How to prevent users from seeing default AD containers?

  • Thread starter: Guest

Is there any way to prevent the support staff from accessing/seeing the AD default
containers, e.g. 'Builtin', 'Users'...?

I have delegated control to a group of support staff and allow them to
perform a few basic functions like Unlock account, Reset Password, and join
Domain...

But I noticed they are able to see the contents of Default containers. For
example, they can read the members of Domain Admins group, which is located
in the "Users" container.

Of course, there are lots of other important Group and User objects in this "Users"
container by AD default too.

I would like to prevent anyone except "Domain Admins" from accessing/seeing these Default
containers or a selected OU, if that is possible.

So far, the way I have figured out to do that is to remove the default
"Authenticated Users" group from the Security of the OU. But I think that is
not a good way to do it.

Does anyone have a better solution?

Thanks,

Vincent
 
Thanks for the reply.

I knew it would be better not to change the default security settings on the
default container. Obviously Active Directory somehow needs to read
the object information in the Users container with the "Authenticated
Users" rights.

If I created another OU without the "Authenticated Users" rights, and then
moved all objects to this new OU from the default "Users" container, there would
be no objects left in the "Users" container. What is the difference
from removing the "Authenticated Users" group from the "Users" container? I
mean Active Directory would still not be able to read the list of User and Group
objects in the new OU.

Do you think the Active Directory can still function properly?

Thanks,

Vincent
 