Restrict view of AD

Hello

I have delegated control of an OU in AD to a specific group, and removed "Authenticated Users" rights from the other OUs. The problem is: when a user in the group that has been delegated control is modifying group membership, he/she is able to see all the other users in AD (in the "Select Users, Groups, Contacts, Computers" lookup window). Is there a way to control this?
 
Hello,

I have delegated control of an OU in AD to a specific group, and removed
"Authenticated Users" rights from the other OUs. The problem is: when
a user in the group that has been delegated control is modifying group
membership, he/she is able to see all the other users in AD (in the
"Select Users, Groups, Contacts, Computers" lookup window). Is there a
way to control this?

No. All users (whether delegated or not) have read rights to the entire
directory. Without these permissions the directory service could not operate.

Andy.
 
Then what is the point of having the "list contents" permission in the first place? Is there a way to filter the view? The "Select Users, Groups, Contacts and Computers" seems like a remnant of the old NT 4.0 architecture and is very inadequate. Are there third party tools available to accomplish this?
 
Jason, you may want to use List Object mode by changing the dSHeuristics
attribute.

This VBScript code enables or disables list object mode for a forest.

' ---------------------------------------------------------------
' From the book "Active Directory Cookbook" by Robbie Allen
' Publisher: O'Reilly and Associates
' ISBN: 0-596-00466-4
' Book web site: http://rallenhome.com/books/adcookbook/code.html
' ---------------------------------------------------------------

' ------ SCRIPT CONFIGURATION ------
boolEnableListObject = 1 ' e.g. 1 to enable, 0 to disable
' ------ END CONFIGURATION ---------

' dSHeuristics lives on the Directory Service object in the Configuration
' naming context. It is a single string of one-character flags; the third
' character (fDoListObject) turns List Object mode on ("1") or off ("0").
Set objRootDSE = GetObject("LDAP://RootDSE")
Set objDS = GetObject( _
    "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
    & objRootDSE.Get("configurationNamingContext"))

' The attribute is not set on a freshly built forest, and Get() on an
' unset attribute raises "The Active Directory property cannot be found
' in the cache", so treat that error as an empty value.
On Error Resume Next
strDSH = objDS.Get("dSHeuristics")
If Err.Number <> 0 Then
    strDSH = ""
    Err.Clear
End If
On Error GoTo 0

' Pad the existing value so the flag is written to position 3
' rather than position 1 (position 1 is a different heuristic).
strPadded = strDSH
Do While Len(strPadded) < 2
    strPadded = strPadded & "0"
Loop
strNewDSH = Left(strPadded, 2) & boolEnableListObject
If Len(strPadded) > 3 Then
    strNewDSH = strNewDSH & Right(strPadded, Len(strPadded) - 3)
End If

WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH

If strDSH <> strNewDSH Then
    objDS.Put "dSHeuristics", strNewDSH
    objDS.SetInfo
    WScript.Echo "Successfully set list object mode to " & boolEnableListObject
Else
    WScript.Echo "List object mode already set to " & boolEnableListObject
End If


--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

Jason Williams said:
Hello,

I have delegated control of an OU in AD to a specific group, and removed
"Authenticated Users" rights from the other OUs. The problem is: when a
user in the group that has been delegated control is modifying group
membership, he/she is able to see all the other users in AD (in the "Select
Users, Groups, Contacts, Computers" lookup window). Is there a way to
control this?
 
Thanks Chris

I get the error message

(16,1) Active Directory: The Active Directory property cannot be found in the cache

I used ADSI Edit to look for this property, but can't find it. Any suggestions?

Jason
 
Thanks Chris, I found it at

Configuration --> Services --> Windows NT --> Directory Service

I have set the value to 1, but nothing changes... what does this property control? Does it require a reboot?

Thanks

Jason
 
OK, I've read the article and made the attribute visible, but I still can't seem to accomplish the task. If I want to make users in a specific OU invisible, how do I apply the List Object permission? Should I be using "deny" on that permission? My domain container has the "Authenticated Users" receiving the "List Contents" permission... am I to understand that this permission will apply to all child objects even if the child OU does not inherit? Any suggestions are much appreciated.

Jason
 
You can remove the Authenticated Users group from the particular OU if you
want. That should prevent Authenticated Users from browsing the content.
--
Regards
Christoffer Andersson

No email replies please - reply in the newsgroup

Jason Williams said:
OK, I've read the article and made the attribute visible, but I still
can't seem to accomplish the task. If I want to make users in a specific OU
invisible, how do I apply the List Object permission? Should I be using
"deny" on that permission? My domain container has the "Authenticated
Users" receiving the "List Contents" permission... am I to understand that
this permission will apply to all child objects even if the child OU does
not inherit? Any suggestions are much appreciated...
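Putting Christoffer's two suggestions together (List Object mode via dSHeuristics, then stripping the broad listing rights from the OU you want to hide), here is an added PowerShell example. It is not from the thread or from the Active Directory Cookbook; it assumes the ActiveDirectory RSAT module and an account allowed to write dSHeuristics and the OU's security descriptor, and the OU DN and group name are placeholders. Two points the posts leave implicit: dSHeuristics is a positional string, so writing "1" into an unset attribute sets the first heuristic rather than the third, and the List Object flag has to land in position 3 ("001"); and removing Authenticated Users from an OU is not enough on its own if the OU still inherits the domain root's List Contents / Read ACEs for Pre-Windows 2000 Compatible Access, a group that normally contains Authenticated Users.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module (RSAT)
# and an account allowed to write dSHeuristics and the OU's security descriptor.
# $hiddenOU and $delegatedGroup are placeholders for this illustration.
Import-Module ActiveDirectory

$hiddenOU       = 'OU=Finance,DC=corp,DC=example'   # OU whose objects should not be listed by everyone
$delegatedGroup = 'OU-Finance-Admins'                # sAMAccountName of the group that must still see it

# --- 1. Turn on List Object mode: position 3 of dSHeuristics (fDoListObject) ---
$dsPath = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
          (Get-ADRootDSE).configurationNamingContext
$old = (Get-ADObject -Identity $dsPath -Properties dSHeuristics).dSHeuristics
if (-not $old) { $old = '' }                         # attribute is unset on a new forest
$padded = $old.PadRight(3, '0')                      # '' -> '000'; a bare '1' is '100' (position 1 is another flag)
$new = $padded.Substring(0, 2) + '1' + $padded.Substring(3)
if ($new -ne $old) {
    Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = $new }
}
Write-Host "dSHeuristics: '$old' -> '$new'"

# --- 2. Prune the broad list/read ACEs on the OU ---
# Break inheritance but keep copies of the inherited ACEs, so the admin ACEs
# (Domain Admins, Enterprise Admins, SYSTEM, ...) survive and only the broad
# principals are removed.
$acl = Get-Acl -Path "AD:\$hiddenOU"
$acl.SetAccessRuleProtection($true, $true)
$broadPrincipals = @('NT AUTHORITY\Authenticated Users',
                     'Everyone',
                     'BUILTIN\Pre-Windows 2000 Compatible Access')
$listBits = [int][System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ListObject'
foreach ($ace in @($acl.Access)) {
    if ($ace.AccessControlType -eq 'Allow' -and
        $broadPrincipals -contains $ace.IdentityReference.Value -and
        (([int]$ace.ActiveDirectoryRights -band $listBits) -ne 0)) {
        [void]$acl.RemoveAccessRule($ace)
        Write-Host "Removed $($ace.ActiveDirectoryRights) for $($ace.IdentityReference)"
    }
}

# --- 3. Give the delegated group full visibility of the OU and its descendants ---
# List Contents on the OU lets the group enumerate it outright; List Object on
# the OU and its children is what List Object mode checks for everyone else.
$groupSid = (Get-ADGroup -Identity $delegatedGroup).SID
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]'ListChildren, ListObject',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
[void]$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$hiddenOU" -AclObject $acl

# --- 4. Verify: which principals can still list the OU's children? ---
(Get-Acl -Path "AD:\$hiddenOU").Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   (([int]$_.ActiveDirectoryRights -band $listBits) -ne 0) } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited
```

Once step 2 has propagated to the child objects, an LDAP search (which is what the "Select Users, Groups, Contacts, Computers" picker runs against the Global Catalog) no longer returns the users under that OU to anyone who only holds the broad rights, while the delegated group still sees them. Step 1 only matters for finer-grained cases: with List Object mode on, a principal that lacks List Contents on the OU but holds List Object on the OU and on a particular child sees that child and nothing else, which is how you expose a handful of objects from an otherwise hidden container. Checking the output of step 4 is worthwhile on any domain that was upgraded from NT 4.0 or built in pre-Windows 2000 compatibility mode, since Pre-Windows 2000 Compatible Access may also contain Everyone and Anonymous Logon.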
 