limit any user from query ad objects

  • limit any user from query ad objects

    Hello,

    right now on my 2003 AD environment, any user can use dsquery and query the ad for objects.

    Is there a way to not allow regular domain users to query ad objects?

    It would be cool if they can still query printers, but if that is too hard to separate out, then it's fine because I can manually map the printers for them.

    But I'd rather not have people have the ability to just query the AD for any info (like username, or phone numbers, etc.).

    thanks in advance guys,

  • #2
    Re: limit any user from query ad objects

    I don't think it's possible as I believe all users have read access to all objects in AD.

    You could just use GP to block dsquery type commands for all authenticated users and block inheritance for your domain admins.

    Actually, I was just thinking if you block a .exe via GP can you still run it via a cmd line - something I have never tried

    Michael
    Michael Armstrong
    www.m80arm.co.uk
    MCITP: EA, MCTS, MCSE 2003, MCSA 2003: Messaging, CCA, VCP 3.5, 4, 5, VCAP5-DCD, VCAP5-DCA, ITIL, MCP, PGP Certified Technician

    ** Remember to give credit where credit is due and leave reputation points where appropriate **


    • #3
      Re: limit any user from query ad objects

      thanks for the reply.

      Hmm, I guess I can just block dsquery...but there's just so many different ways to get at AD info (if not dsquery, there's vb scripts, csvde, etc..).

      I guess I'll just have to live with having users having read access to all AD objects.


      • #4
        Re: limit any user from query ad objects

        Originally posted by mrfreezy
        thanks for the reply.

        Hmm, I guess I can just block dsquery...but there's just so many different ways to get at AD info (if not dsquery, there's vb scripts, csvde, etc..).

        I guess I'll just have to live with having users having read access to all AD objects.
        You do not have to. You can control what attributes the Authenticated Users are allowed to read - this is done by adjusting the Default Security Descriptor of the User object class in the schema and by editing the ACLs of the user account objects that already exist.

        What attributes do you want to hide?
        Guy Teverovsky
        "Smith & Wesson - the original point and click interface"
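        Before editing ACLs it helps to see which ACEs on an existing account actually grant that read access and which attribute or property set each one covers; the PowerShell below is an added example, not code from this thread, and assumes the RSAT ActiveDirectory module, a domain-joined session, and a constructed account name 'jdoe'.

```powershell
# Added example: list the ACEs on one user object that let broad groups read it,
# resolving the attribute / property-set GUID in each ACE to a readable name.
# Assumes the ActiveDirectory module (RSAT); 'jdoe' is a constructed sample account.
Import-Module ActiveDirectory

function Get-BroadReadAces {
    param([Parameter(Mandatory)][string]$SamAccountName)

    $rootDse = Get-ADRootDSE
    $guidMap = @{}
    # schemaIDGUID -> lDAPDisplayName for every attribute and class in the schema
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
        -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $guidMap[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    # rightsGuid -> displayName for property sets (e.g. Personal Information) and extended rights
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $guidMap[[guid]$_.rightsGuid] = $_.displayName }

    # Pre-Windows 2000 Compatible Access usually contains Authenticated Users,
    # so a read granted to it reaches the same people and must be reviewed too.
    $broadGroups = @('NT AUTHORITY\Authenticated Users', 'Everyone',
                     'BUILTIN\Pre-Windows 2000 Compatible Access')

    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path "AD:\$($user.DistinguishedName)"

    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $broadGroups -contains $_.IdentityReference.Value -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)
        } |
        ForEach-Object {
            # An empty ObjectType GUID means the ACE applies to every property
            $scope = if ($_.ObjectType -eq [guid]::Empty) { '<all properties>' }
                     elseif ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] }
                     else { $_.ObjectType.ToString() }
            [pscustomobject]@{
                Identity  = $_.IdentityReference.Value
                Scope     = $scope
                Inherited = $_.IsInherited   # inherited ACEs come from the OU/domain, not the object
            }
        }
}

Get-BroadReadAces -SamAccountName 'jdoe' | Format-Table -AutoSize
```

Inherited entries point at the container or domain root rather than the user object, so removing read access only on the object or in the schema default will not affect them.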



        • #5
          Re: limit any user from query ad objects

          thanks for replying GuyT,

          I would like to hide:

          username, first name, last name, MI



          • #6
            Re: limit any user from query ad objects

            Originally posted by mrfreezy
            thanks for replying GuyT,

            I would like to hide:

            username, first name, last name, MI
            Why would you want to do that ???

            Those are attributes that are used by almost ANY AD aware application and should not be hidden. What is the reason behind hiding user names?
            Guy Teverovsky
            "Smith & Wesson - the original point and click interface"
