"Authenticated User"

Dandando

Hi! Dear All
We are trying to prevent users from viewing our OU structure, so we
removed "Authenticated User" from the OU security list, but
this action causes GPO processing to fail on client PCs
located in this OU. Do you have any solution for that?

/Dan
 
Arild Bakken

Dandando said:
Hi! Dear All
We are trying to prevent users from viewing our OU structure, so we
removed "Authenticated User" from the OU security list, but
this action causes GPO processing to fail on client PCs
located in this OU. Do you have any solution for that?

/Dan

In order to process GPOs the users must have "Read and Apply GPO" rights on
the GPO.

In addition they need to have "Read" access on the OU(s) where the GPO is
linked in order to read which GPOs they should get (in theory they should
only need read on the gPLink and gPOptions attributes, but never tested
that). And in order to read the properties of that OU they also need "List
Object" on the parent of that OU (if AD is configured for List Object access
mode).

There is no way to completely disable browsing the AD structure since they
need some access in order to read information about themselves. But you can
lock it down pretty much. We've also found that the users need "Read" on the
domain object, and read on the User and/or Builtin and Domain Controllers
objects in order to be able to change password, and for the %username%
environment variable and the WinNT provider in ADSI to work properly.


Arild
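
An added example, not part of the reply above or of any Microsoft tooling: a PowerShell check of whether an OU's ACL still grants a trustee ReadProperty covering gPLink and gPOptions, the two attributes the reply names. The function name Test-GpoLinkReadable is hypothetical, the sample ACEs are constructed, and the logic is simplified as noted in the comments.

```powershell
# Added example (not from the thread). Function name is hypothetical.
Add-Type -AssemblyName System.DirectoryServices
$ADR = [System.DirectoryServices.ActiveDirectoryRights]

# schemaIDGUID of the two attributes named in the reply. Verify in your forest:
#   Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
#     -LDAPFilter '(lDAPDisplayName=gPLink)' -Properties schemaIDGUID
$GpAttr = [ordered]@{
    gPLink    = [guid]'f30e3bbe-9ff0-11d1-b603-0000f80367c1'
    gPOptions = [guid]'f30e3bbf-9ff0-11d1-b603-0000f80367c1'
}

function Test-GpoLinkReadable {
    # Simplified: looks only at ACEs naming the trustee directly (no group
    # expansion), treats any matching Deny as blocking, and ignores property
    # sets and inherit-only flags.
    param(
        [object[]]$Rules,
        [string]$Trustee = 'NT AUTHORITY\Authenticated Users'
    )
    $result = [ordered]@{}
    foreach ($name in $GpAttr.Keys) {
        $relevant = $Rules | Where-Object {
            [string]$_.IdentityReference -eq $Trustee -and
            ($_.ActiveDirectoryRights -band $ADR::ReadProperty) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $GpAttr[$name])
        }
        $allowed = $relevant | Where-Object AccessControlType -eq 'Allow'
        $denied  = $relevant | Where-Object AccessControlType -eq 'Deny'
        $result[$name] = [bool]$allowed -and -not $denied
    }
    [pscustomobject]$result
}

# Constructed sample ACEs, shaped like the entries of (Get-Acl 'AD:\<OU DN>').Access.
# Here Authenticated Users keeps read on gPLink only.
$sample = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'
        ActiveDirectoryRights = $ADR::ReadProperty; AccessControlType = 'Allow'
        ObjectType = $GpAttr.gPLink }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Administrators'
        ActiveDirectoryRights = $ADR::GenericAll; AccessControlType = 'Allow'
        ObjectType = [guid]::Empty }
)
Test-GpoLinkReadable -Rules $sample | Format-List

# Live use (ActiveDirectory module loaded; the OU DN is a placeholder):
#   Test-GpoLinkReadable -Rules (Get-Acl 'AD:\OU=Example,DC=example,DC=com').Access
```

Running it before and after tightening an OU's ACL shows whether the change removed the read access that GPO link discovery depends on.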
 
Buz [MSFT]

Hello Dan,

Another thing you can try is take away the LIST right from the authenticated
users group on the root of Sysvol, this may actually work, test first! Could
mark the policy GUID folders as hidden as well but if they have "Show
Hidden" it would be pointless.

Buz Brodin
MCSE NT4 / Win2K
Microsoft Enterprise Domain Support

Get Secure! - www.microsoft.com/security

This posting is provided "as is" with no warranties and confers no rights.

Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.
 
