Question: Windows Active Directory. How do you hide the
membership of a Security Group from all but a few? The
name of the group itself should be visible, but the
membership should be hidden from all but people explicitly
allowed to view it. Even the members of the group should
not be able to view the membership.

One reply to this question I have received:

"Set a Deny for Read Members on the group Authenticated
Users on the OU ACL where the group resides. Then remove
the explicit ACL for AU on the security group and then
give read access to whatever group or user you want to
allow view membership. This will allow the inherited deny
to deny everyone except the explicit allows that you add
to the security group."

Using these techniques I have successfully created a
container to put the groups in, tweaked the container
ACLs, created a group, and tweaked the group ACLs. I can
now hide the membership of the security group from people
who are NOT members of the group. However, members of
the group can see all the other members of groups they
belong to.

Does this sound like the way it must work? Is this a
limitation in Windows AD? Ideally, I really need the
membership to be hidden from all except the domain admins
(or other explicit people).
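
The ACE ordering that the quoted reply relies on, as an added example that is not part of the original post: a simplified Python model of how Windows evaluates a DACL for a single right (here, reading the member attribute). The trustee name "Membership Viewers" and the sample ACLs are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str     # group or user the ACE applies to
    allow: bool      # True = Allow, False = Deny
    inherited: bool  # True when the ACE is inherited from the parent OU


def canonical(aces):
    """Canonical DACL order: explicit deny, explicit allow,
    inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


def can_read_members(token, aces):
    """For one right, the first ACE in canonical order whose trustee is in
    the caller's token decides; if nothing matches, access is refused."""
    for ace in canonical(aces):
        if ace.trustee in token:
            return ace.allow
    return False


# Constructed ACEs mirroring the steps in the quoted reply.
OU_DENY = Ace("Authenticated Users", allow=False, inherited=True)
EXPLICIT_AU = Ace("Authenticated Users", allow=True, inherited=False)
VIEWERS = Ace("Membership Viewers", allow=True, inherited=False)  # hypothetical group

# Deny set on the OU, but the explicit Authenticated Users ACE still on the group.
DENY_ONLY = [OU_DENY, EXPLICIT_AU]
# Explicit Authenticated Users ACE removed, explicit allow added for the viewers.
FINISHED = [OU_DENY, VIEWERS]

ORDINARY_USER = {"Authenticated Users"}
VIEWER = {"Authenticated Users", "Membership Viewers"}

if __name__ == "__main__":
    for label, token, acl in [
        ("ordinary user, explicit AU ACE still present", ORDINARY_USER, DENY_ONLY),
        ("ordinary user, finished ACL", ORDINARY_USER, FINISHED),
        ("viewer, finished ACL", VIEWER, FINISHED),
    ]:
        print(f"{label}: read members = {can_read_members(token, acl)}")
```

In this model any explicit Allow ACE on the group that matches one of an account's SIDs is evaluated before the inherited Deny, so every explicit ACE left on the group object matters.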

