Re: Hide group membership?
From: Stefan Buchman (stefan2002b_at_yahoo.com)
Date: 04/23/04
- Next message: Chriss3: "Re: second dc on a windows 2000 environment"
- Previous message: John Woodward: "Client Machine Account replication delays"
- In reply to: A.J. Fried: "Hide group membership?"
- Messages sorted by: [ date ] [ thread ]
Date: Fri, 23 Apr 2004 12:54:27 -0400
The users themselves are not checking to see if they are members of the
group it would be the remote system (File Server, Web Server, etc...)
that would be checking that users access if using NTLM otherwise it
would be the Domain Controller if using Kerberos V5.
Either way the user is never responsible for checking it's own group
memebership so you would not be able to deny access to the KDC / LSA to
read this group.
- Stefan
A.J. Fried wrote:
> I have a group that I would like to temporarily disable without actually
> deleting it. I'm trying to find out what (if anything) it's used for so my
> thought it to disable or hide it somehow so that members don't "know" that
> they are members and so they wont get whatever permissions are normally
> afforded via membership in that group.
>
> I have played with the permissions on the group object in AD but it doesn't
> seem to work.
>
> Specifically, I set authenticated users to deny read on the group object in
> AD. However, members still "know" they are members - eg - if I log in as a
> member of the group and run GPResult.exe it still tells me that I am a
> member.
>
> Is there a way to do this? Am I thinking about this correctly?
>
> TIA.
>
> --> A.J. Fried
- Next message: Chriss3: "Re: second dc on a windows 2000 environment"
- Previous message: John Woodward: "Client Machine Account replication delays"
- In reply to: A.J. Fried: "Hide group membership?"
- Messages sorted by: [ date ] [ thread ]
Relevant Pages
|
