View whole AD with adminpak.msi

[Guest]

How I could restrict after a normal domain user installed "adminpak.msi" to his workstation and run "Active Directory Management" to have casual view of all AD contents?

I have tried to apply Local Group Policy (user configuration/administrative templates/destop/active directory - hide active directory folder) which still not work to restrict this normal users to see AD contents? This normal users could be able to run "Group Policy Management" to check the loopholes on what he could bypass them?

It is because the AD contents are very sensitive including personal information and also related company policies to special group of people.

 

[Joe Richards [MVP]]

You can't stop people from looking at AD unless you secure AD itself. This can
be fun because you can quickly break things. The thing is that adminpak is just
one of many many tools for looking at AD so trying to block those tools, it
pretty unhelpful if the people truly want to get in. GPOs are especally fun
because you can simply open the gpo text files in sysvol and look directly at
them if you want. They have to be readable to the user or else the user can't
apply them.

 

[Guest]

Sorry that I don't understand how to "secure AD" itself ...

 

[Joe Richards [MVP]]

This is the AD delegation whitepaper and appendix. Read them both in their
entirety to start.


http://www.microsoft.com/downloads/...a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

http://www.microsoft.com/downloads/...88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en