Re: How to disable the use of adminpak.msi?
From: Ivan Tsui (IvanTsui_at_discussions.microsoft.com)
Date: 07/10/04
- Next message: Ivan Tsui: "View whole AD with adminpak.msi"
- Previous message: Michael Fay: "Re: The user has not been granted the requested logon type."
- In reply to: Steven Umbach: "Re: How to disable the use of adminpak.msi?"
- Next in thread: Steven L Umbach: "Re: How to disable the use of adminpak.msi?"
- Reply: Steven L Umbach: "Re: How to disable the use of adminpak.msi?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 9 Jul 2004 18:31:02 -0700
Is there a security loophole in AD? If a user knows which users belong to Domain Admins or Administrators, he could just try to hack the passwords of those Administrators to get full access rights. In addition, he also knows the whole domain's information, such as users' personal information, the group policies applied to different groups, OUs, which servers are domain controllers, ..., etc.
Why can a normal domain user access the AD tree?
"Steven Umbach" wrote:
> A regular user can "see" items in AD but will not be able to do anything such as
> modify/create objects with restricted permissions. You can set permissions on AD
> objects much like NTFS permissions; however, if a user does not have access to
> some objects, then they will not be able to change their password or have Group
> Policy applied to them. I would not restrict access to the domain container,
> domain controllers container, or the container/OU where their user account
> resides. You could for instance remove all their permissions from an OU that
> their account is not in, nor need access to anything in it. There is also a
> Group Policy setting under user configuration/administrative
> templates/desktop/active directory - hide active directory folder that may help
> restrict casual browsing of AD. --- Steve
>
>
> "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
> news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
> >
> > Once a user's computer has "adminpak.msi" installed and is joined to a domain, and he then
> > logs on as a domain user and runs "Active Directory Users and Groups" and other
> > AD utilities, could he view the AD contents such as all Servers, all
> > Account Information, all Group Policies, ...?
> >
> > Other than restricting users from installing adminpak.msi and using the AD
> > utilities on their computers, how could I set AD to restrict or prevent users
> > from reading the AD contents?
> >