Hiding the user from the ADUC and other LDAP-based tools would be fairly trivial; you just have to throw the users into an OU with locked down perms (like only let the admin groups and system have access) and then strip the perms on the user objects themselves of everything but administrators.
However, the problem is going to be with anyone using legacy API calls (NET USER, NET GROUP, NET LOCALGROUP, numerous third party tools, WinNT Provider). I believe that is all processed by the Domain Controller as localsystem so it would bypass all of the delegation. I could be wrong on that assessment but I don't think so. You can't lock the IDs out from localsystem access. I mean you could try, and if it actually let you and worked I would expect you would have some serious issues.

  joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 20, 2004 2:00 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] hidding users

Is there an attribute I can set in adsiedit, ldp, etc. to hide a user from appearing in the usual admin GUI utilities like aduc? Also, when you look in group membership, to not have s(he) appear there as well?

Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
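
An added example, not part of the original thread: a PowerShell audit that lists user objects matching the ACL pattern described in the reply above (inheritance blocked, or no read access left for ordinary accounts on the user or its parent OU). It assumes the ActiveDirectory module and a domain admin session, since the locked-down objects stay visible to administrators; `DC=example,DC=com` is a placeholder.

```powershell
Import-Module ActiveDirectory

# Assumption: placeholder search base, replace with your own domain DN.
$searchBase = 'DC=example,DC=com'

# Well-known SIDs through which ordinary accounts normally get read access.
$broadReaders = @(
    'S-1-5-11',      # Authenticated Users
    'S-1-1-0',       # Everyone
    'S-1-5-32-554'   # Pre-Windows 2000 Compatible Access
)
$readBits = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
$sidType  = [System.Security.Principal.SecurityIdentifier]

# Hypothetical helper: summarises one object's DACL. Only Allow ACEs are
# examined; an explicit Deny ACE for a broad group is not detected here.
function Get-ReadExposure {
    param([string]$DistinguishedName)
    $acl  = Get-Acl -Path ("AD:\" + $DistinguishedName) -ErrorAction Stop
    $hits = $acl.GetAccessRules($true, $true, $sidType) | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broadReaders -contains $_.IdentityReference.Value -and
        ($_.ActiveDirectoryRights -band $readBits) -ne 0
    }
    [pscustomobject]@{
        Protected = $acl.AreAccessRulesProtected   # inheritance blocked
        BroadRead = [bool]$hits                    # any broad read ACE left
    }
}

Get-ADUser -Filter * -SearchBase $searchBase | ForEach-Object {
    $user   = $_
    # Parent DN: drop the first RDN, allowing for escaped commas in it.
    $parent = $user.DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''
    $self   = Get-ReadExposure $user.DistinguishedName
    $ou     = Get-ReadExposure $parent
    if (-not $self.BroadRead -or -not $ou.BroadRead) {
        [pscustomobject]@{
            User            = $user.SamAccountName
            Parent          = $parent
            UserProtected   = $self.Protected
            UserBroadRead   = $self.BroadRead
            ParentBroadRead = $ou.BroadRead
        }
    }
}
```

Accounts protected by AdminSDHolder also have inheritance blocked but normally keep a read ACE for Authenticated Users, so they do not appear in the output.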
