Re: how to restrict users to search in their own Organizational Unit



But, we have +/- 40 OU's with approximately 12000 users, how can I
handle this problem best?
If I need to create a security group per OU and then add all users
separately then I will have a lot of work...

Although I think the whole thing is a poor idea the
most likely approach to make this practical is to
write a SCRIPT.

[Admins need to be at least minimally competent at scripts
writing so that at least they will know the basics and can get
a true programmer to write the hard ones.]

You could also TRY removing the "Authenticated Users"
(technically it isn't Everyone with these permissions) at the
Domain level (and propagating) since using a lot of DENY
permissions is in and of itself a poor practice.

Even then, I suspect something will/might go wrong so
try this in a test domain, OR see if some AD expert will
comment who has actually DONE such things. (Windows
has a bad habit of going south when such sweeping
changes are made even though in principle they are
perfectly logical.)

General script logic:

Loop through each (top level) OU
1) removing Auth. Users from permissions*
2) create group with OU users as members**
3) add this group to permissions for this OU

* Watch out for the effect on COMPUTER accounts etc.
(Unless this is a test domain, I would likely REPLACE
the Authenticated User permissions with an empty, 'place
holder' group so that putting this stuff back would be
practical.)

** Must be maintained over time by 1) creating a template
group and always creating users by copying this
with OU-group membership OR by scripting creation
of users with this membership as there is no built-in
mechanism for granting/denying permissions based on
"OU" and these groups are a (semi-)manual thing.

You might have to periodically re-run this script to
rebuild the groups to prevent discrepancies from
growing over time (e.g., as users are moved from one
group to another.)

--
Herb Martin, MCSE, MVP
Accelerated MCSE
http://www.LearnQuick.Com
[phone number on web site]
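The "general script logic" above, written out as a PowerShell script against the RSAT ActiveDirectory module and its AD: drive. This is an added example, not code from the thread or from either poster. Everything it assumes is mine: the group naming convention "ACL-Read-<OU name>", the container those groups live in, the placeholder group's name, and GenericRead as the permission granted. It creates the group before touching the ACL (the group's SID is needed for the new ACE), rebuilds membership from the OU's current users on every run so it can be re-run to correct drift, and only removes Authenticated Users ACEs that are set explicitly on the OU: an inherited ACE (the usual case, coming down from the domain head) is reported, not silently skipped, because it can only be changed where it is defined. Run it with -DryRun in a test domain first.

```powershell
# Added example (not from the original thread): the "general script logic" as a
# PowerShell script using the RSAT ActiveDirectory module. All names below are
# assumptions of this example, not the poster's.
param(
    [string]$GroupContainer   = "OU=OU-Read-Groups,DC=example,DC=com",  # assumed; must already exist
    [string]$PlaceholderGroup = "ACL-AuthUsers-Placeholder",            # assumed name of the empty 'place holder' group
    [switch]$DryRun                                                      # report what would change, change nothing
)
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$authUsers = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # well-known SID: Authenticated Users

function Get-OrCreateGroup([string]$Name) {
    $g = Get-ADGroup -Filter "Name -eq '$Name'" -Properties member
    if (-not $g) {
        Write-Host "create group $Name in $GroupContainer"
        if ($DryRun) { return $null }
        New-ADGroup -Name $Name -GroupScope Global -Path $GroupContainer | Out-Null
        $g = Get-ADGroup -Filter "Name -eq '$Name'" -Properties member
    }
    return $g
}

# The empty placeholder group receives a copy of every explicit Authenticated Users
# ACE that is removed, so the original permissions can be put back later.
$placeholder = Get-OrCreateGroup $PlaceholderGroup

foreach ($ou in Get-ADOrganizationalUnit -Filter * -SearchBase $domainDN -SearchScope OneLevel) {
    $ouDN  = $ou.DistinguishedName
    $group = Get-OrCreateGroup "ACL-Read-$($ou.Name)"

    # Step 2: membership = every user object under this OU; re-running fixes drift.
    # Reading the 'member' attribute avoids Get-ADGroupMember's default 5000-entry cap.
    $wanted   = @(Get-ADUser -Filter * -SearchBase $ouDN -SearchScope Subtree | Select-Object -ExpandProperty DistinguishedName)
    $current  = if ($group) { @($group.member) } else { @() }
    $toAdd    = @($wanted  | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $wanted })
    Write-Host "$($ou.Name): $($wanted.Count) users, +$($toAdd.Count) / -$($toRemove.Count)"
    if (-not $DryRun -and $group) {
        if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
        if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }
    }

    # Steps 1 and 3: swap explicit Authenticated Users ACEs for the placeholder, then grant the OU group read.
    $path = "AD:\$ouDN"
    $acl  = Get-Acl -Path $path
    foreach ($ace in @($acl.Access)) {
        try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) }
        catch { continue }   # orphaned SID that no longer resolves; not the one we are looking for
        if ($sid.Value -ne $authUsers.Value) { continue }
        if ($ace.IsInherited) {
            # Cannot be removed on the child object; must be changed at its source (often the domain head).
            Write-Warning "$($ou.Name): inherited Authenticated Users ACE ($($ace.ActiveDirectoryRights)); change it where it is defined"
            continue
        }
        Write-Host "$($ou.Name): move explicit ACE '$($ace.ActiveDirectoryRights)' from Authenticated Users to $PlaceholderGroup"
        if ($DryRun -or -not $placeholder) { continue }
        # Same rights, type, object GUIDs and inheritance as the original, just a different trustee.
        $clone = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $placeholder.SID, $ace.ActiveDirectoryRights, $ace.AccessControlType,
            $ace.ObjectType, $ace.InheritanceType, $ace.InheritedObjectType)
        $acl.AddAccessRule($clone)
        $acl.RemoveAccessRuleSpecific($ace)
    }
    if ($DryRun -or -not $group) { continue }
    $read = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $group.SID,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($read)
    Set-Acl -Path $path -AclObject $acl
}
```

Two things the dry run will make obvious. First, if the Authenticated Users read permission on your OUs is inherited rather than explicit, this script grants each OU group read on its own OU but changes nothing about what everyone else can still read; the inherited ACE has to be dealt with at the domain level, which is the risky step the post warns about. Second, the membership rebuild treats "user under this OU" as the only criterion, so computer and service accounts placed in the OU are not picked up and anything else someone added to the group by hand is removed on the next run.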

<lao.nightwolf@xxxxxxxxx> wrote in message
news:1165933306.200588.167530@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx

Jorge Silva wrote:

Hi
By default everyone has read-access to AD.
To deny that right you must create a security group and deny read
permission, then add the users to that security group.

--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************


Thanks that helps already!


