Hiding an OU from AD query

Blake

Best practices says you should create an admin-level ID for each domain
admin (rather than each admin using the same, shared ID).

Problem is, this ID shows up in a START - SEARCH FOR PEOPLE query. Is there
a quick/painless way to hide the Users OU from a desktop AD query run by a
standard Domain User?

Thanks
Blake
 
Herb Martin

Blake said:
Best practices says you should create an admin-level ID for each domain
admin (rather than each admin using the same, shared ID).

Problem is, this ID shows up in a START - SEARCH FOR PEOPLE query. Is
there a quick/painless way to hide the Users OU from a desktop AD query
run by a standard Domain User?

Move those special user accounts to their own ID and only grant
READ to Admins? (Should work but I haven't gone and tested it.)
 
Andrei Ungureanu [MVP]

I did a couple of tests on a DC in a virtual machine and it seems that it is
working (removed Auth Users, Pre Windows 2000 groups from the OU's ACL).

--
Regards,
Andrei Ungureanu
www.eventid.net
Test our new EventReader!
http://www.altairtech.ca/eventreader/default2.asp?ref=au
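
An added example, not part of the original thread: a PowerShell check for the ACL change described above, listing any Allow ACEs that still give Authenticated Users or Pre-Windows 2000 Compatible Access read or list rights on an OU. The function name, the sample ACEs and the OU distinguished name are assumptions made for illustration.

```powershell
# Principals whose read access makes an OU's contents visible to ordinary
# domain users (the two groups removed from the OU's ACL in the test above).
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)
# Rights that let a principal enumerate or read objects in the OU.
$ReadRights = @('GenericRead', 'GenericAll', 'ReadProperty', 'ListChildren', 'ListObject')

# Hypothetical helper: emits one record per ACE that still exposes the OU.
function Find-BroadReadAce {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Ace
    )
    process {
        if ($Ace.AccessControlType -ne 'Allow') { return }
        if ($BroadPrincipals -notcontains [string]$Ace.IdentityReference) { return }
        # ActiveDirectoryRights is a flags value rendered as "A, B, C".
        $granted = ([string]$Ace.ActiveDirectoryRights) -split ',\s*'
        $hits = @($granted | Where-Object { $ReadRights -contains $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Principal = [string]$Ace.IdentityReference
                Rights    = $hits -join ', '
                Inherited = [bool]$Ace.IsInherited  # inherited ACEs come from the parent
            }
        }
    }
}

# Constructed sample ACEs, shaped like the entries in (Get-Acl).Access.
$sampleAcl = @(
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; ActiveDirectoryRights = 'GenericRead'; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'BUILTIN\Pre-Windows 2000 Compatible Access'; ActiveDirectoryRights = 'ReadProperty, ListChildren'; AccessControlType = 'Allow'; IsInherited = $true }
    [pscustomobject]@{ IdentityReference = 'EXAMPLE\Domain Admins'; ActiveDirectoryRights = 'GenericAll'; AccessControlType = 'Allow'; IsInherited = $false }
    [pscustomobject]@{ IdentityReference = 'NT AUTHORITY\Authenticated Users'; ActiveDirectoryRights = 'WriteProperty'; AccessControlType = 'Allow'; IsInherited = $false }
)
# Reports the first two ACEs; the Domain Admins and write-only entries are ignored.
$sampleAcl | Find-BroadReadAce | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module; the DN is a placeholder):
# Import-Module ActiveDirectory
# (Get-Acl -Path 'AD:\OU=Admin Accounts,DC=example,DC=com').Access | Find-BroadReadAce
```

An entry reported with Inherited set to True is granted on a parent container, so it stays in effect until inheritance is disabled on the OU.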

 
Blake

Cool

I'll try it

Blake

 
