Users Container Security


  • Users Container Security

    Has anyone heard of removing inheritance and locking down the Users container in AD as a security best practice? If so, do you know of a link explaining the why?

    I've not heard of doing this as a best practice.
    Technology is only as good as those who use it

    My tech blog - wiredtek.wordpress.com

  • #2
    Re: Users Container Security

    The Users and Computers containers are legacy objects. Those containers behave differently than other containers.

    http://support.microsoft.com/kb/324949

    My best practice is to not use those containers.
    gerth

    MCITP sa, ea & va, [email protected]


    • #3
      Re: Users Container Security

      It's a container - they don't have the same capabilities as an OU.
      Like Gerth said, it's best practice not to use them (plus, GPOs won't apply, for starters).


      • #4
        Re: Users Container Security

        I haven't heard of the need to lock it down because non-administrators don't and shouldn't have access to it by default.


        • #5
          Re: Users Container Security

          Originally posted by tehcamel:
          "GPOs won't apply"
          You can't link GPOs to a container. However, GPOs linked to an ancestor of the container (such as the domain) will apply to objects within the container.
          Gareth Howells

          BSc (Hons), MBCS, MCP, MCDST, ICCE

          Any advice is given in good faith and without warranty.

          Please give reputation points if somebody has helped you.

          "For by now I could have stretched out my hand and struck you and your people with a plague that would have wiped you off the Earth." (Exodus 9:15) - I could kill you with my thumb.

          "Everything that lives and moves will be food for you." (Genesis 9:3) - For every animal you don't eat, I'm going to eat three.


          • #6
            Re: Users Container Security

            I understand this, but I'm putting in Exchange in a client environment... and the discoverysearch automatically goes there, and they have it locked down, so trying to do some things is not working properly. I am going to have them move it to an OU and see what happens.

            But they stated they do it because it is best practice to lock down the container as it contains protected accounts. And I've never heard of this practice, so I wanted to see if it was an actual best practice or something they came up with on their own.
            Technology is only as good as those who use it

            My tech blog - wiredtek.wordpress.com


            • #7
              Re: Users Container Security

              Who is "they" in this context?
              I have always thought of the users and computers containers purely as a way of tidying up ADUC -- as stated, they cannot have policies applied to them -- they pick up domain level policies only.
              Tom Jones
              MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
              PhD, MSc, FIAP, MIITT
              IT Trainer / Consultant
              Ossian Ltd
              Scotland

              ** Remember to give credit where credit is due and leave reputation points where appropriate **


              • #8
                Re: Users Container Security

                Ask them to provide a reference to back up their claims.

                It's true that these containers are somewhat "legacy". I've never heard of any security implications with using them. From memory, because of the limited control you can have over them in terms of Group Policy, Microsoft actively recommend that you aim to move all users out of the Users container. Keep in mind that some applications may only look in this default container for user accounts or other objects and may not function correctly if they are unable to access them.
                Gareth Howells

                • #9
                  Re: Users Container Security

                  they = my client

                  I had just never heard of doing this, especially considering elevated accounts are protected by the AdminSDHolder anyway.

                  Just wanted to see if there was any validity to their claim before pursuing that they make it right, as ultimately I'm responsible for the end product as their consultant.
                  Technology is only as good as those who use it

                  My tech blog - wiredtek.wordpress.com
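
A read-only way to check the points raised in this thread on a given domain: whether inheritance has been removed from the Users container, which ACEs were set on it explicitly, and which accounts in it carry the AdminSDHolder stamp. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory module and read access, and the function name is hypothetical.

```powershell
# Added example: read-only audit of the default Users container.
# Assumes the RSAT ActiveDirectory module (provides the AD: drive) and read access.
Import-Module ActiveDirectory

function Get-UsersContainerAudit {                 # hypothetical helper name
    $usersDn = (Get-ADDomain).UsersContainer       # CN=Users,... unless redirected
    $acl     = Get-Acl -Path "AD:\$usersDn"

    # Accounts sitting directly in the container, with their own ACL state.
    $accounts = Get-ADUser -SearchBase $usersDn -SearchScope OneLevel -Filter * -Properties adminCount |
        ForEach-Object {
            $objAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
            [pscustomobject]@{
                SamAccountName     = $_.SamAccountName
                Enabled            = $_.Enabled
                # adminCount=1 is stamped by the AdminSDHolder/SDProp process; it can
                # remain set after an account leaves a protected group.
                AdminCount         = $_.adminCount
                # True here means the account's ACL does not inherit from the container.
                InheritanceBlocked = $objAcl.AreAccessRulesProtected
            }
        }

    [pscustomobject]@{
        Container          = $usersDn
        InheritanceBlocked = $acl.AreAccessRulesProtected   # True = inheritance removed
        Owner              = $acl.Owner
        ExplicitAces       = $acl.Access | Where-Object { -not $_.IsInherited } |
            Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights
        ProtectedAccounts  = $accounts | Where-Object { $_.AdminCount -eq 1 }
        OrdinaryAccounts   = $accounts | Where-Object { $_.AdminCount -ne 1 }
    }
}

$audit = Get-UsersContainerAudit
$audit | Format-List Container, InheritanceBlocked, Owner
$audit.ExplicitAces      | Format-Table -AutoSize
$audit.ProtectedAccounts | Format-Table -AutoSize
```

Accounts listed under `OrdinaryAccounts` are the ones that depend on the container's ACL and on domain-level GPOs only, so they are the candidates for moving to an OU.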
