Dandando said:
Hi, dear all!
We try to prevent users from viewing our OU structure, so we
removed "Authenticated Users" from the OU security list. But
this action causes GPO processing to fail on client PCs
located in this OU. Do you have any solution for that?
/Dan
In order to process GPOs the users must have "Read and Apply GPO" rights on
the GPO.
In addition they need to have "Read" access on the OU(s) where the GPO is
linked in order to read which GPOs they should get (in theory they should
only need read on the gPLink and gPOptions attributes, but never tested
that). And in order to read the properties of that OU they also need "List
Object" on the parent of that OU (if AD is configured for List Object access
mode).
There is no way to completely disable browsing the AD structure since they
need some access in order to read information about themselves. But you can
lock it down pretty much. We've also found that the users need "Read" on the
domain object, and read on the User and/or Builtin and Domain Controllers
objects in order to be able to change password, and for the %username%
environment variable and the WinNT provider in ADSI to work properly.
Arild
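As an added example (not part of the thread or either poster's code), the PowerShell function below audits, for one OU and one trustee, the rights Arild lists: Read on the OU (or on the gPLink/gPOptions attributes), List Object on the parent, and Read + Apply on each linked GPO. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the OU DN in the example call is a placeholder.

```powershell
function Test-GpoProcessingAccess {
    # Report whether $Principal holds the rights needed for GPOs linked on $OUDistinguishedName
    # to be found and applied: Read on the OU, List Object on its parent, Read+Apply on each GPO.
    param(
        [Parameter(Mandatory)] [string] $OUDistinguishedName,   # assumption: a real OU DN
        [string] $Principal = 'Authenticated Users'             # trustee to audit
    )
    Import-Module ActiveDirectory, GroupPolicy

    # schemaIDGUIDs of the two attributes the reply singles out, read from the schema
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $attrGuids = foreach ($a in 'gPLink', 'gPOptions') {
        [guid](Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$a)" `
                -Properties schemaIDGUID).schemaIDGUID
    }

    # Allow ACEs granted to the trustee on the OU and on its parent container
    $parentDn = $OUDistinguishedName -replace '^[^,]+,', ''   # strips the first RDN
    $allowFor = { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -like "*$Principal" }
    $onOu     = (Get-Acl "AD:\$OUDistinguishedName").Access | Where-Object $allowFor
    $onParent = (Get-Acl "AD:\$parentDn").Access | Where-Object $allowFor

    $read = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $list = [System.DirectoryServices.ActiveDirectoryRights]::ListObject
    # ReadProperty on the whole object (empty ObjectType) or scoped to gPLink/gPOptions
    $readOu = [bool]($onOu | Where-Object {
        (($_.ActiveDirectoryRights -band $read) -ne 0) -and
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -in $attrGuids)
    })
    $listParent = [bool]($onParent | Where-Object { ($_.ActiveDirectoryRights -band $list) -ne 0 })

    # gPLink holds "[LDAP://cn={guid},cn=policies,...;options]" entries; pull each GPO GUID
    $gpLink = [string](Get-ADOrganizationalUnit $OUDistinguishedName -Properties gPLink).gPLink
    $gpos = foreach ($m in [regex]::Matches($gpLink, '\{([0-9a-fA-F-]+)\}')) {
        $guid = $m.Groups[1].Value
        $perm = Get-GPPermission -Guid $guid -All | Where-Object { $_.Trustee.Name -eq $Principal }
        [pscustomobject]@{
            Gpo       = (Get-GPO -Guid $guid).DisplayName
            ReadApply = [bool]($perm | Where-Object { $_.Permission -eq 'GpoApply' })  # Apply implies Read
        }
    }

    [pscustomobject]@{
        OU                 = $OUDistinguishedName
        Principal          = $Principal
        ReadOnOU           = $readOu       # $false here is the condition behind the question's symptom
        ListObjectOnParent = $listParent   # only relevant when List Object mode is enabled
        LinkedGpos         = $gpos
    }
}

# Placeholder DN; replace with the OU whose clients stopped processing GPOs
Test-GpoProcessingAccess -OUDistinguishedName 'OU=Workstations,DC=example,DC=com'
```

A result with ReadOnOU false but every LinkedGpos entry showing ReadApply true matches the situation in the question: the GPO ACLs are intact, yet clients cannot read the OU to discover which GPOs are linked.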