Title: Re: [ActiveDir] hitting users
Alternatively, you could just delete all the users.  It would have about the same effect as removing localsystem access, but I find it to be a cleaner solution.  This would also solve the problem of those nasty little legacy API calls. ; )

But maybe what you really want, Tom, is to provide a view into your directory for your delegated admins?  I don't think you ever actually said why you want to do this.  If my assumption is correct, there are tons of example web apps that can give those admins a view into the directory to see their users and no one else's.  Then you could just set up a group policy to keep the various and sundry admin tools from being executable unless on a pre-designated admin workstation.


> From: joe <[EMAIL PROTECTED]>
> Reply-To: <[EMAIL PROTECTED]>
> Date: Thu, 27 May 2004 19:32:56 -0400
> To: <[EMAIL PROTECTED]>
> Subject: RE: [ActiveDir] hidding users
>
> Hiding the user from the ADUC and other LDAP based tools would be fairly
> trivial; you just have to throw the users into an OU with locked down perms
> (like only let the admin groups and system have access) and then strip the
> perms on the user objects themselves of everything but administrators.
>
> However, the problem is going to be with anyone using legacy API calls (NET
> USER, NET GROUP, NET LOCALGROUP, numerous third party tools, WinNT
> Provider). I believe that is all processed by the Domain Controller as
> localsystem so it would bypass all of the delegation. I could be wrong on
> that assessment but I don't think so. You can't lock the IDs out from
> localsystem access. I mean you could try and if it actually let you and
> worked I would expect you would have some serious issues.
>
>   joe
>
>  
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
> Sent: Thursday, May 20, 2004 2:00 PM
> To: ActiveDir (E-mail)
> Subject: [ActiveDir] hidding users
>
> Is there an attribute I can set in adsiedit, ldp, etc. to hide a user from
> appearing in the usual admin GUI utilities like ADUC?
> Also, when you look in group membership, to not have s(he) appear there as
> well?
> Thanks
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>
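A check for the caveat Joe raises above, added here as an example and not part of the thread: run it as the delegated admin whose view you are restricting and it reports whether a given account is still reachable through LDAP, the legacy WinNT provider, and NET USER. It assumes the RSAT ActiveDirectory module is installed; $SamAccountName and $Domain are parameters you supply.

```powershell
# Added example (not from the thread). Run as the delegated admin to see
# whether an OU/object ACL "hide" also holds for the legacy paths.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [string]$Domain = $env:USERDOMAIN   # NetBIOS domain name (assumption)
)

$result = [ordered]@{}

# LDAP path: what ADUC, ADSI Edit and LDP use; this is what the OU ACL governs.
try {
    $null = Get-ADUser -Identity $SamAccountName -ErrorAction Stop
    $result['LDAP (Get-ADUser)'] = 'visible'
} catch {
    $result['LDAP (Get-ADUser)'] = 'hidden/denied'
}

# Legacy WinNT ADSI provider: the path the message says may bypass delegation.
try {
    $entry = [ADSI]"WinNT://$Domain/$SamAccountName,user"
    $entry.RefreshCache()          # forces the bind; throws if not found/denied
    $result['WinNT provider'] = 'visible'
} catch {
    $result['WinNT provider'] = 'hidden/denied'
}

# NET USER /domain: the SAM-RPC path used by the old command-line tools.
$null = & net user $SamAccountName /domain 2>&1
$result['NET USER /domain'] = if ($LASTEXITCODE -eq 0) { 'visible' } else { 'hidden/denied' }

# One row per path; any 'visible' entry means the hide does not cover that path.
[pscustomobject]$result
```

If the LDAP row says hidden but either legacy row says visible, the ACL change alone is not hiding the account, which is the point of the reply above.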
