Re: hide organizational unit from view in active directory



On Feb 28, 9:21 pm, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx>
wrote:
First, admin IDs shouldn't have mailboxes, as admins should be using
normal user accounts for email. Anything else is a huge security no-no.

As for hiding the admin accounts, I have yet to see a good valid
reason for it.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition www.joeware.net

---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

vagrantb...@xxxxxxxxx wrote:
I want to hide an organizational unit from view so that our helpdesk
person cannot see the objects and properties inside this OU. It would
be detrimental to security if he could see the users and their
associated properties in the OU because it contains all our
administrators. I've read posts similar to this issue/concern, and
people have recommended removing the read properties on the OU from
the "authenticated users" group. When I try this, however, it hides
all the users in this OU from the Global Address Book in Exchange.

How can I hide an OU in Active Directory Users and Computers but have
the OU members still show in the Global Address Book?

I understand the security implications of having mailboxes for
administrators. What I don't understand is the comment by Joe
Richards saying there's no valid reason to hide admin accounts in
Active Directory. Why is it not a big issue to allow anyone in the
organization (any authenticated user) with access to Active Directory
Users and Computers to see all the administrator accounts in the
domain with their associated group memberships? Seems to me that
you're just broadcasting to everyone what accounts offer the "keys to
the castle". From a hacking perspective, that seems very insecure.
Can someone enlighten me?
