Re: restrict read access
From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 07/13/04
- In reply to: ano: "restrict read access"
Date: Tue, 13 Jul 2004 09:41:44 -0400
This isn't going to be the most fun.
One method would be to place all users you don't want the program to enumerate
in an OU branch and then on that branch add a DENY Read Property to the userID.
The dsacls command would look like this:
dsacls OU=somesubou,OU=someou,DC=domain,DC=com /I:S /D domain\user:RP
It would probably be better though to assign the permission to a group and add
the user to the group in case there were other programs you wanted to do this
with, so instead do this:
dsacls OU=somesubou,OU=someou,DC=domain,DC=com /I:S /D domain\group:RP
Once this is done, unless there is an EXPLICIT ACE on the user object for the ID
to add permissions back, you will get an access denied when trying to enumerate
the specific user ids in that OU and a complete domain enumeration would miss
them entirely.
joe
--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net

ano wrote:
> Hi folks,
>
> we have an ad-domain with an nt4-domain. in this domain is
> a (very) old app that reads all accounts (with a service-
> account) and stores them in an internal database.
>
> we would like to restrict that to a special OU. But how???
>
> we set the permissions for the service-account to "full
> control = deny", but it didn't work. we have still all
> domain-accounts in the db. the service-account still reads
> all ad-objects.
>
> any idea how to restrict that?
>
> thanks...
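The following is an added example, not code from Joe's reply or from the original poster. It does with the ActiveDirectory PowerShell module what the dsacls line in the reply does (a Deny Read Property ACE on the OU, inherited by sub-objects only, granted to a group rather than to the account directly), and then runs the check the last paragraph of the reply implies: it looks for explicit ACEs on the user objects under the OU that would hand Read back and so let the service account see those users anyway. The OU DN is the placeholder from the reply; the group name, the container the group is created in, and the service account name are assumptions, as is the requirement that RSAT's ActiveDirectory module is installed and the script runs as a domain admin.

```powershell
# Added example, not from Joe's post or the original poster.
# Same effect as "dsacls <OU> /I:S /D domain\group:RP", done with the
# ActiveDirectory module, followed by a check for explicit ACEs on the
# user objects that would override the inherited deny.
# Assumptions: RSAT ActiveDirectory module installed, run as a domain admin,
# and the names below are placeholders to replace with your own.
Import-Module ActiveDirectory

$ou        = 'OU=somesubou,OU=someou,DC=domain,DC=com'   # OU DN from the post
$groupName = 'Deny-ReadProperty-Enum'                    # assumed group name
$groupPath = 'CN=Users,DC=domain,DC=com'                 # assumed container
$svcAcct   = 'svc-oldapp'                                # assumed service account

# 1. Put the service account in a group, as the reply recommends, so the same
#    ACE serves any other program you later want to block.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -Path $groupPath `
        -Description "Denied Read Property on descendants of $ou" | Out-Null
}
Add-ADGroupMember -Identity $groupName -Members $svcAcct

# 2. Deny ReadProperty on all properties (no property GUID given) to the group,
#    inherited by descendants only. This matches dsacls /I:S /D group:RP.
#    (.NET spells the inheritance value "Descendents".)
$groupSid = (Get-ADGroup -Identity $groupName).SID
$denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)

$ouAcl = Get-Acl -Path "AD:\$ou"
$ouAcl.AddAccessRule($denyRead)
Set-Acl -Path "AD:\$ou" -AclObject $ouAcl

# 3. An inherited deny is evaluated after an explicit allow on the object itself,
#    so list every non-inherited Allow ACE under the OU that carries read rights.
#    Each hit is a user the service account may still read if it holds, directly
#    or through group membership, the identity named in that ACE.
$readMask = [int]([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                  [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)

$overrides = Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * |
    ForEach-Object {
        $dn = $_.DistinguishedName
        (Get-Acl -Path "AD:\$dn").Access |
            Where-Object {
                (-not $_.IsInherited) -and
                ($_.AccessControlType -eq 'Allow') -and
                ((([int]$_.ActiveDirectoryRights) -band $readMask) -ne 0)
            } |
            Select-Object @{ n = 'User'; e = { $dn } }, IdentityReference, ActiveDirectoryRights
    }

if ($overrides) {
    Write-Warning "Explicit read ACEs found under $ou; these users may still be enumerated:"
    $overrides | Format-Table -AutoSize
} else {
    Write-Host "No explicit read ACEs under $ou; the inherited deny applies to every user there."
}

# 4. Optional check from the service account's side (prompts for its password):
#    a subtree search under the OU should no longer return those users.
# Get-ADUser -SearchBase $ou -SearchScope Subtree -Filter * `
#     -Credential (Get-Credential "domain\$svcAcct")
```

Two practical notes. Do not add an administrative account to the deny group while testing; a member of that group loses Read Property on every object under the OU, not just on the enumeration path the old application uses. And run step 3 again whenever someone delegates permissions on individual user objects in that OU, since a later explicit Allow on a user will silently re-expose that one account to the application.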