Re: Windows 2000 Active Directory reveals too much information.

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 11/14/04


Date: Sun, 14 Nov 2004 00:26:32 GMT

You can change permissions on Active Directory objects to not allow a user
to see the object. However the user must be able to see the domain
container, the container that their account is in, any objects allowed them
that they find by an AD search, and the domain controller container or else
the user may not be able to change their password or have Group Policy
applied to them. Other than that you should be able to modify permissions so
that an unauthorized user can not see the container or object. If you try to
change permissions be SURE to test first and back up your Active Directory
with a System State backup of a domain controller before proceeding so that
you have a rollback plan. --- Steve

"news.tamu.edu" <andrerojde2004@gmail.com> wrote in message
news:cn025b$1uf$1@news.tamu.edu...
>I installed the Windows 2000 Administration Pack on a desktop and launched
>it as a regular user (no admin rights on the domain), and I was able to see
>just about everything in Active Directory, like what groups exist, what the
>individual settings are for all users, groups, objects. Basically
>everything was visible, but actions such as reset password and create new
>user were not enabled.
>
> I looked at individual security settings for each user and seems like the
> group "Everyone" and "Authenticated Users" has Read access. I read up on
> Active Directory security and Microsoft says to keep the default settings.
> These are the default settings.
>
> So how do I make Active Directory not reveal so much information?
>



Relevant Pages

  • Re: Missing names in the Global Address Book
    ... settings. ... > moved the users to a different container in the Active Directory, ... > Please do not send email directly to this alias. ...
    (microsoft.public.exchange2000.general)
  • Re: NTFRS Subscriptions in LostAndFound Container
    ... This container is used to house Active Directory objects that are orphaned with the directory or conflict resolution problem, for example more than one object with the same UPN logon created in different sites/DCs at same time. ... "Jorge Silva" wrote in message ...
    (microsoft.public.windows.server.active_directory)
  • Re: URGENT - ForestPrep Fails when installing Exchange 2003 - Please H
    ... > of problems managing any of the active directory areas of Exchange 2003. ... > Container Children)::ScPrepareForFileCopy ... > Entering CBaseServiceAtom(Microsoft Windows Active Directory ... > Entering CBaseAtom(Microsoft Windows Active Directory schema ...
    (microsoft.public.exchange.setup)
  • Re: After W2k SP4 installation Active Directory not accessible
    ... Neither of the registry settings you mentioned have been ... been added to any of the XP machines. ... messages in the system log for the DCHP Server he had me ... Controller and using Active Directory. ...
    (microsoft.public.win2000.active_directory)
  • Re: Changing a users name in Active Directory
    ... login name, and by clicking on the Exchange tab you should be able to change ... I would additionally suggest setting up another mailbox with the user's old ... don't forget to change her account settings within ... If you're not using active directory, similar changes will have to be made ...
    (microsoft.public.windows.server.active_directory)