Domain Users with 2003 adminpak can see AD!


klose

If a regular domain user installs the 2003 adminpak, they can browse the
ADUC containers.

a) Why is this not locked down to at least a domain administrator or some
other group?

I am aware of the GP that can lock down the various tools, and the
customization of the mmc window, but cannot control it from the default
tool within the administrator tools console.

b) After you grant use of the ADUC tool to certain members, they can see
EVERYTHING.
The default permissions on the ADUC objects allow Authenticated Users at
least RO rights on the Builtin, Computers, ForeignSecurityPrincipals...etc
folders.
Can these rights be changed without affecting other system/domain needs?


My goal is to deploy minimal tools to remote office administrators, I have
already used ADSI Edit and the delegation wizard to effect limitations....but
they still see way too much.
 

Paul Adare - MVP - Microsoft Virtual PC

> If a regular domain user installs the 2003 adminpak, they can browse the
> ADUC containers.
>
> a) Why is this not locked down to at least a domain administrator or some
> other group?

They don't need the Adminpak to browse the AD. Authenticated users need
at least read access to the directory, which is what they get when using
the Adminpak tools, or any other tool for that matter.

> I am aware of the GP that can lock down the various tools, and the
> customization of the mmc window, but cannot control it from the default
> tool within the administrator tools console.

See above, having the tool doesn't matter. They can't do anything but
look.

> b) After you grant use of the ADUC tool to certain members, they can see
> EVERYTHING.
> The default permissions on the ADUC objects allow Authenticated Users at
> least RO rights on the Builtin, Computers, ForeignSecurityPrincipals...etc
> folders.
> Can these rights be changed without affecting other system/domain needs?

Nope.

> My goal is to deploy minimal tools to remote office administrators, I have
> already used ADSI Edit and the delegation wizard to effect limitations....but
> they still see way too much.

Nature of an LDAP directory.
 

klose

Thanks for the feedback...

Can you elaborate more on b)?

I had experimented by deselecting read-only rights on some of the
containers mentioned.
My tests show that it does indeed hide the folder from prying eyes.
However, I don't know if that will cause problems elsewhere.

Why would an authenticated user need Read access to, let's say, the empty
Computers container, or an OU created to manage users/computers?

Thanks
Tom
 

Steven L Umbach

As Paul said, this is SOP. A domain user can go to My Network Places and browse or
search Active Directory. All AD objects have permissions on them somewhat like NTFS
folders do. You can remove Everyone/Users from an object [and replace with authorized
groups] and they will not be able to see it, and this may be desirable for shares,
printers, or even an OU as long as the user does not exist in that container nor needs
to access objects in that container via AD. However, if you try that be very careful,
as I believe a user needs read permissions to at least the Domain Controllers
container, the domain container, any OU that they may be in, and their user account,
or they will not be able to change their password and Group Policy user configuration
will not apply to them. --- Steve
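The procedure Steve describes, as an added example that is not part of the thread: a script that shows the explicit "Authenticated Users" read ACE an OU receives from the schema default security descriptor, removes it only when no user or computer account lives under that OU (so the accounts that must read their own OU, per the caveat above, are never cut off), and then checks as a test account whether the OU is still listed. It assumes the RSAT ActiveDirectory PowerShell module and the AD: drive it provides; the OU distinguished name, domain and test account are hypothetical placeholders.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module.
# OU DN, domain and test account below are hypothetical placeholders.
Import-Module ActiveDirectory

# Well-known SID for Authenticated Users; used instead of the display name so
# the comparison does not depend on the system locale.
$AuthenticatedUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'

function Get-AuthUsersReadAce {
    # Returns the explicit (non-inherited) Allow ACEs on the OU that give
    # Authenticated Users the right to list its contents. The schema default
    # for organizationalUnit grants them Read = ReadProperty | ListChildren |
    # ListObject | ReadControl, which is what makes the OU show up in ADUC.
    param([Parameter(Mandatory)][string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $AuthenticatedUsers -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ListChildren)
    }
}

function Hide-OuFromAuthenticatedUsers {
    # Removes the ACEs found above, but refuses if any user or computer account
    # (computer is a subclass of user) lives under the OU: those accounts need
    # read on their own OU for password changes and Group Policy to work.
    param([Parameter(Mandatory)][string]$OuDn, [switch]$WhatIf)
    $residents = @(Get-ADObject -SearchBase $OuDn -SearchScope Subtree -LDAPFilter '(objectClass=user)')
    if ($residents.Count -gt 0) {
        throw "Refusing to hide $OuDn`: $($residents.Count) user/computer object(s) live under it."
    }
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $aces = @(Get-AuthUsersReadAce -OuDn $OuDn)
    if ($aces.Count -eq 0) {
        Write-Host "No explicit Authenticated Users read ACE on $OuDn; nothing to do."
        return
    }
    foreach ($ace in $aces) {
        Write-Host ("Removing {0} for {1} on {2}" -f $ace.ActiveDirectoryRights, $ace.IdentityReference, $OuDn)
        [void]$acl.RemoveAccessRule($ace)
    }
    if ($WhatIf) { Write-Host 'WhatIf: ACL not written.'; return }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-OuVisibleTo {
    # Binds as the given account and reports whether the OU is still returned
    # by an OU search, i.e. whether that account can still see it in ADUC.
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][pscredential]$Credential)
    $seen = Get-ADOrganizationalUnit -Filter * -Credential $Credential -ErrorAction SilentlyContinue |
            Where-Object DistinguishedName -eq $OuDn
    [bool]$seen
}

# Usage with hypothetical names.
$ou   = 'OU=Remote Office Tools,DC=example,DC=com'
$cred = Get-Credential -UserName 'EXAMPLE\remoteadmin' -Message 'Test account'

Get-AuthUsersReadAce -OuDn $ou | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited
Hide-OuFromAuthenticatedUsers -OuDn $ou -WhatIf   # dry run first
Hide-OuFromAuthenticatedUsers -OuDn $ou
"Visible to remote admin after change: $(Test-OuVisibleTo -OuDn $ou -Credential $cred)"
```

Two caveats of my own, not raised in the thread: removing the OU's own ACE stops the OU from being listed, but a user who already knows a child object's distinguished name can still bind to that object directly unless the forest runs in List Object mode (set through dSHeuristics), and objects under the OU may remain readable through ACEs inherited from higher up, for example those granted to Pre-Windows 2000 Compatible Access in domains where that group still contains Authenticated Users. Run the dry run, check the output of Get-AuthUsersReadAce, and keep a copy of the original ACL before writing anything.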
 
