Normal user can open Active Directory Users and Computers?

[Eric D]

So does it disturb anyone else that a normal user on your domain can
open Active Directory Users and Computers and get any information they
want includling list of groups, location of profiles etc.. Obviously
the users can't change anything put this is still disturbing to me,
especially being in a University environment where students are
members of our domain.

Is there any way to limit this, or will limiting this "feature" screw
up other programs that depend on Active Directory? I know you can
limit the number of results returned in a query- will this keep users
from opening Active Directory Users and Computers and seeing
everything in the domain?

 

[Jerold Schulman]

So does it disturb anyone else that a normal user on your domain can
open Active Directory Users and Computers and get any information they
want includling list of groups, location of profiles etc.. Obviously
the users can't change anything put this is still disturbing to me,
especially being in a University environment where students are
members of our domain.

Is there any way to limit this, or will limiting this "feature" screw
up other programs that depend on Active Directory? I know you can
limit the number of results returned in a query- will this keep users
from opening Active Directory Users and Computers and seeing
everything in the domain?

You could secure MMC.EXE or and use group policy to prevent them from running
it.



Jerold Schulman
Windows: General MVP
JSI, Inc.
http://www.jsiinc.com

 

[Eric D]

You could secure MMC.EXE or and use group policy to prevent them from running
it.

Sorry, this won't help for the simple reason that users could still
use ADSI Edit or another third-party user management tool (I'm sure
they are out there). This especially won't help in a University
environment where students have a username and password on the domain,
but use machines that are not members of the domain- and thus don't
have group policy restrictions placed on them.