RE: AD users and computers security

From: Kimberly Pace (KimberlyPace_at_discussions.microsoft.com)
Date: 10/14/04


Date: Thu, 14 Oct 2004 14:37:02 -0700

Hope this clarifies my question. I tried to paste in a screenshot, but can't.

Scenario: I have created several OUs in Active Directory Users and
Computers. I want to delegate control of some of the OUs to supervisors of
the department the OU represents. I don't want that person to be able to
read user information from other OUs.

In my test lab, I delegated administration to a test user. Then on a
workstation I installed the adminpak to provide access to AD users and
computers and logged on as that test user to test admin capabilities. I
noted that even though they were not granted access to other OUs, they could
open them and see all the users. They could also read all user properties.

Then I logged on as another user (not an admin). Launched AD users and
computers, and noted that this user, who had not been granted any access,
could open all the OUs and read all user properties. (In our organization,
workstations are shared by several users.)

At this point, I reviewed the Security tab on the OUs and noted that
Authenticated Users was included on all OUs with read permissions -- that's
why any logged-on user, whether I delegated rights or not, could see
information that I don't want them to see such as home address, telephone
numbers, employee numbers, etc.

If I remove Authenticated Users from the OU, then that OU does not show up
in Active Directory Users and Computers when a user logs on who doesn't have
Read permissions on the OU. They can still launch AD Users and Computers,
but they can't see the OUs and the users they contain.

For security reasons, I do not want any user that happens to log on to a
computer where AD Users and Computers is installed to launch the tool and be
able to read user information. It looks like I can eliminate this risk by
removing Authenticated Users from the ACL on the OU, but I am concerned that
it may affect other processes I am not aware of.

Again, I ask, is it safe to remove Authenticated from all OUs?

Kimberly

"Rebecca Chen [MSFT]" wrote:

> Hi Kimberly,
>
> I am a little unclear about this issue. Could you provide more details,
> such as a screen shot or the steps to reproduce this issue?
>
> You may check the following KB to see if it helps:
> Authenticated Users Group Has Too Many Permissions to the SYSVOL Network
> Share
> http://support.microsoft.com/default.aspx?scid=kb;en-us;812538
>
> In addition, Windows Server 2003 family provides three groups whose
> membership is controlled by the administrator: Users, Power Users, and
> Administrators. The group whose membership is controlled by the operating
> system or domain is Authenticated Users. It is the same as the Everyone
> group, except that it does not contain anonymous users or guests.
>
> If you remove permissions for the Authenticated Users group on the drive
> where Windows is installed, many Windows services do not start.
> Many Services Do Not Start After You Upgrade to Windows Server 2003
> http://support.microsoft.com/default.aspx?scid=kb;en-us;827480
>
> Further questions, let us get in touch!
>
> Best regards,
>
> Rebecca Chen
>
> MCSE2000 MCDBA CCNA
>
>
> Microsoft Online Partner Support
> Get Secure! - www.microsoft.com/security
>
> =====================================================
>
> When responding to posts, please "Reply to Group" via your newsreader so
> that others may learn and benefit from your issue.
>
> =====================================================
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
>
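Before deciding whether to pull Authenticated Users off the OUs, it helps to see exactly which ACEs that group holds on each OU and whether they are explicit or inherited. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read the domain.

```powershell
# Added example (not from the original thread). Assumes the ActiveDirectory
# module (RSAT) and read access to the domain. Run it before changing any
# ACL so the report shows what each OU currently grants to Authenticated Users.
Import-Module ActiveDirectory

# Match on the well-known SID S-1-5-11 rather than the localized display name.
$authUsersSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Get-AuthenticatedUsersAces {
    param(
        # Defaults to the whole domain; pass an OU DN to scope the audit.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou  = $_
        $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier])
            if ($sid -ne $authUsersSid) { continue }
            [pscustomobject]@{
                OU           = $ou.DistinguishedName
                Type         = $ace.AccessControlType       # Allow / Deny
                Rights       = $ace.ActiveDirectoryRights   # e.g. GenericRead, ReadProperty
                ObjectType   = $ace.ObjectType              # attribute/property-set GUID, all zeros = whole object
                AppliesTo    = $ace.InheritedObjectType     # object class the ACE flows down to
                Inherited    = $ace.IsInherited             # $false = set directly on this OU
                Propagation  = $ace.InheritanceType
            }
        }
    }
}

# Explicit ACEs are the ones you would actually be removing on the OU itself.
Get-AuthenticatedUsersAces | Sort-Object OU, Inherited | Format-Table -AutoSize
```

One process that does depend on this ACE is Group Policy: clients must be able to read the OU (its gPLink) to apply linked GPOs, so removing Read outright for Authenticated Users stops policy from applying to objects under that OU. On Windows Server 2003 SP1 and later, marking the sensitive attributes confidential (searchFlags bit 0x80) restricts who can read them without taking Read off the OU.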