Re: Search Global Catalog for specific domains only

From: Joe Richards [MVP] (humorexpress_at_hotmail.com)
Date: 09/11/04 

Date: Sat, 11 Sep 2004 10:40:37 -0400

Note that this will be tougher than a simple inherited deny as many objects get
explicit grants. Every explicit grant (to everyone or to Pre_W2K access if
enabled or to auth users, etc) will have to be overridden with an explicit deny. 

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net
Herb Martin wrote:
> "Mikael" <Mikael@discussions.microsoft.com> wrote in message
> news:464E7C30-AE45-44B2-9136-CEE968430BED@microsoft.com...
> 
>>Hello!
>>
>>I have a third-party application that connects to Global Catalog and
> 
> display
> 
>>various user information.
>>
>>It searches all sub domains in Global Catalog. One of these sub domains is
> 
> a
> 
>>test domain, with a lot of fake test users.
>>
>>How can I limit the search results without moving this specific sub domain
>>to another root domain?
>>
>>As I can't change the application, I thought that it might be possible to
>>configure some Deny security settings for this sub domain. The application
>>uses a named user to connect. I have tried to Deny read access to the sub
>>domain, but that doesn't affect searches in Global Catalog. But it must be
>>possible, right....?
> 
> 
> IN principle you can create a Group and DENY that group
> access through the test domain -- then place the user (directly
> or through another group) within that group with DENIED
> access.
> 
> Be sure to create a new group for this so it is easy to add/remove
> both it and to change the contents as necessary.
>