Restrict Access to AD snap-in

Guest

Hello,

I am running a Windows 2000 Active Directory and would like to know if there
is a way to restrict users from installing Active Directory Users & Computers
and viewing the Active Directory from that tool. We are running Exchange
2000 as well so I don't know if I change any of the default permissions on AD
will that affect the GAL and other lookup functions. I don't feel
comfortable with it, but is there any real danger that any authenticated user
can just install ADUC and browse the full Active Directory (even though they
cannot write to it)?

I have searched as much as I think I can but have not come up with a
discussion or white paper that clearly addresses my questions. Any
information you could provide would be much appreciated!

Thanks!
 
ptwilliams

Yes, make the users members of the users group, not domain admins or local
power users.

Standard users cannot install software.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/

"osubuckeye98" <osubuckeye98 at gmail-dot-com (no spam reformat)> wrote in
message

Hello,

I am running a Windows 2000 Active Directory and would like to know if there
is a way to restrict users from installing Active Directory Users & Computers
and viewing the Active Directory from that tool. We are running Exchange
2000 as well so I don't know if I change any of the default permissions on AD
will that affect the GAL and other lookup functions. I don't feel
comfortable with it, but is there any real danger that any authenticated user
can just install ADUC and browse the full Active Directory (even though they
cannot write to it)?

I have searched as much as I think I can but have not come up with a
discussion or white paper that clearly addresses my questions. Any
information you could provide would be much appreciated!

Thanks!
 
Guest

Hello Paul,

Thanks for your prompt reply. Since the users I speak of are local admins
on their computers, is there a way to restrict permissions in AD so they
cannot view AD even if they have ADUC installed or would that totally destroy
everything that's been built? If I simply remove read access for
Authenticated Users will that solve the problem or create more?

Thanks again for your help!
Helios
 
lforbes

Hi,
I am running a Windows 2000 Active Directory and would like to know if
there is a way to restrict users from installing Active Directory
Users & Computers and viewing the Active Directory from that tool.

You can restrict access using Group Policy. It is located in Admin
Templates, Windows Components, Microsoft Management Console,
Restricted/Permitted Snapins.

Cheers,

Lara

PS. It works because I have had to remove the policy for users that
needed access to AD.
 
ptwilliams

True, but there's lots of other ways of accessing the directory, e.g.
ADSIEdit, LDP, VBScript, etc.

You can remove the right to modify, read, etc.

However, I would recommend you create a new group, add those users to that
group and use deny permissions for this group only. Once you've created the
group, test using an OU. If you get the desired results apply the
permissions further up the tree. I've had mixed results with ad-hoc
permissions changes - I would test everything first.

I wouldn't remove the authenticated users permission without lots of testing
first.

--

Paul Williams

http://www.msresource.net/
http://forums.msresource.net/
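
The test-on-an-OU-first advice above, as an added example that is not part of the thread: a simplified Python model of how Windows walks a DACL in stored order, showing a deny ACE for a dedicated group taking effect on the test OU and then losing to an explicit allow on a child object when the deny is only inherited. The SID, the SDDL strings and the function names are constructed for illustration, and object-specific ACEs are not modelled.

```python
import re

# Constructed sample values: the SID stands for the hypothetical deny group.
NOBROWSE = "S-1-5-21-1111-2222-3333-1105"
# Test OU: explicit deny for the group, then allow for Authenticated Users (AU).
OU_DACL = f"D:(D;CI;RPLC;;;{NOBROWSE})(A;CI;RPLCLORC;;;AU)"
# Child object: its own explicit allow sorts ahead of the deny inherited (ID)
# from the OU, because canonical order puts explicit ACEs first.
CHILD_DACL = f"D:(A;;RPLCLORC;;;AU)(D;CIID;RPLC;;;{NOBROWSE})(A;CIID;RPLCLORC;;;AU)"

def pairs(field):
    """Split an SDDL flag or rights field into its two-letter codes."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def parse_dacl(sddl):
    """Return ACEs in stored order as (type, flags, rights, sid) tuples."""
    aces = []
    for body in re.findall(r"\(([^()]*)\)", sddl.split("D:", 1)[1]):
        ace_type, flags, rights, _obj, _inh, sid = body.split(";")[:6]
        aces.append((ace_type, pairs(flags), pairs(rights), sid))
    return aces

def access_check(sddl, token_sids, desired):
    """Walk the DACL in order, as Windows does: the first ACE that decides
    a requested right wins. Rights nobody grants are denied."""
    remaining = set(desired)
    for ace_type, flags, rights, sid in parse_dacl(sddl):
        if sid not in token_sids or "IO" in flags:  # IO = inherit-only
            continue
        if ace_type == "D" and rights & remaining:
            return False
        if ace_type == "A":
            remaining -= rights
        if not remaining:
            return True
    return False

def report():
    member = {NOBROWSE, "AU"}  # user placed in the deny group
    other = {"AU"}             # any other authenticated user
    read = {"RP", "LC"}        # read property + list children
    return {
        "ou_member": access_check(OU_DACL, member, read),
        "ou_other": access_check(OU_DACL, other, read),
        "child_member": access_check(CHILD_DACL, member, read),
    }

if __name__ == "__main__":
    print(report())
```

A result that looks right on the test OU therefore still has to be checked on the objects beneath it, since any object carrying its own explicit allow ACE is unaffected by a deny it merely inherits.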
 
Gary Simmons

I'd go for the permitted snapins, if users are installing other LDAP
viewers then you've got other probs...

I wouldn't modify the Authenticated users rights at the root or put in
a Deny either, both will break AD and MS will prob not support you
with that type of cfg..

Cheers
Gary Simmons

(e-mail address removed)
 
Guest

It sounds like restricting installation/access to the ADUC snap-in with
Administrative Templates is the safer route. I wonder, if they have it
installed already and I implement that policy, would it remove/hide the
snap-in when they attempt to use it?

Thanks for everyone's helpful suggestions!

Kind Regards,
Helios
 
