Re: How to disable the use of adminpak.msi?

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 07/09/04


Date: Fri, 09 Jul 2004 14:32:56 GMT

A regular user can "see" items in AD but will not be able to do anything such as
modify/create objects with restricted permissions. You can set permissions on AD
objects much like NTFS permissions; however, if a user does not have access to
some objects, then they will not be able to change their password or have Group
Policy applied to them. I would not restrict access to the domain container,
domain controllers container, or the container/OU where their user account
resides. You could for instance remove all their permissions from an OU that
their account is not in and where they do not need access to anything. There is
also a Group Policy setting under User Configuration/Administrative
Templates/Desktop/Active Directory - "Hide Active Directory folder" that may help
restrict casual browsing of AD.

--- Steve

"Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
>
> Once a user's computer installs "adminpak.msi" and joins a domain, and he then
> logs on as a domain user and runs "Active Directory Users and Groups" and other
> AD utilities, he could be able to view the AD contents such as all Servers, all
> Account Information, all Group Policies, ...?
>
> Other than restricting the users from installing adminpak.msi and using the AD
> utilities on their computers, how could I set AD to restrict or disable the
> users from reading the AD contents?
>
>
>
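
Before removing read permissions from any OU as suggested in the reply above, it helps to see which OUs currently grant read access to broad groups and which containers must stay readable for password changes and Group Policy. This is an added example, not part of the original thread; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and uses a hypothetical account name `jdoe`.

```powershell
Import-Module ActiveDirectory

$sam = 'jdoe'   # assumption: placeholder account name, replace with a real one

$domain = Get-ADDomain
$user   = Get-ADUser -Identity $sam

# Parent container of the account: the DN with its first RDN removed
# (the pattern skips commas that are escaped with a backslash).
$userParent = $user.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''

# Containers the reply advises NOT to restrict.
$keepReadable = @(
    $domain.DistinguishedName,
    $domain.DomainControllersContainer,
    $userParent
)

# Well-known SIDs, used instead of names so the check is locale-independent.
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-554'   # Pre-Windows 2000 Compatible Access
)

$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$readMask = [int]($rights::ReadProperty -bor $rights::ListChildren -bor $rights::ListObject)
$sidType  = [System.Security.Principal.SecurityIdentifier]

# Every OU plus the must-stay-readable containers, without duplicates.
$targets = @(Get-ADOrganizationalUnit -Filter * |
    Select-Object -ExpandProperty DistinguishedName) + $keepReadable |
    Sort-Object -Unique

$report = foreach ($dn in $targets) {
    $acl  = Get-Acl -Path "AD:\$dn"
    # Explicit and inherited ACEs, with trustees returned as SIDs.
    $aces = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadSids -contains $_.IdentityReference.Value -and
        ([int]$_.ActiveDirectoryRights -band $readMask)
    }
    [pscustomobject]@{
        Container       = $dn
        BroadReadAccess = [bool]$aces
        KeepReadable    = $keepReadable -contains $dn
    }
}

$report | Sort-Object KeepReadable -Descending | Format-Table -AutoSize
```

Rows with `KeepReadable` set to `True` are the domain container, the Domain Controllers container and the account's own container; the remaining rows with `BroadReadAccess` set to `True` are the candidates for tightening.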


