Re: hiding contacts from directory search (LDAP)



policy?

if you leave the default (auth users) and add a DENIED group,
everyone has access except the group

if you change the default (auth users) to DENY and add an ALLOWED group,
nobody has access


be careful with removing authenticated users or changing the permissions
for it. make sure you test things!
remember that authenticated users is EVERYONE that has been authenticated
(users AND computers) (for computers think exchange servers)
--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"tnt" <tnt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ECCB1DDC-4A0D-4EBB-BD61-664C175E9343@xxxxxxxxxxxxxxxx
Jorge,

Thanks a lot. I did a test and it works. Somehow I was creating a new
policy and denying that right on the policy (one of those days).

Anyways, the majority that I want to deny makes up about 80-90%. If I deny
"authenticated users" then it will conflict with the group I want to allow.
I guess I can try to be created.

Also, does this affect my current setup as far as GAL and stuff besides the
group and OU that I am denying access to? Just making sure.

TNT

"Jorge de Almeida Pinto [MVP - DS]" wrote:

if you have an OU with contacts and you want to DENY read to some group
called SOME_GROUP assign the DENY read permissions on the OU for "this
object and all child objects"

that should work after you also make the users you do not want to view the
contacts a member of SOME_GROUP. after that logoff and logon so that the
group will be in the access token of the user

"tnt" <tnt@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:39B863C1-3A97-4FF9-9051-A3C4AFE49AB8@xxxxxxxxxxxxxxxx
Hello,

Can somebody point me to the right directions. I want to hide the
contacts from certain people in the domain. When users search
directory service using Outlook Express (if a user has a domain
account opens up Outlook Express, he/she can view all the contacts by
entering the dc=<domain>,dc=<ext> into Search base) they can still see
the contacts.


I have put all the contacts onto one single OU and added the group that I
don't want to query with deny on read (also click this object and all child
objects on the advance/edit).

Doesn't seem to work.


FYI-I am not talking about going into the exchange advanced tab and check
hide from exchange address lists. Trying to block the query search in
programs such as Outlook Express.


Thanks in advance,
Tnt
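
Added example (not part of the original posts): a simplified Python model of how a DACL is checked against a user's access token, run over the two setups described in the reply at the top of the thread and the logoff/logon point from the earlier reply. The READ bit, the sample tokens and the treatment of both ACEs as inherited from the OU are assumptions made for illustration.

```python
from dataclasses import dataclass

READ = 0x1  # constructed stand-in for the read rights discussed in the thread

@dataclass(frozen=True)
class Ace:
    kind: str            # "deny" or "allow"
    trustee: str         # group name standing in for a SID
    mask: int
    inherited: bool = True   # set on the OU, inherited by the contact objects

def canonical(dacl):
    """Canonical order: explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(token_groups, dacl, desired=READ):
    """Walk the ACEs in order; a matching deny on a still-needed bit ends the check."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.trustee not in token_groups:
            continue                      # ACE does not apply to this caller
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                          # nothing granted it: implicit deny

# Constructed tokens. Every authenticated account (users AND computers)
# carries "Authenticated Users"; group SIDs are added only at logon.
staff = {"Authenticated Users"}
member = {"Authenticated Users", "SOME_GROUP"}
stale_member = {"Authenticated Users"}    # added to SOME_GROUP, not yet logged on again

# Setup 1: default allow for Authenticated Users plus a DENY for one group.
deny_group = [Ace("allow", "Authenticated Users", READ),
              Ace("deny", "SOME_GROUP", READ)]
# Setup 2: Authenticated Users switched to DENY plus an ALLOW for one group.
deny_everyone = [Ace("deny", "Authenticated Users", READ),
                 Ace("allow", "SOME_GROUP", READ)]

def results():
    return {
        "setup1_staff": access_check(staff, deny_group),
        "setup1_member": access_check(member, deny_group),
        "setup1_stale_member": access_check(stale_member, deny_group),
        "setup2_staff": access_check(staff, deny_everyone),
        "setup2_member": access_check(member, deny_everyone),
    }

if __name__ == "__main__":
    for name, allowed in results().items():
        print(f"{name}: {'read allowed' if allowed else 'read denied'}")
```
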







