As stated, you can do that with GPO if you know which app you want to block. You could go so far to block using the hash features if you want to grab apps that aren't MMC based. Just wanted to be sure you got a complete answer :)
Al -----Original Message----- From: Douglas M. Long [mailto:[EMAIL PROTECTED] Sent: Thursday, January 08, 2004 11:48 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Don't want users to view Directory Info Thanks for the comments. Really just wanted to eliminate an easily accessable, easy to use GUI based tool. Ya know.... -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1) Sent: Wednesday, January 07, 2004 5:49 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Don't want users to view Directory Info agreed, blocking the tools won't help bit - the users will already get quite far simply by using the built-in "Find People" feature (with "Look in" set to Active Directory) and there are many other powerful LDAP browsers for easy download. With Win2k clients you could also easily "browse" through the Network Neighboorhood - can't get much simpler. So it really comes down to restricting read-access on the OUs you don't want everyone to browse through (but you need to know what you're doing...) /Guido -----Original Message----- From: Mulnick, Al [mailto:[EMAIL PROTECTED] Sent: Mittwoch, 7. Januar 2004 21:04 To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] Don't want users to view Directory Info Are you talking about blocking the ADU&C MMC? If so, that's a GPO that prevents the use of MMC's or that specific MMC from initiating. FWIW, you aren't buying much by keeping them from opening any one particular app for reading purposes. The idea of an LDAP directory is the ability to read things really fast. Your users have almost limitless avenues to read the directory, i.e. scripts (easily downloaded), applications(LDP for example), etc. If your permissions are appropriate, is there harm in them reading the directory that's worth the overhead of blocking one particular tool? Al -----Original Message----- From: Douglas M. Long [mailto:[EMAIL PROTECTED] Sent: Wednesday, January 07, 2004 1:35 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Don't want users to view Directory Info OK, so I thought there as a GPO that I could set so that a "domain user" could not just open up ADUC and look at everything. Am I just blind, or is there something else I have to do? List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
