Re: Delegate Control?
Use dsacls and dump the ACLs of various objects in your domain; it is all documented there what can be read by whom. By default, AD is very open in who can read what, to make it so the maximum number of apps can run with minimal issues. If you want a very locked down LDAP directory, take a peek at ADAM, which is locked down by default and you have to open it up. AD would have been like that too had it come out after the security lockdown occurred. Unfortunately it didn't, and to do a wholesale change now can really dork up applications.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
Dan wrote:
Hi,
Do "normal" users have access to query AD OUs? I created a user today named 'svc-service' and gave it read access only to a single OU via the Delegation of Control wizard. To my surprise, it turns out that the account is also able to query all of the other OUs in my domain (not just nested OUs but even ones at the same level as where I gave it access). Am I missing something here? Why would an account that has no other rights be able to query these other OUs? For example, at the top of my domain structure (dc=company,dc=com) sits an OU named 'America' (ou=america,dc=company,dc=com) and another one named 'Africa' (ou=africa,dc=company,dc=com). Why, if I did a delegation of control and gave read access to a low-level account (domain user only) to the Africa OU, would it also be able to read from America? Is that just built in through Authenticated Users or something?
Thanks,
D
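As an added illustration of Joe's advice (not code from either poster), the following PowerShell dumps the read-granting ACEs on the domain root and on the two OUs Dan names, so you can see which trustees already have read access before any delegation is done. It assumes the ActiveDirectory module (the AD: drive) is available and that the DNs from Dan's post exist; the dsacls command in the trailing comment gives the same information as a raw dump.

```powershell
# Added example, not from the original thread: list every Allow ACE that
# grants some form of read on the domain root and the Africa/America OUs.
# Assumes the ActiveDirectory module and the DNs used in Dan's question.
Import-Module ActiveDirectory

$targets = @(
    'DC=company,DC=com',
    'OU=Africa,DC=company,DC=com',
    'OU=America,DC=company,DC=com'
)

# Rights that amount to "can read this object, its attributes or its children"
$readRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ListObject

foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            ($_.ActiveDirectoryRights -band $readRights) -ne 0
        } |
        Select-Object @{ n = 'Object'; e = { $dn } },
                      IdentityReference,
                      ActiveDirectoryRights,
                      IsInherited,
                      InheritanceType |
        Format-Table -AutoSize
}

# Raw equivalent with the tool Joe names:
#   dsacls "OU=Africa,DC=company,DC=com"
```

Entries for broad trustees such as Authenticated Users or Everyone that show up on an OU you never delegated are the default read grants Joe is describing; if the service account's only explicit ACE is the one you added on Africa, those default entries are what let it read America as well.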