Re: hiding contacts (ojbect) from directory search (LDAP)

Tech-Archive recommends: Fix windows errors by optimizing your registry

I also tested it as I explained....
however first I did not use Outlook Express I used ADFIND which is a cool
command line util from joeware.

the command line was
adfind -gc -b "" -f
"(&(|(objectCategory=person)(objectCategory=group))(cn=someone))" -dn

you can try that yourself and you will see that it works.

I also tested it with Outlook Express and THAT also worked

by the way: dont use multiple posts

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
<tractng@xxxxxxxxx> wrote in message
news:1156925195.064618.273980@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Jorge,

I applied what you said and it doesn't work. As long as the user has a
domain account, he/she can query using Outlook Express and get the
information.

I created all the contacts and put them in an OU called Important Info.
Denied the group I created. (On read -Deny, and I checked "this object
and all child objects" on the Edit ). In fact, I denied everything
under a different test.

Btw, a group I want to deny is a larger group - about 80 percent. Have
you ever gotten this to work or is it just a concept that you think it
would work from lecture (hehe)?

I am lost at this point. This is on a windows 2003 server.


Thanks,
tnt




Jorge de Almeida Pinto [MVP - DS] wrote:
and because you already put the contacts in a separate OU assign DENY to
that group on the OU for "this object and all child objects"

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Jorge de Almeida Pinto [MVP - DS]"
<SubstituteThisWithMyFullNameSeparatedByDots@xxxxxxxxx> wrote in message
news:...
basically, what you are saying is that a group of people are able to
query
AD for contacts and you dont want that.

so to prevent a group of people to view those contacts while allowing
others you would need to create a group, put those people in that group
and assign DENY to those contacts.


does this apply to a group of users or ALL users? and how large is that
group compared to the total number of users? is it possible that more
be
people would belong to that group that is not allowed to view those
contacts?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
<tractng@xxxxxxxxx> wrote in message
news:1156877227.939450.192810@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Jorge,

I am guessing you talking about denying the people/group on group
policy and not under the GAL?

If under the group policy on the OU, should there be an attributes
that
you have to enable or just checking the "denying" on the group will do
the trick.


Thanks,
Tnt
Jorge de Almeida Pinto [MVP - DS] wrote:
you will need to modify the permissions of those objects so that that
group
of people cannot retrieve the contacts using a query

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
<tractng@xxxxxxxxx> wrote in message
news:1156606204.214966.26690@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello,

Can somebody point me to the right directions. I want to hide the
contacts from certain people in the domain. When users search
directory servcice using Outlook expresss,(if a user has a domain
account opens up outlook express, he/she can view all the contacts
by
entering the dc=<domain>,dc=<ext> into Search base) they can still
see
the contacts.

I have put all the contacts onto one single OU. Is there a way to
do
this?


I am not talking about going into the exchange advanced tab and
check
hide from exchange address lists.

Thanks,
Tnt







.

Relevant Pages

  • Re: hiding contacts (ojbect) from directory search (LDAP)
    ... he/she can query using Outlook Express and get the ... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ...
    (microsoft.public.windows.server.active_directory)
  • Re: Core servers
    ... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... INF and RID roles for the child domain be isolated ...
    (microsoft.public.windows.server.active_directory)
  • Re: FMSO question
    ... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... I plan on reinstalling DC1 as a domain controller, ...
    (microsoft.public.windows.server.active_directory)
  • Re: Help with Journal Wrap error
    ... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... Do the D2 and just wait until the schedule opens ...
    (microsoft.public.win2000.active_directory)
  • Re: Replication and Preferred Bridgehead
    ... # Jorge de Almeida Pinto # MVP Windows Server - Directory Services ... BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx ... with that a DC/GC needs to replicate a NC that is not being ...
    (microsoft.public.windows.server.active_directory)