Using Access Denied: Restricting Users' Read Access to AD Objects
February 13, 2008
I'm concerned that a regular domain user might install adminpak.msi on his or her workstation, then run the Microsoft Management Console (MMC) Active Directory Users and Groups snap-in and have casual viewing access to the domain's contents. How can I prevent this?
Well, you can prevent users from installing software by using Group Policy to disable the Control Panel Add or Remove Programs applet and a few other options. However, software installation isn't the issue here; Active Directory (AD) default permissions are. By default, typical domain users have Read access to almost everything in AD domains—including users, groups, organizational units (OUs), and Group Policy Objects (GPOs)—and they can view that information without any of the administrative tools in Adminpak. All they need to do is write a script that uses Active Directory Service Interfaces (ADSI) or run a command-line utility such as Ldifde. The only way to restrict users is to restrict Read permissions on objects that you don't want users to be able to read. However, be judicious when restricting Read access to AD objects, or you might run into problems. For instance, if users don't have Read access to other user objects, they might not be able to use Microsoft Exchange Server to find mail recipients. And if you deny users Read access to GPOs, settings that you configure under User Configuration in those GPOs won't be applied.
—Randy Franklin Smith
About the Author
You May Also Like