
Limit access to Active Directory Users and Computers

Author
6 Nov 2008 4:29 PM
APD189
I need to limit the access to the Active Directory Users and Computers MMC.
How would I do that?  The user is not in there, but Authenticated Users can
read.  Do I need to remove Authenticated Users from read ability?

Author
6 Nov 2008 7:50 PM
Florian Frommherz [MVP]
Howdie!

APD189 wrote:
> I need to limit the access to the Active Directory Users and Computers MMC.
> How would I do that?  The user is not in there, but Authenticated Users can
> read.  Do I need to remove Authenticated Users from read ability?

It's not only active directory users and computers people could use to
get basic information from your AD - you'd also have to disable ldp.exe
or adsiedit.msc or any other ldap browser.

Authenticated users basically have "read" permission to the directory.
Not sure if you break certain functionality if you take away those
"read" permissions. I'd try that in a test lab first.

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
Author
6 Nov 2008 11:14 PM
APD189
What I need to do is restrict users from using the Admin Pack and using
Active Directory Users and Computers.  When I disabled a single user, he was
not able to remote to a server he had access to in the past. I think when I
denied "read" permissions, he was not able to log in because when I removed
his name, he was able to log back in.

Author
7 Nov 2008 7:24 AM
Florian Frommherz [MVP]
Howdie!

APD189 wrote:
> What I need to do is restrict users from using the Admin Pack and using
> Active Directory Users and Computers.  When I disabled a single user, he was
> not able to remote to a server he had access to in the past. I think when I
> denied "read" permissions, he was not able to log in because when I removed
> his name, he was able to log back in.

How do they access those tools? Are they installed locally on the users'
machines or do they use an rdp (terminal services) connection to the DC
and make their changes there? From your description it sounds like that.

Disabling the user in ADUC is not a way to go as that "disable"
mechanism blocks his user account he needs to authenticate to the whole
network. How do they access the AdminPak? Can't you just tweak NTFS
permissions on the .msc files?

cheers,

Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
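One way to do what Florian suggests, as an added example (not code from the thread or from anyone posting in it): the saved console is just a file, so its NTFS ACL can be replaced with one that only an approved group can read. Assumed here: the script runs elevated on the workstation where the Admin Pack was installed, dsa.msc sits in System32 (the usual install location), and CONTOSO\ADUC-Operators is a placeholder for the group that may still open the console.

```powershell
# Added example (not from the thread): lock down the saved ADUC console file with NTFS ACLs.
# Assumptions: elevated session on the workstation with the Admin Pack installed;
# $AllowedGroup is a placeholder for a domain group of people permitted to open it.
param(
    [string]$ConsolePath  = "$env:SystemRoot\System32\dsa.msc",
    [string]$AllowedGroup = "CONTOSO\ADUC-Operators"   # placeholder group name
)

if (-not (Test-Path $ConsolePath)) {
    throw "Console file not found: $ConsolePath"
}

# Files under System32 are owned by TrustedInstaller; take ownership so the ACL can be edited.
takeown.exe /F $ConsolePath | Out-Null

$acl = Get-Acl -Path $ConsolePath

# Stop inheriting the permissive System32 ACL (BUILTIN\Users: Read & Execute)
# and do not copy the inherited entries onto the file.
$acl.SetAccessRuleProtection($true, $false)

# Drop any explicit ACEs that are still on the file.
foreach ($ace in @($acl.Access)) { $null = $acl.RemoveAccessRule($ace) }

# Minimal ACL: SYSTEM and local Administrators keep full control,
# the approved group may read and execute, everyone else gets nothing.
$rules = @(
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = $AllowedGroup;            Rights = 'ReadAndExecute' }
)
foreach ($r in $rules) {
    $ace = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $r.Id, $r.Rights, 'Allow')
    $acl.AddAccessRule($ace)
}

Set-Acl -Path $ConsolePath -AclObject $acl

# Print the resulting ACL so the change can be reviewed.
(Get-Acl -Path $ConsolePath).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

Keep the thread's caveat in mind: this only stops the saved console file. mmc.exe with the snap-in added by hand, ldp.exe, adsiedit.msc or any other LDAP client still reads whatever Authenticated Users can read. On the MMC side, the Group Policy setting "Restricted/Permitted snap-ins" under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console controls the snap-in itself rather than one .msc file.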
Author
7 Nov 2008 1:31 PM
APD189
They downloaded the Admin Pack onto their own computer and installed the
admin pack on their local machine.  I need to block what they see in it.

Thanks!!

Author
16 Dec 2008 3:16 PM
APD189
Does anyone know how to limit the access of users who have downloaded the Admin
Pack?  We would like only to allow certain users and other users not to have
access.

Author
16 Dec 2008 4:11 PM
Jorge de Almeida Pinto [MVP - DS]
not possible.... every authenticated user has the ability to read most of
the directory info
and that is not just with ADUC, but with ANY LDAP tool from ANY
client/server

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

Author
16 Dec 2008 4:34 PM
Paul Bergson
Users need read access to multiple locations within AD.  But they only have
read access so it shouldn't be an issue.

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
Author
19 Dec 2008 5:23 PM
APD189
I need to block their read access.  I have an issue with users installing the
adminpak and looking at it.

Author
19 Dec 2008 10:32 PM
Jorge de Almeida Pinto [MVP - DS]
be aware that ANY authenticated user in the AD forest is able to read most
stuff in the directory using *ANY* LDAP tool

if you want to "hide" certain information you might want to use confidential
attributes. Even with that you still need to meet several requirements as
not every attribute in AD can be configured to be confidential

see:
http://blogs.dirteam.com/blogs/tomek/search.aspx?q=confidential&p=1

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
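For Jorge's confidential-attributes suggestion, an added example (not code from the thread or from the blog he links) that checks the requirements he alludes to before flipping the bit: the attribute must not be a base-schema (category 1) attribute, the change must be written on the schema master, and the feature needs Windows Server 2003 SP1 or later domain controllers. Assumed here: the ActiveDirectory PowerShell module and dsacls.exe are available, the account running it is a Schema Admin, and employeeID, OU=Staff,DC=contoso,DC=com and CONTOSO\HR-Readers are placeholders for your own attribute, scope and reader group.

```powershell
# Added example (not from the thread): make one attribute confidential and grant
# a single group the CONTROL_ACCESS right it now needs to read the value.
# Assumptions: ActiveDirectory module present, run as a Schema Admin,
# the three names below are placeholders.
Import-Module ActiveDirectory

$AttributeName = 'employeeID'                    # placeholder: attribute to protect
$ReaderGroup   = 'CONTOSO\HR-Readers'            # placeholder: group that may still read it
$ScopeDN       = 'OU=Staff,DC=contoso,DC=com'    # placeholder: where the grant applies

$CONFIDENTIAL       = 0x80   # searchFlags bit 7: attribute is confidential
$SCHEMA_BASE_OBJECT = 0x10   # systemFlags bit 4: base schema (category 1) attribute

$rootDse = Get-ADRootDSE
$attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))" `
    -Properties lDAPDisplayName, searchFlags, systemFlags

if (-not $attr) { throw "Attribute '$AttributeName' not found in the schema." }

# Base-schema attributes cannot be made confidential; the DC rejects the write.
if ($attr.systemFlags -band $SCHEMA_BASE_OBJECT) {
    throw "'$AttributeName' is a base schema attribute; it cannot be made confidential."
}

if ($attr.searchFlags -band $CONFIDENTIAL) {
    Write-Host "'$AttributeName' is already confidential (searchFlags=$($attr.searchFlags))."
} else {
    # Schema writes must go to the schema master.
    $schemaMaster = (Get-ADForest).SchemaMaster
    Set-ADObject -Identity $attr.DistinguishedName -Server $schemaMaster `
        -Replace @{ searchFlags = ($attr.searchFlags -bor $CONFIDENTIAL) }
    Write-Host "Set confidential bit on '$AttributeName' via $schemaMaster."
}

# Reading a confidential attribute needs READ_PROPERTY *and* CONTROL_ACCESS.
# Authenticated Users keep generic read but lack CONTROL_ACCESS, so they stop seeing
# the value; grant it only to the reader group. dsacls (assumed available from RSAT):
# CA = Control Access, scoped to this attribute on user objects, inherited from $ScopeDN.
dsacls.exe $ScopeDN /I:S /G "${ReaderGroup}:CA;${AttributeName};user"

# Verify that bit 7 is now set in searchFlags.
$after = Get-ADObject -Identity $attr.DistinguishedName -Properties searchFlags
"{0} searchFlags = {1} (confidential: {2})" -f $AttributeName, $after.searchFlags,
    [bool]($after.searchFlags -band $CONFIDENTIAL)
```

After this, an ordinary authenticated user still has Read on the user objects but no longer sees employeeID in ADUC, ldp.exe or any other LDAP client. Anyone with Full Control on those objects, Domain Admins included, still sees it, so this hides specific fields from general readers; it does not restrict the console itself, which is the point the rest of the thread makes.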
