
Prevent viewing of list of users in another OU

Posted by chloe on November 3, 2006, 9:46 am
We have a hosted environment in which we are planning to implement a
single Forest/Domain model with an OU for each client (UsersOU1 for
Client 1 and UsersOU2 for Client 2). However, Client 1 does not want
the users of Client 2 being able to view their users in UsersOU1 (i.e.
they want the perception that they are the only client being serviced
by us).

I believe we can do this by removing 'List Content' rights from
UsersOU1 for Authenticated Users, but then individually allow the
'List Objects' permissions for users within their own OU. Is that
correct?

What are the gotchas, if any?


Posted by Steven L Umbach on November 3, 2006, 3:27 pm
That sounds like it should work. I suggest you try it on a test OU or test
domain first and be sure to back up the System State of at least one DC
before you implement changes so that you have a rollback plan. Just be sure
that the proper users can list/read or you may run into problems with them
changing their passwords and having Group Policy applied.

Steve


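Here is an added PowerShell example (not code from the thread) that puts the reply above into practice on a test OU: it lists who currently holds List Contents / List Object on the OU, removes Authenticated Users' List Contents entry from that OU only, and grants the client's own group List Contents, List Object and Read on the OU and its children, so the gotcha Steve names (users no longer able to read what they need for password changes and Group Policy) is avoided. The OU DN and group name are placeholders, the change is only previewed with -WhatIf, and it assumes the ActiveDirectory module's AD: drive.

```powershell
# Added example, not from the thread. Placeholders: the OU DN and the group name.
Import-Module ActiveDirectory

$ouDN        = 'OU=UsersOU1,DC=example,DC=com'   # placeholder: Client 1's OU
$clientGroup = 'EXAMPLE\Client1-Users'            # placeholder: group holding Client 1's users
$authUsers   = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'   # well-known SID: Authenticated Users
$lc = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren     # shown as "List Contents" in ADUC
$lo = [System.DirectoryServices.ActiveDirectoryRights]::ListObject       # shown as "List Object"

# Report every ACE on an object that can reveal its children: List Contents,
# List Object, or a generic right that includes them.
function Get-OuListingRights {
    param([string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object { $_.ActiveDirectoryRights -match 'ListChildren|ListObject|GenericRead|GenericAll' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
}

'--- Listing rights on the OU before the change ---'
Get-OuListingRights $ouDN | Format-Table -AutoSize

$acl = Get-Acl -Path "AD:\$ouDN"

# 1. Break inheritance on this OU but keep copies of the inherited ACEs, so the
#    Authenticated Users entry can be removed here without touching the parent.
$acl.SetAccessRuleProtection($true, $true)

# 2. Drop every Allow ACE for Authenticated Users that carries List Contents.
$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers -and
        (($_.ActiveDirectoryRights -band $lc) -ne 0)
    } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# 3. Let Client 1's own users list the OU and read the objects beneath it.
#    GenericRead on the OU and its children keeps Read on the user objects, which
#    the users still need for password changes and Group Policy processing.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    [System.Security.Principal.NTAccount]$clientGroup,
    ($lc -bor $lo -bor [System.DirectoryServices.ActiveDirectoryRights]::GenericRead),
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAccessRule($rule)

# Preview only. Remove -WhatIf after trying it on a test OU and backing up the
# System State of a DC, as the reply recommends.
Set-Acl -Path "AD:\$ouDN" -AclObject $acl -WhatIf
```

One caveat worth checking with Get-OuListingRights on a user object below the OU as well: removing List Contents stops enumeration of the OU, but it does not by itself remove the Read that Authenticated Users hold on the user objects themselves, so a principal that already knows an account's DN can still read that object until the child objects' ACLs are tightened too.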



Posted by Roger Abell [MVP] on November 3, 2006, 11:47 pm
So, if that gets you a little down the road, then I come
along and list out the account names by working with
the memberships in groups.





Posted by chloe on November 4, 2006, 4:46 pm
Hmm!! Interesting. Wouldn't that be addressed if the groups were
different for the two Clients and thus were used in the context of a
specific OU only?

I agree that this is becoming a management nightmare in having to
maintain permissions, but I am wondering if this would be a cheaper option
as compared to creating a domain per client only to prevent them from
seeing the list of users.

I am also looking at a product called Trusted Enterprise Manager, which
could be used to provide this functionality. However, the issue I have
is how to prevent these admins from then having access to native tools like
AD Users and Computers, to prevent them from accessing it natively
through AD.

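As an added example (not part of any post in this thread), here is a defender's audit for the point Roger raises and the per-client groups chloe proposes in answer to it. It flags two kinds of group whose member attribute would reveal one client's account names to another client's users: groups that mix accounts from more than one client OU, and groups that hold one client's accounts but sit outside that client's OU (for example in the default Users container), where the group object is normally readable by Authenticated Users. The OU DNs are placeholders and it assumes the ActiveDirectory module.

```powershell
# Added example, not from the thread. Placeholders: the client-to-OU map.
Import-Module ActiveDirectory

$clientOUs = @{
    'Client1' = 'OU=UsersOU1,DC=example,DC=com'
    'Client2' = 'OU=UsersOU2,DC=example,DC=com'
}

# Returns the client whose OU contains the given DN, or $null if the DN lies outside all of them.
function Get-ClientForDN {
    param([string]$DN, [hashtable]$ClientOUs)
    foreach ($name in $ClientOUs.Keys) {
        if ($DN -like "*,$($ClientOUs[$name])") { return $name }
    }
    return $null
}

# Walk every group and report the ones whose membership, read through the group's
# member attribute, would expose one client's account names to another client.
function Get-CrossClientGroups {
    param([hashtable]$ClientOUs)
    Get-ADGroup -Filter * -Properties member | ForEach-Object {
        $group       = $_
        $groupClient = Get-ClientForDN -DN $group.DistinguishedName -ClientOUs $ClientOUs

        # Distinct clients whose accounts are direct members of this group.
        $memberClients = @()
        foreach ($m in $group.member) {
            $c = Get-ClientForDN -DN $m -ClientOUs $ClientOUs
            if ($c -and $memberClients -notcontains $c) { $memberClients += $c }
        }

        $problem = $null
        if ($memberClients.Count -gt 1) {
            $problem = 'members from more than one client'
        } elseif ($memberClients.Count -eq 1 -and $groupClient -ne $memberClients[0]) {
            $problem = "group lives outside $($memberClients[0])'s OU"
        }

        if ($problem) {
            [pscustomobject]@{
                Group         = $group.DistinguishedName
                MemberClients = ($memberClients -join ', ')
                Problem       = $problem
            }
        }
    }
}

Get-CrossClientGroups -ClientOUs $clientOUs | Format-Table -AutoSize
```

An empty report means every group that contains a client's accounts is itself inside that client's OU, which is the precondition for the per-OU permissions to also cover the group objects; the audit only inspects direct membership, so re-run it after any change to nested groups.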


Posted by Steve Riley [MSFT] on November 4, 2006, 5:26 pm

You might also consider enabling something called the "list object"
access mode. Normally, an AD forest's access mode (not to be confused
with functionality modes) is "list content," which enables users to list
the contents of various containers. In list object mode, users can't
view the contents of containers unless they have explicit permissions to
do so.

There's a brief explanation of the differences and the steps on how to
configure list object mode here: http://www.chrisse.se/MAQB.asp?ID=34

A few years ago, when I was in MCS, I was involved in a project similar
to what you're describing: using AD in a hosted environment. We put
together some guidance, and I recommend that you follow the procedures
in our deployment guide. See
http://download.microsoft.com/download/win2000srv/spdep/101/NT5XP/EN-US/SP_AD_Deployment.doc.

______________________________________________________
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


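The following added PowerShell example is not from Steve Riley's post or the article he links; it shows how the list object access mode he describes is inspected and switched on. The mode is controlled by the third character (fDoListObject) of the dSHeuristics attribute on the Directory Service object in the Configuration partition, so the setting is forest-wide. The functions are mine, it assumes the ActiveDirectory module, and the change is previewed with -WhatIf rather than committed.

```powershell
# Added example, not from the post. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

# The Directory Service object holds dSHeuristics; it lives in the Configuration NC,
# so whatever is set here applies to the whole forest.
$dsServiceDN = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"

function Get-ListObjectMode {
    $obj = Get-ADObject -Identity $dsServiceDN -Properties dSHeuristics
    $h = [string]$obj.dSHeuristics          # $null (attribute unset) becomes ""
    # Each position of dSHeuristics is an independent switch; position 3 is fDoListObject.
    $enabled = ($h.Length -ge 3) -and ($h[2] -eq '1')
    [pscustomobject]@{
        dSHeuristics   = $h
        ListObjectMode = if ($enabled) { 'enabled' } else { 'disabled (default list contents mode)' }
    }
}

function Enable-ListObjectMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    $obj = Get-ADObject -Identity $dsServiceDN -Properties dSHeuristics
    $h = [string]$obj.dSHeuristics
    # Pad with '0' (the "default" value) up to position 3 without disturbing any
    # other heuristic already set, then put '1' in position 3. If you ever extend the
    # string to ten or more characters, note that the tenth must be '1', the
    # twentieth '2', and so on; this function never grows it past three.
    if ($h.Length -lt 3) { $h = $h.PadRight(3, '0') }
    $new = $h.Substring(0, 2) + '1' + $h.Substring(3)
    if ($PSCmdlet.ShouldProcess($dsServiceDN, "set dSHeuristics '$h' -> '$new'")) {
        Set-ADObject -Identity $dsServiceDN -Replace @{ dSHeuristics = $new }
    }
    return $new
}

Get-ListObjectMode
# Dry run: prints what would be written. Drop -WhatIf to commit, and only after
# trying it in a test forest, since the change affects every container at once.
Enable-ListObjectMode -WhatIf
```

Because the switch is forest-wide, the practical sequence is the one the thread already points at: confirm the mode with Get-ListObjectMode, grant List Object on the objects each client should see, then flip the mode, and re-check that users can still read their own objects and the OU's Group Policy links afterwards.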
