Re: Re: Restrict Access to AD snap-in

From: ptwilliams (ptw2001_at_hotmail.com)
Date: 01/05/05


Date: Wed, 5 Jan 2005 07:43:04 -0000

True, but there are lots of other ways of accessing the directory, e.g.
ADSIEdit, LDP, VBScript, etc.

You can remove the right to modify, read, etc.

However, I would recommend you create a new group, add those users to that
group and use deny permissions for this group only. Once you've created the
group, test using an OU. If you get the desired results, apply the
permissions further up the tree. I've had mixed results with ad-hoc
permissions changes - I would test everything first.

I wouldn't remove the authenticated users permission without lots of testing
first.

-- 
Paul Williams
http://www.msresource.net/
http://forums.msresource.net/
"lforbes" <UseLinkToEmail@WindowsForumz.com> wrote in message 
news:41db35a0$1_1@alt.athenanews.com...
> Hi,
>
> > I am running a Windows 2000 Active Directory and would like to know
> > if there is a way to restrict users from installing Active Directory
> > Users & Computers and viewing the Active Directory from that tool.
>
> You can restrict access using Group Policy.  It is located in Admin
> Templates, Windows Components, Microsoft Management Console,
> Restricted/Permitted Snapins.
>
> Cheers,
>
> Lara
>
> PS. It works because I have had to remove the policy for users that
> needed access to AD.


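The group-plus-deny approach from the reply above, written out as commands. This is an added example, not part of either post. It assumes `dsacls.exe` from the Windows Support Tools is available, and the domain `EXAMPLE` (`DC=example,DC=com`), the test OU `AclTest`, the group `DenyDirRead` and the account `testuser1` are hypothetical names.

```bat
:: Added example; all names below are hypothetical placeholders.

:: 1. Create a dedicated group and add only the users to be restricted.
net group DenyDirRead /add /domain /comment:"Denied read on selected OUs"
net group DenyDirRead testuser1 /add /domain

:: 2. Record the current ACL of the test OU so the change can be compared
::    and reverted.
dsacls "OU=AclTest,DC=example,DC=com" > acltest-before.txt

:: 3. Add a deny ACE for the group only, on the test OU and its child
::    objects (/I:T). GR = generic read. Authenticated Users is untouched.
dsacls "OU=AclTest,DC=example,DC=com" /I:T /D "EXAMPLE\DenyDirRead:GR"

:: 4. Confirm the deny ACE is present.
dsacls "OU=AclTest,DC=example,DC=com" > acltest-after.txt
fc acltest-before.txt acltest-after.txt

:: 5. Test as a member of the group. runas creates a fresh logon, so the
::    new group membership is in the token. In the window that opens, try
::    to read the OU with each tool that matters (ADUC, ADSIEdit, LDP, a
::    script); the read should fail if the deny ACE took effect.
runas /user:EXAMPLE\testuser1 "cmd /k dsacls OU=AclTest,DC=example,DC=com"

:: 6. Rollback: remove every ACE for the group from the test OU.
dsacls "OU=AclTest,DC=example,DC=com" /R "EXAMPLE\DenyDirRead"
```

Because the deny ACE is evaluated at the directory, it applies to every LDAP client, whereas the MMC snap-in policy only affects the console.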