Re: Windows 2000 Active Directory reveals too much information.

From: Steven L Umbach
Date: 11/14/04

Date: Sun, 14 Nov 2004 00:26:32 GMT

You can change permissions on Active Directory objects to not allow a user
to see the object. However, the user must be able to see the domain
container, the container that their account is in, any objects allowed them
that they find by an AD search, and the domain controller container or else
the user may not be able to change their password or have Group Policy
applied to them. Other than that you should be able to modify permissions so
that an unauthorized user cannot see the container or object. If you try to
change permissions, be SURE to test first and back up your Active Directory
with a System State backup of a domain controller before proceeding so that
you have a rollback plan.

--- Steve

"" <> wrote in message
> I installed the Windows 2000 Administration Pack on a desktop and launched
> it as a regular user (no admin rights on the domain), and I was able to see
> just about everything in Active Directory, like what groups exist, what the
> individual settings are for all users, groups, objects. Basically
> everything was visible, but actions such as reset password and create new
> user were not enabled.
> I looked at individual security settings for each user and it seems like the
> groups "Everyone" and "Authenticated Users" have Read access. I read up on
> Active Directory security and Microsoft says to keep the default settings.
> These are the default settings.
> So how do I make Active Directory not reveal so much information?
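
The following is an added example, not part of the original thread: a small audit that can be run before changing any permissions. It lists which containers grant read rights to "Everyone" or "Authenticated Users" and separates the ones the reply says must stay visible from the ones that could be tightened. It assumes each container's security descriptor has already been exported as an SDDL string; the function names, the `example.com` DNs and the sample descriptors are constructed for illustration.

```python
import re

# SDDL aliases for the two broad principals named in the thread.
BROAD = {"WD": "Everyone", "AU": "Authenticated Users"}
# Directory read rights (SDDL codes) and their access-mask bits.
READ_BITS = {"RP": 0x10, "LC": 0x4, "LO": 0x80, "RC": 0x20000, "GR": 0x80000000}

def broad_read_aces(sddl):
    """List (principal, read rights) for allow ACEs in the DACL that give
    Everyone or Authenticated Users any read right."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    found = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        f = ace.split(";")  # type;flags;rights;object;inherit_object;trustee
        if len(f) < 6 or f[0] not in ("A", "OA") or f[5] not in BROAD:
            continue
        if f[2].lower().startswith("0x"):   # rights written as a hex mask
            mask = int(f[2], 16)
            rights = {r for r, bit in READ_BITS.items() if mask & bit}
        else:                                # rights written as 2-letter codes
            rights = set(re.findall("..", f[2])) & READ_BITS.keys()
        if rights:
            found.append((BROAD[f[5]], sorted(rights)))
    return found

def review(acls, domain_dn, account_container_dn):
    """Mark containers with broad read access as 'keep' (must stay visible
    per the reply above) or 'candidate' (could be tightened after testing)."""
    must_see = {domain_dn.lower(), account_container_dn.lower(),
                ("OU=Domain Controllers," + domain_dn).lower()}
    report = {}
    for dn, sddl in acls.items():
        aces = broad_read_aces(sddl)
        if aces:
            report[dn] = ("keep" if dn.lower() in must_see else "candidate", aces)
    return report

# Constructed sample data (not real directory output).
SAMPLE = {
    "DC=example,DC=com": "O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RP;;;WD)",
    "OU=Domain Controllers,DC=example,DC=com": "O:DAG:DAD:(A;;LCRPLORC;;;AU)",
    "OU=Staff,DC=example,DC=com": "O:DAG:DAD:AI(A;;0x20094;;;AU)",
    "OU=Finance,DC=example,DC=com": "O:DAG:DAD:AI(A;CI;RPLCLORC;;;AU)(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)",
    "OU=Payroll,DC=example,DC=com": "O:DAG:DAD:P(A;;RPWPCCDCLCSWRCWDWOGA;;;DA)(A;;RPLCRC;;;S-1-5-21-1-2-3-1105)",
}

if __name__ == "__main__":
    for dn, (verdict, aces) in review(SAMPLE, "DC=example,DC=com", "OU=Staff,DC=example,DC=com").items():
        print(verdict, dn, aces)
```

Only the containers reported as `candidate` are places where removing the broad read ACE is consistent with the constraints in the reply; the `keep` entries cover the domain container, the account's own container and the Domain Controllers container.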