Re: Prevent Domain Users from Browsing Active Directory OUs

Tech-Archive recommends: Fix windows errors by optimizing your registry

From: Ehab (ehabmm_at_yalla.com)
Date: 05/27/04 

Date: 27 May 2004 04:33:42 -0700

Because i work in a university and i dont want students to have access
to computer names and user accounts for staff and etc....
it can cause many problems if misused.

the questions is: is removing the read access from all OU's including
the container of the users. is this going to affect in anythig
like authentication, password reset, connectivity with domain, LDAP
requests. etc.....

i am afraid it would stop some domain services from be provided to
domain users if they dont have read access to the location of their
accounts..

Thanks and Regards,

"Rob Elder MVP-Networking" <relder@thisisnotright.com> wrote in message news:<#eJ55$jQEHA.3988@tk2msftngp13.phx.gbl>...
> Removing the Read permission on the AD object will prevent browsing. Buy
> why? One of the features of AD is to allow users to find users, printers,
> shared folders.
>
>
> "Ehab" <ehabmm@yalla.com> wrote in message
> news:a0c59050.0405250131.6c2ac5f8@posting.google.com...
> > Hi
> > Is there anyway to to prevent domain users from viewing and browsing
> > active directory icon located in My network places.
> >
> > by default all domain users can access it and see all the OUs and
> > users in active directory.
> >
> > please help me

Relevant Pages

  • Re: Send As permission removed by AD
    ... permission, and the permission gets removed by AD. ... User accounts are ... simply domain users so Send As right should stay. ... Best to start Active Directory replication troubleshooting ...
    (microsoft.public.exchange.setup)
  • Re: User Login
    ... The setting I'm referring to in item #1 is a Computer Configuration setting, so applying a GPO with this setting to an OU that only has User Accounts in it will have no affect whatsoever. ... The GPO must be applied to an OU that has Computer Accounts in it to be any use. ... If you want to, you can specify the user accounts in the GPO setting (Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment Deny log on locally), but I suspect it will be easier in the long run to specify a group name here and put the e-mail only user accounts into that group. ... the domain group called Domain Users is a member of the local Users group on all computers; this is usually why any domain user can logon at any domin member computer. ...
    (microsoft.public.windows.server.active_directory)
  • How To Change Active Directory Permissions
    ... is there any way to change Active Directory ... permissions (i.e. configure which domain users can *see* items listed ... When I pull up the Active Directory search box from the Network ...
    (microsoft.public.windows.server.active_directory)
  • Re: Printer permissions ??
    ... why "full access" they dont have Manage printers? ... User2 - Help Desk Users, Managers, Domain Users, Domain Admins ... LaserJetA - ...
    (microsoft.public.windows.server.active_directory)
  • active directory users and computers
    ... Domain users and computers on a Win2000 server from an XP ... >during your dcpromo instalation you may have to remove ... >active directory and wait a few hours and then do the ...
    (microsoft.public.windowsxp.security_admin)