Stealthed user

[brian]

I have heard a rumor that it is possible to create a stealth user account
where only the stealth user is aware of the account, the domain admin and
above cannot see the stealthed acount in the AD

is this true or false?

 

[Herb Martin]

Since an Admin would need to do this, what would be the point?

If you are concerned that a "trojan" or "hacker" might do this, first
recognize it would take an elevation of privileges to accomplish and
then the account would only be relatively hidden.

You can probably accomplish it (I haven't tried this but it's the way
the system works) by using PERMISSIONS on the Active Directory
objects -- of course auditing would catch the creation or management
of objects.

Just deny read on the account object and it's parent OU (the OU will
still be visible from above so this isn't really stealth.)