Re: hide organizational unit from view in active directory



The security of a security principal isn't supposed to be in its identifier; it comes from the authenticator (password/certificate/biometric/etc.). Having a userid should do nothing to help you with the password, and if your admins are using passwords so simple that they could be easily cracked, get new admins.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


vagrantbrad@xxxxxxxxx wrote:
On Feb 28, 9:21 pm, "Joe Richards [MVP]" <humorexpr...@xxxxxxxxxxx>
wrote:
First, admin IDs shouldn't have mailboxes, as admins should be using
normal user accounts for email. Anything else is a huge security no-no.

As for hiding the admin accounts, I have yet to see a good valid
reason for it.


vagrantb...@xxxxxxxxx wrote:
I want to hide an organizational unit from view so that our helpdesk
person cannot see the objects and properties inside this OU. It would
be detrimental to security if he could see the users and their
associated properties in the OU because it contains all our
administrators. I've read posts similar to this issue/concern, and
people have recommended removing the read properties on the OU from
the "authenticated users" group. When I try this, however, it hides
all the users in this OU from the Global Address Book in Exchange.
How can I hide an OU in Active Directory Users and Computers but have
the OU members still show in the Global Address Book?

I understand the security implications of having mailboxes for
administrators. What I don't understand is the comment by Joe
Richards saying there's no valid reason to hide admin accounts in
Active Directory. Why is it not a big issue to allow anyone in the
organization (any authenticated user) with access to Active Directory
Users and Computers to see all the administrator accounts in the
domain with their associated group memberships? Seems to me that
you're just broadcasting to everyone what accounts offer the "keys to
the castle". From a hacking perspective, that seems very insecure.
Can someone enlighten me?

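As an added example (not code from anyone in the thread), a PowerShell audit of the read access the original poster was removing: it lists the ACEs on the OU, and on each user object inside it, that grant Authenticated Users or Everyone read rights, and whether each is Allow or Deny, explicit or inherited. It assumes the RSAT ActiveDirectory module; `Get-ReadAces` and the OU distinguished name are placeholders of my own.

```powershell
# Added example, not code from the thread. Audits the ACEs that let
# Authenticated Users (or Everyone) read an OU and the user objects in it,
# which is what removing "read properties" on the OU changes.
# Assumes the RSAT ActiveDirectory module; the OU DN below is a placeholder.
Import-Module ActiveDirectory

function Get-ReadAces {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        [string[]] $Principals = @('NT AUTHORITY\Authenticated Users', 'Everyone')
    )
    # Any of these rights exposes the object or its attributes to the caller.
    $readMask = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
                [System.DirectoryServices.ActiveDirectoryRights]::ListObject

    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($Principals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.ActiveDirectoryRights -band $readMask) -eq 0) { continue }
        [pscustomobject]@{
            Object      = $DistinguishedName
            Principal   = $ace.IdentityReference.Value
            Type        = $ace.AccessControlType          # Allow or Deny
            Rights      = $ace.ActiveDirectoryRights
            # Guid.Empty = all properties; otherwise one attribute or property set
            Scope       = if ($ace.ObjectType -eq [guid]::Empty) { 'all' } else { $ace.ObjectType }
            Inheritance = $ace.InheritanceType            # None = this object only
            Inherited   = $ace.IsInherited
        }
    }
}

$ou = 'OU=Admins,DC=example,DC=com'   # placeholder, replace with your OU
# Check the OU itself, then every user inside it: user objects carry their
# own default ACE granting Authenticated Users read, so the OU's ACL alone
# does not decide who can see the accounts.
$targets = @($ou) + @(Get-ADUser -Filter * -SearchBase $ou | ForEach-Object DistinguishedName)
$targets | ForEach-Object { Get-ReadAces -DistinguishedName $_ } | Format-Table -AutoSize
```

Run it before and after any permission change so the Deny entries and the inherited Allows that Exchange's address list still depends on are both visible in one table.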


