How to disable the use of adminpak.msi?

[Guest]

Once a user computer install "adminpak.msi" and joined a domain, And then he logon as domain user and run the "Active Directory Users and Groups" and other AD utilities, he could be able to view the AD contents such as all Servers, all Account Information, all Group Policies, ...?

Other than restrict the users to install the adminpak.msi and use the AD utilties in his computer, how I could set in AD to restrict or disable the users to read the AD contents?

 

[David Cross [MS]]

You can always set ACLs on objects that you don't want the user to see in
AD. But be careful as users likely do need to see some level of information
in AD, otherwise applications and services won't work.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

Once a user computer install "adminpak.msi" and joined a domain, And then

he logon as domain user and run the "Active Directory Users and Groups" and
other AD utilities, he could be able to view the AD contents such as all
Servers, all Account Information, all Group Policies, ...?

Other than restrict the users to install the adminpak.msi and use the AD

utilties in his computer, how I could set in AD to restrict or disable the
users to read the AD contents?

 

[Steven Umbach]

A regular user can "see" items in AD but will not be able to do anything such as
modify/create objects with restricted permissions. You can set permissions on AD
objects much like ntfs permissions however if a user does not have access to
some objects, then they will not be able to change their password or have Group
Policy applied to them. I would not restrict access to the domain container,
domain controllers container, or the container/OU where their user account
resides. You could for instance remove all their permissions from an OU that
their account is not in, nor need access to anything in it. There is also a
Group Policy setting under user configuration/administrative
templates/desktop/active directory - hide active directory folder that may help
restrict casual browsing of AD. --- Steve

Once a user computer install "adminpak.msi" and joined a domain, And then he

logon as domain user and run the "Active Directory Users and Groups" and other
AD utilities, he could be able to view the AD contents such as all Servers, all
Account Information, all Group Policies, ...?

Other than restrict the users to install the adminpak.msi and use the AD

utilties in his computer, how I could set in AD to restrict or disable the users
to read the AD contents?

 

[Guest]

If there is a security loophole in AD? If a user know which users belonged to Domain Admins or Administrators, he could try to just hack the password for those Administrators to be able to get full access rights. In addition, he also know whole domain information, such as user personal information, group policies applied to different groups, OUs, which server is domain controllers, ..., etc.

Why a normal domain users could access to AD tree?

 

[Steven L Umbach]

I don't consider it a security loophole. AD is supposed to be available for users to
find resources which may include who the administrators are. If you don't want
someone to see the administrators in AD then put the admin accounts in their own OU
and do not give users/everyone any permissions to that OU and they will not be able
to see them. Also administrators and all users need to use complex passwords and any
administrator that cares about security would have auditing of account logon events,
logon events, and account management enabled and have an account lockout policy that
has a lockout threshold of no less than ten bad attempts. It would be very obvious
when a user on the lan would be trying to hack an administrators account which would
get that user fired and escorted to the door by security in most businesses. ---
Steve

If there is a security loophole in AD? If a user know which users belonged to

Domain Admins or Administrators, he could try to just hack the password for those
Administrators to be able to get full access rights. In addition, he also know
whole domain information, such as user personal information, group policies applied
to different groups, OUs, which server is domain controllers, ..., etc.