Re: Normal user can open Active Directory Users and Computers?

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

From: Eric D (siberia37_at_yahoo.com)
Date: 09/07/04 

Date: 7 Sep 2004 08:41:01 -0700

Jerold Schulman <Jerry@jsiinc.com> wrote in message news:<ahkhj0pmi28rfro6jmpfr064amd9l95t8b@4ax.com>...
> On 3 Sep 2004 08:03:45 -0700, siberia37@yahoo.com (Eric D) wrote:
>
> >So does it disturb anyone else that a normal user on your domain can
> >open Active Directory Users and Computers and get any information they
> >want includling list of groups, location of profiles etc.. Obviously
> >the users can't change anything put this is still disturbing to me,
> >especially being in a University environment where students are
> >members of our domain.
> >
> >Is there any way to limit this, or will limiting this "feature" screw
> >up other programs that depend on Active Directory? I know you can
> >limit the number of results returned in a query- will this keep users
> >from opening Active Directory Users and Computers and seeing
> >everything in the domain?
>
> You could secure MMC.EXE or and use group policy to prevent them from running
> it.
>

Sorry, this won't help for the simple reason that users could still
use ADSI Edit or another third-party user management tool (I'm sure
they are out there). This especially won't help in a University
environment where students have a username and password on the domain,
but use machines that are not members of the domain- and thus don't
have group policy restrictions placed on them.

Relevant Pages

  • Re: Filtering on a Security Group to Apply a Group policy
    ... an OU - I need to use the already created OU's to attach a new Group Policy ... to and make sure the Group Policy is only applied though to certain computers ... And I do this by creating a security group and adding the pc's ... break that are tied into Active Directory. ...
    (microsoft.public.windows.server.active_directory)
  • RE: Problem with Q320065 in 2003AD
    ... computers from your workstation, you have to be on the DC to get the local ... Our goal is to add all domain admins to all machines, ... You are returned to the group policy ... > only location that is available is the active directory mycompany.net. ...
    (microsoft.public.windows.group_policy)
  • Active Directory users and computers
    ... Im having trouble with the Active directory. ... shows no computers what so ever on the domain. ... "Group Policy Error" ... (Failed to open the Group Policy Object. ...
    (microsoft.public.backoffice.smallbiz2000)
  • Normal user can open Active Directory Users and Computers?
    ... So does it disturb anyone else that a normal user on your domain can ... open Active Directory Users and Computers and get any information they ... up other programs that depend on Active Directory? ...
    (microsoft.public.win2000.active_directory)
  • Re: W2K Group Policy Overriding Local Machine Rights
    ... in the Active Directory Users and ... Terminal Server user can do. ... The computers that I rebuilt are also ... When I move the user out of the Group Policy into "Users" in the Active ...
    (microsoft.public.win2000.security)