how to stop giving out account info?

djc

I was surprised to see that by just using My Network Places -> entire
network -> directory -> then right-clicking on the domain name and choosing
Find I could get so much account information! For instance even though I
renamed my admin account following good practices it's easy to see what it is
anyway by searching on 'admin'.. you can see the account plus the
administrators group which you can double-click to see all the members of???
any user can see all the groups and their membership. As well as all OU's
and what objects are in them. I guess since I am used to using the run box
and command prompt so often I have neglected to go see what regular users
may see.

How can I stop this? Although it's useful to be able to search AD like this
if you trust everyone.... nuff said. Trust no one. How do I stop publishing
secure information?

On a funny note: if you are a dope like me and did not know this was a
feature AND you named your OU's with names like 'AuditTheseFools' and
'IDontTrustTheseGuys' in order to link GPO's to them then you will be hoping
your users don't know about this feature either. hehe!

any info would be greatly appreciated.
 
There is a user configuration Group Policy you can implement to hide the
directory folder. Go to user configuration/administrative
templates/desktop/Active Directory to enable such. Note that will not stop
users from searching AD by other means. You can also hide AD objects by
managing the read permissions in their security properties. However this can
be tricky. For instance users do need read permissions for the domain
container, the container their account resides in, and I believe the domain
controller container. If they do not have read permissions they will not be
able to change their password and Group Policy user configuration will not
apply to them. However if you have a container such as an Organizational
Unit that users are not in, nor need to access anything in it you can remove
their read permissions from that OU. For instance you could have an OU with
specific users having permissions to it and then remove authenticated
users/everyone group permissions. Be sure to have a recent backup of the
System State for a domain controller before messing with AD permissions just
in case, though dsacls /s can be used to restore default permissions to AD
objects. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;281146 -- dsacls
syntax.
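An added example, not from the thread and not Steve's own script: a PowerShell script that applies the OU-locking approach he describes. It assumes the ActiveDirectory module (RSAT) and dsacls.exe are available, and the OU and group names are placeholders. It first refuses to proceed if any user account lives under the OU (the case Steve warns breaks password changes and user Group Policy), records the current ACL to a file as a second safety net beside the System State backup, then removes the broad Authenticated Users/Everyone entries and grants read to one specific group.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module and dsacls.exe.
# $OuDn and $ReaderGroup are placeholder values; replace them with your own.
param(
    [string]$OuDn        = 'OU=RestrictedApps,DC=example,DC=com',  # placeholder OU
    [string]$ReaderGroup = 'EXAMPLE\RestrictedApps-Readers',        # placeholder group
    [string]$BackupDir   = "$env:USERPROFILE\ad-acl-backups"
)

Import-Module ActiveDirectory

# 1. Safety check: users must keep read access to the container their own
#    account resides in, so refuse to touch an OU that holds user objects.
$usersInside = Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * -ErrorAction Stop
if ($usersInside) {
    throw "Refusing: $(@($usersInside).Count) user account(s) reside under $OuDn; " +
          "removing read here would break password changes and user GPO processing for them."
}

# 2. Record the current ACL before changing anything (in addition to a System State backup).
New-Item -ItemType Directory -Force -Path $BackupDir | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
dsacls $OuDn | Out-File -FilePath (Join-Path $BackupDir "ou-acl-$stamp.txt")

# 3. Remove all ACEs for the broad groups on the OU, then grant generic read (GR)
#    to the specific reader group, inherited by the OU's child objects (/I:T).
dsacls $OuDn /R 'NT AUTHORITY\Authenticated Users'
dsacls $OuDn /R 'Everyone'
dsacls $OuDn /I:T /G "${ReaderGroup}:GR"

# 4. Print the resulting ACL so the change can be reviewed before anyone relies on it.
dsacls $OuDn
```

If something goes wrong, `dsacls <OU DN> /S` resets that object to the schema default permissions, as Steve notes; the saved ACL dump tells you what the OU looked like before the change.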
 
Thanks Steve. By the way I'm curious. You answer a lot of my posts and are
obviously very knowledgeable.
1) do you hold any certifications? if so which ones?
2) Are you paid to participate in these MS newsgroups? meaning, do you work
for Microsoft directly or indirectly to provide this kind of assistance to
the general IT public?

The reason I ask is NOT because I doubt any of the information you give but
really just because I'm curious about different things that knowledgeable IT
folk can get involved in and what kind of certification, if any, they
typically have or require. Just poking around and what things I may like to
become involved in in the future.

Thanks,
-djc
 
Hi Djc.

Yes I hold some certifications. I am an A+ computer technician, an MCSE in
Windows NT4.0 and Windows 2000, and an MCSA in Windows 2003.

I am not paid to participate in newsgroups. I do it for fun, for learning,
and the satisfaction of helping others where I can. My only affiliation with
Microsoft is that I am an MVP in Windows Security. For more information on
Microsoft MVP program see the link below.



Certifications are a good way to show that you have a basic level of
knowledge for a product or technology. To pursue an MCSE you are forced to
learn and study many aspects of the operating system for wide-based
knowledge of it IF you do it for the purpose of learning it because you
want to learn it and be good at it and not to just have the
certification. --- Steve
 