Hide group membership?

A.J. Fried

I have a group that I would like to temporarily disable without actually
deleting it. I'm trying to find out what (if anything) it's used for, so my
thought is to disable or hide it somehow so that members don't "know" that
they are members and so they won't get whatever permissions are normally
afforded via membership in that group.

I have played with the permissions on the group object in AD but it doesn't
seem to work.

Specifically, I set Authenticated Users to deny Read on the group object in
AD. However, members still "know" they are members, e.g., if I log in as a
member of the group and run GPResult.exe it still tells me that I am a
member.

Is there a way to do this? Am I thinking about this correctly?

TIA.

--> A.J. Fried
 
Chriss3

No, since the Member Of attribute is located on the user class. You should then
remove read rights for the SELF object on the attribute Member Of, but you
can't just hide one group. I'm not 100% sure here but I think this should be
the case.
 
Stefan Buchman

The users themselves are not checking to see if they are members of the
group; it would be the remote system (file server, web server, etc.)
that would be checking that user's access if using NTLM, otherwise it
would be the Domain Controller if using Kerberos V5.

Either way the user is never responsible for checking its own group
membership, so you would not be able to deny access to the KDC / LSA to
read this group.

- Stefan
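The two points above (the membership lives on the user object as the memberOf back-link, and access is decided from the group SIDs in the logon token rather than by anything the user reads from AD) can be seen side by side with this added PowerShell snippet; it is not from the thread. It assumes the RSAT ActiveDirectory module is installed and that it is run interactively as the domain user being examined.

```powershell
# Added example, not part of the original thread.
# Assumes the RSAT ActiveDirectory module and a domain-joined interactive session.
Import-Module ActiveDirectory

function Get-TokenGroupNames {
    # Group SIDs placed in the access token at logon. This is what a file
    # server (NTLM) or the KDC (Kerberos) evaluates, not the user's own
    # read rights on the group object.
    $identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $identity.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # unresolvable SID (e.g. a deleted group) shown raw
    }
}

function Get-DirectoryGroupNames {
    param([string]$SamAccountName)
    # memberOf is a back-link stored on the user object, so it still lists
    # the group even when Read on the group object itself has been denied.
    $user = Get-ADUser -Identity $SamAccountName -Properties memberOf
    foreach ($dn in $user.memberOf) {
        try   { (Get-ADGroup -Identity $dn).Name }
        catch { "UNREADABLE: $dn" }   # deny-Read on the group hides its name, not the link
    }
}

# Strip the DOMAIN\ prefix so the two lists compare by plain group name.
$token     = Get-TokenGroupNames | ForEach-Object { ($_ -split '\\')[-1] } | Sort-Object -Unique
$directory = Get-DirectoryGroupNames -SamAccountName $env:USERNAME | Sort-Object -Unique

# '==' both, '<=' directory only, '=>' token only (nested, primary and
# well-known groups such as Authenticated Users appear only in the token).
Compare-Object -ReferenceObject $directory -DifferenceObject $token -IncludeEqual |
    Select-Object @{n='Group'; e={ $_.InputObject }},
                  @{n='Where'; e={
                      switch ($_.SideIndicator) {
                          '==' { 'both' }
                          '<=' { 'directory only' }
                          '=>' { 'token only' }
                      } }}
```

Run it before and after changing the ACL on the group: the group stays in the token column either way, which is why GPResult still reports the membership.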
 
A.J. Fried

I think I follow (though I didn't follow what you said about the SELF
object), but I guess I don't like the answer.

If I delete a group, members know that they are no longer members ...
the individual "member of" properties sitting in all of the former
member objects don't get orphaned, right? So I would think there's
something I could do to the group to make the members think it doesn't
exist (i.e. remove enough rights so as to make the group "invisible").
 
Chriss3

You can always make the object in question invisible by turning AD into List
Object mode. However, you can't make the membership invisible for queries
etc.
 