Remove Read-Only Access to AD-Authenticated Users

Has anyone set the Authenticated Users to 'deny access' for their entire domain and had any issues? We do not want regular users installing the Windows 2003 Support tools on their Windows XP system and looking at our Active Directory/Sites and Services/Domains and Trusts. I set a test user to 'deny access' and this blocks it (test lab, single Windows 2003 SP1 DC), but I figured I would ask before doing this in the production domain. Any help is appreciated!

Hi!

I would not use Deny in any combination with Authenticated Users group. Administrator account is also in this group, when authenticated.

Toni

"Steve" <St***@discussions.microsoft.com> wrote in message news:6DFD6237-82B8-43CA-9E36-1A52D0117ADE@microsoft.com...
> Has anyone set the Authenticated Users to 'deny access' for their entire
> domain and had any issues? We do not want regular users installing the
> Windows 2003 Support tools on their Windows XP system and looking at our
> Active Directory/Sites and Services/Domains and Trusts. I set a test user
> to 'deny access' and this blocks it (test lab, single Windows 2003 SP1 DC),
> but I figured I would ask before doing this in the production domain. Any
> help is appreciated!

Is there a way to prevent normal users from seeing the AD when the Windows 2003 Support tools are used? We want to keep our AD private and for admins only. Thanks.

Steve

"T. Uranjek" wrote:
> Hi!
>
> I would not use Deny in any combination with Authenticated Users group.
> Administrator account is also in this group, when authenticated.
>
> Toni
>
> "Steve" <St***@discussions.microsoft.com> wrote in message
> news:6DFD6237-82B8-43CA-9E36-1A52D0117ADE@microsoft.com...
> > Has anyone set the Authenticated Users to 'deny access' for their entire
> > domain and had any issues? We do not want regular users installing the
> > Windows 2003 Support tools on their Windows XP system and looking at our
> > Active Directory/Sites and Services/Domains and Trusts. I set a test user
> > to 'deny access' and this blocks it (test lab, single Windows 2003 SP1
> > DC), but I figured I would ask before doing this in the production
> > domain. Any help is appreciated!

You can achieve what you want to do but it is very difficult. 99.9% of people are fine with an authenticated security principal having read-only access to the directory. A directory is, by definition, a more or less read only database.

Re-evaluate your requirements. What's the problem with seeing the logical topology?

However, if you really want to do this, you need to re-ACL your forest. Which is going to break all kinds of stuff.

In k3 SP1 there's also confidential attributes, but taking someone else's words, that's just a bandage and won't achieve your ultimate goal as you can only use this on non-CAT-1 attributes.

--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net

Hi!

I might be missing something here but why would users be allowed to install adminpak.msi or support.msi or anything at all?

Toni

"Steve" <St***@discussions.microsoft.com> wrote in message news:73340CE1-4D77-4C09-B53A-8EC5E05B90AC@microsoft.com...
> Is there a way to prevent normal users from seeing the AD when the Windows
> 2003 Support tools are used? We want to keep our AD private and for admins
> only. Thanks.
>
> Steve
>
> "T. Uranjek" wrote:
>
>> Hi!
>>
>> I would not use Deny in any combination with Authenticated Users group.
>> Administrator account is also in this group, when authenticated.
>>
>> Toni
>>
>> "Steve" <St***@discussions.microsoft.com> wrote in message
>> news:6DFD6237-82B8-43CA-9E36-1A52D0117ADE@microsoft.com...
>> > Has anyone set the Authenticated Users to 'deny access' for their
>> > entire domain and had any issues? We do not want regular users
>> > installing the Windows 2003 Support tools on their Windows XP system
>> > and looking at our Active Directory/Sites and Services/Domains and
>> > Trusts. I set a test user to 'deny access' and this blocks it (test
>> > lab, single Windows 2003 SP1 DC), but I figured I would ask before
>> > doing this in the production domain. Any help is appreciated!
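
The thread's two options, a Deny ACE for Authenticated Users versus removing the Allow ACE (the re-ACL approach), compared in a simplified model of the Windows DACL access check. This is an added example, not code from any poster; the domain SIDs, the two-bit access mask and the three sample DACLs are constructed assumptions, and a real directory carries many more ACEs.

```python
# Simplified model of a Windows DACL access check (added illustration).
# S-1-5-11 is the well-known SID for Authenticated Users; the domain SIDs
# below are constructed for this example.
AUTH_USERS = "S-1-5-11"
DOMAIN_ADMINS = "S-1-5-21-1111-2222-3333-512"
ADMIN_USER = "S-1-5-21-1111-2222-3333-500"
REGULAR_USER = "S-1-5-21-1111-2222-3333-1105"

READ, WRITE = 0x1, 0x2  # toy access mask, not the real AD rights bits


def canonical(dacl):
    """Place deny ACEs ahead of allow ACEs (canonical ACE order)."""
    return sorted(dacl, key=lambda ace: ace[0] != "deny")


def access_check(token_sids, dacl, desired):
    """Walk the ACEs in order: a matching deny wins, allows accumulate."""
    remaining = desired
    for ace_type, sid, mask in canonical(dacl):
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
            if remaining == 0:
                return True
    return False  # no ACE granted the remaining bits


# An administrator's token carries Authenticated Users as well.
admin_token = {ADMIN_USER, DOMAIN_ADMINS, AUTH_USERS}
user_token = {REGULAR_USER, AUTH_USERS}

default_dacl = [("allow", DOMAIN_ADMINS, READ | WRITE), ("allow", AUTH_USERS, READ)]
deny_dacl = default_dacl + [("deny", AUTH_USERS, READ)]   # Deny added
reacl_dacl = [("allow", DOMAIN_ADMINS, READ | WRITE)]     # Allow removed


def read_access(dacl):
    """Return (admin_can_read, user_can_read) for a DACL."""
    return (access_check(admin_token, dacl, READ),
            access_check(user_token, dacl, READ))


if __name__ == "__main__":
    for name, dacl in [("default", default_dacl), ("deny", deny_dacl),
                       ("re-ACL", reacl_dacl)]:
        print(name, read_access(dacl))
```

In this model the Deny ACE locks out the administrator along with everyone else, while removing the Allow ACE blocks only the regular user; the model does not capture the services that depend on Authenticated Users read access.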