objects have permissions on them, somewhat like NTFS
folders do. You can remove Everyone/Users from an object [and replace with authorized
groups] and they will not be able to see it, and this may be desirable for shares,
printers, or even an OU as long as the user does not exist in that container nor needs
to access objects in that container via AD. However, if you try that, be very careful,
as I believe a user needs read permissions to at least the Domain Controllers
container, the domain container, any OU that they may be in, and their user account,
or they will not be able to change their password and Group Policy user configuration
will not apply to them. --- Steve
"klose" <norepl@noreply.com> wrote in message
news:%23vCsYW6BEHA.2768@tk2msftngp13.phx.gbl...
> If a regular domain user, installs the 2003 adminpak, they can browse the
> ADUC containers.
>
> a) Why is this not locked down to at least a domain administrator or some
> other group?
>
> I am aware of the GP that can lock down the various tools, and the
> customization of the MMC window, but cannot control it from the default
> tool within the Administrative Tools console.
>
> b) After you grant use of the ADUC tool to certain members, they can see
> EVERYTHING.
> The default permissions on the ADUC objects allow Authenticated Users at
> least RO rights on the Builtin, Computers, ForeignSecurityPrincipals...etc.
> folders.
> Can these rights be changed without affecting other system/domain needs?
>
>
> My goal is to deploy minimal tools to remote office administrators. I have
> already used ADSI Edit and the Delegation Wizard to effect limitations....but
> they still see way too much.
>
>
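Before removing Everyone or Authenticated Users from a container, it helps to know which broad principals currently hold read rights on the objects Steve lists as required (the domain root, the Domain Controllers container, the user's own OU, and the user object). The following PowerShell audit is an added example, not code from this thread or from Microsoft; it assumes the ActiveDirectory module (RSAT, so a newer toolset than the 2003 adminpak the thread discusses), the AD: PSDrive it provides, and a hypothetical account named jdoe. It only reports; it changes no ACLs.

```powershell
# Added example (not from the thread): list ACEs that grant read-type rights to
# broad principals on the containers a user must still be able to read.
# Assumes the ActiveDirectory module and a hypothetical user 'jdoe'.
Import-Module ActiveDirectory

# Well-known SIDs for the broad principals discussed in the thread.
$BroadPrincipals = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'Anonymous Logon'
}

# Rights that let an ordinary domain user see the object or its attributes.
$ReadRights = 'GenericRead', 'ReadProperty', 'ListChildren', 'ListObject', 'GenericAll'

function Get-BroadReadAccess {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    # The AD: PSDrive exposes directory object security descriptors to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        # Compare by SID so localized or renamed display names do not matter.
        try {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }
        if (-not $BroadPrincipals.ContainsKey($sid)) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # ActiveDirectoryRights is a flags enum; its string form is comma separated.
        $rights = $ace.ActiveDirectoryRights.ToString() -split ',\s*'
        if ($rights | Where-Object { $ReadRights -contains $_ }) {
            [pscustomobject]@{
                Object    = $DistinguishedName
                Principal = $BroadPrincipals[$sid]
                Rights    = $ace.ActiveDirectoryRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Containers Steve names as still needing read access for the user.
$DomainDn = (Get-ADDomain).DistinguishedName
$UserDn   = (Get-ADUser -Identity 'jdoe').DistinguishedName   # hypothetical account
$Targets  = @(
    $DomainDn,
    "OU=Domain Controllers,$DomainDn",
    ($UserDn -replace '^CN=[^,]+,', ''),   # the OU or container holding the user
    $UserDn
)

$Targets | ForEach-Object { Get-BroadReadAccess -DistinguishedName $_ } |
    Format-Table -AutoSize
```

Run it once before and once after a delegation change: if Authenticated Users disappears from one of these four objects for a user, that is the case Steve warns about, where password changes and user Group Policy stop working. Inherited ACEs are flagged separately because removing them means changing the parent, not the object you are looking at.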