restrict read access

ano

Hi folks,

We have an AD domain with an NT4 domain. In this domain there is
a (very) old app that reads all accounts (with a service
account) and stores them in an internal database.

We would like to restrict that to a specific OU. But how???

We set the permissions for the service account to "full
control = deny", but it didn't work. We still have all
domain accounts in the DB. The service account still reads
all AD objects.

Any idea how to restrict that?

thanks...
 
Paul Bergson

You seem to have posted conflicting information. You can't have one
domain inside of another. What OU did you deny?

It would be best if you repost this with additional details and a more
accurate description of the network.
 
Joe Richards [MVP]

This isn't going to be the most fun.

One method would be to place all users you don't want the program to enumerate
in an OU branch and then on that branch add a DENY Read Property to the userID.

The dsacls command would look like this:

dsacls OU=somesubou,OU=someou,DC=domain,DC=com /I:S /D domain\user:RP


It would probably be better though to assign the permission to a group and add
the user to the group, in case there were other programs you wanted to do this
with. So instead do this:


dsacls OU=somesubou,OU=someou,DC=domain,DC=com /I:S /D domain\group:RP


Once this is done, unless there is an EXPLICIT ACE on the user object for the ID
to add permissions back, you will get an access denied when trying to enumerate
the specific user ids in that OU and a complete domain enumeration would miss
them entirely.

joe
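The same deny Read Property ACE applied and then verified with PowerShell instead of dsacls, as an added example that is not part of the thread; the OU DN, domain and group name are placeholders carried over from joe's command, and the verification step checks the inheritance point Paul raises later in the thread.

```powershell
# Added example (not from the thread): apply a Deny ReadProperty ACE on the OU,
# inherited by descendant objects only (equivalent to dsacls /I:S /D ...:RP),
# then confirm every user below the OU actually receives it.
# Placeholders: the OU DN and 'domain\group' are assumed values.
Import-Module ActiveDirectory

$ouDn    = 'OU=somesubou,OU=someou,DC=domain,DC=com'   # OU holding users to hide
$account = 'domain\group'                              # group the app account is in
$sid     = (New-Object System.Security.Principal.NTAccount($account)).Translate(
               [System.Security.Principal.SecurityIdentifier])

# Deny ReadProperty; Descendents = sub-objects only, not the OU itself
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Verify: each user should carry the inherited deny ACE. A user object whose
# ACL is protected from inheritance (or that has an explicit allow ACE for the
# same identity, as joe notes) will still be readable by the app.
Get-ADUser -SearchBase $ouDn -Filter * | ForEach-Object {
    $user    = $_
    $userAcl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    $deny = $userAcl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Deny' -and
        (($_.ActiveDirectoryRights -band
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty) -ne 0) -and
        $_.IsInherited
    }
    [pscustomobject]@{
        User               = $user.SamAccountName
        InheritanceBlocked = $userAcl.AreAccessRulesProtected
        DenyReadInherited  = [bool]$deny
    }
}
```

Any row with InheritanceBlocked = True or DenyReadInherited = False is an object the app will still be able to read and needs a closer look.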
 
Guest

Hi Paul,

Sorry:
of course we have a 2003 AD and an old NT4 domain with
trusts and all the things...

We have an AD account used in the NT4 domain by an
application. We try to restrict the app (using the AD
account) to read just _one_ OU branch and not all accounts
from the AD.
We used the security settings (MMC) to deny full control
on all other OUs. It didn't work.
The app read all objects.
 
Paul Bergson

Have you checked the security on one of the objects that you want to restrict?
Check to see if the objects are inheriting the parent OU's security.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
