Windows 2000 Active Directory reveals too much information.

news.tamu.edu

I installed the Windows 2000 Administration Pack on a desktop and launched
it as a regular user (no admin rights on the domain), and I was able to see
just about everything in Active Directory, like what groups exist, what the
individual settings are for all users, groups, objects. Basically
everything was visible, but actions such as reset password and create new
user were not enabled.

I looked at the individual security settings for each user, and it seems like
the groups "Everyone" and "Authenticated Users" have Read access. I read up on
Active Directory security and Microsoft says to keep the default settings.
These are the default settings.

So how do I make Active Directory not reveal so much information?
 
Steven L Umbach

You can change permissions on Active Directory objects to not allow a user
to see the object. However, the user must be able to see the domain
container, the container that their account is in, any objects allowed them
that they find by an AD search, and the domain controller container or else
the user may not be able to change their password or have Group Policy
applied to them. Other than that you should be able to modify permissions so
that an unauthorized user cannot see the container or object. If you try to
change permissions be SURE to test first and back up your Active Directory
with a System State backup of a domain controller before proceeding so that
you have a rollback plan.

--- Steve
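
Added example, not part of the original thread or either poster's code: a report-only PowerShell audit that lists which containers grant read-type rights to "Everyone" or "Authenticated Users", so the current state is recorded before any permission is changed. The base DN is a placeholder, and the script assumes a domain-joined machine with PowerShell and the default "Domain Controllers" OU name.

```powershell
# Added example: read-only audit. It reports ACEs and changes nothing.
param(
    # Assumption: placeholder DN; replace with the container to review.
    [string]$BaseDN = 'OU=Example,DC=example,DC=com'
)

Add-Type -AssemblyName System.DirectoryServices

# Well-known SIDs for the two groups named in the question.
$broad = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
}

# GenericRead = ReadProperty + ListChildren + ListObject + ReadControl.
$readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

$root     = [ADSI]"LDAP://$BaseDN"
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter      = '(|(objectClass=organizationalUnit)(objectClass=container))'
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 500

foreach ($hit in $searcher.FindAll()) {
    $dn    = [string]$hit.Properties['distinguishedname'][0]
    $entry = $hit.GetDirectoryEntry()

    # Explicit and inherited ACEs, with trustees returned as SIDs so the
    # match does not depend on localized group names.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])

    foreach ($rule in $rules) {
        $sid = $rule.IdentityReference.Value
        if ($rule.AccessControlType -eq 'Allow' -and
            $broad.ContainsKey($sid) -and
            ($rule.ActiveDirectoryRights -band $readMask)) {
            [pscustomobject]@{
                Container   = $dn
                Principal   = $broad[$sid]
                Rights      = $rule.ActiveDirectoryRights
                Inherited   = $rule.IsInherited
                # The reply says users must still see this container.
                KeepVisible = $dn -like 'OU=Domain Controllers,*'
            }
        }
    }
}
```

Export the output (for example with `Export-Csv`) alongside the System State backup, and re-run it after a tested change to confirm that only the intended entries differ.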
 
