Re: hiding contacts from directory search (LDAP)




Jorge,

I tried it and it works.

Joe,

What you recommended, removing the default groups and adding the group
that I'd like to give access to, doesn't work. The concept only works for
sharing a file using share permissions/NTFS security. If you deny
Authenticated Users you will be locked out of the OU. Passive denying
will be more of a hassle in this situation. Users are still able to query
LDAP if you don't explicitly deny access to it.

Thanks anyways!!!
~tnt
tractng@xxxxxxxxx wrote:
Thanks Joe & Jorge.

I will give it a try the coming week (was busy at work).

I tried removing the authenticated users the last time and was locked
out of the OU. Couldn't even see the contacts either (how scary). So
basically I lost all of the contacts, but it was just my test LAN.

Thanks again,
Tony


Joe Richards [MVP] wrote:
What you want to do is remove the default, then add a group for who
should be able to see the objects. Then you are passively denying
access. Active deny is a pain in the ass and should be used sparingly if
at all.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Jorge de Almeida Pinto [MVP - DS] wrote:
policy?

if you leave the default (auth users) and add a DENIED group

everyone has access except the group

if you change the default (auth users) to DENY and add an ALLOWED group

nobody has access


be careful with removing authenticated users or changing the permissions
for it. make sure you test things!
remember that authenticated users is EVERYONE that has been authenticated
(users AND computers) (for computers think Exchange servers)
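
The three permission setups discussed in this thread, run through a simplified access check, as an added example that is not part of the original posts. The group names, the principals and the explicit-ACE-only model (canonical order, no inheritance) are assumptions made for illustration.

```python
# Simplified model of the access check applied to a directory object.
# Assumption: explicit ACEs only, in canonical order (deny before allow);
# inheritance and object-type-specific rights are left out.
from dataclasses import dataclass

AUTH_USERS = "Authenticated Users"

@dataclass(frozen=True)
class Ace:
    kind: str             # "allow" or "deny"
    trustee: str          # group the ACE applies to
    right: str = "read"

def can_read(token_groups, dacl):
    """Return True if a token holding these groups is granted read."""
    ordered = sorted(dacl, key=lambda a: a.kind != "deny")  # deny ACEs first
    for ace in ordered:
        if ace.right == "read" and ace.trustee in token_groups:
            return ace.kind == "allow"
    return False  # no matching ACE: implicit ("passive") deny

# Constructed principals (hypothetical names). Every authenticated principal,
# user or computer, carries Authenticated Users in its token.
TOKENS = {
    "hr_user":   {AUTH_USERS, "Domain Users", "ContactReaders"},
    "temp_user": {AUTH_USERS, "Domain Users", "NoContacts"},
    "exch_srv$": {AUTH_USERS, "Domain Computers"},
}

# Constructed DACLs for the three setups named in the thread.
DACLS = {
    "default + denied group":
        [Ace("allow", AUTH_USERS), Ace("deny", "NoContacts")],
    "auth users deny + allowed group":
        [Ace("deny", AUTH_USERS), Ace("allow", "ContactReaders")],
    "default removed + allowed group":
        [Ace("allow", "ContactReaders")],
}

def evaluate():
    """Map each setup to {principal: read granted?}."""
    return {name: {who: can_read(groups, dacl) for who, groups in TOKENS.items()}
            for name, dacl in DACLS.items()}

if __name__ == "__main__":
    for name, result in evaluate().items():
        print(f"{name:34} {result}")
```

On a live OU, inherited ACEs and other default trustees feed the same check, so confirm the effective result on the object itself before relying on it.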
