Simplest solution is the one you mentioned. Otherwise you can set the third byte in the DSHEURISTICS attribute to 1, i.e. xx1 – leave the other two values alone, as they influence your ANR set and how search results get returned. This enables the list permission in AD.

With this permission enabled you’ll use list and list content permissions to limit the visibility of objects in AD.

From: Dave Fugleberg [mailto:[EMAIL PROTECTED]
Sent: 22 July 2005 03:16 PM
To: [email protected]
Subject: [ActiveDir] Hiding an OU

I have an OU (call it OUX) that contains a bunch of OUs, which contain users. I want to hide the OU so that only administrators and members of one specific group can see it if they browse the directory (say with Windows 2000, or LDP).

I also want any new OUs or other objects that I create under OUX to get the same treatment. I don't care if others can see OUX itself.

I know that Authenticated Users gets lots of read permissions on new objects from the default security descriptors (these have not been changed). This domain also has Everyone still in the Pre-Windows 2000 Compatible Access group, because nobody has taken time to figure out if it can be removed without screwing anything up. The domain is W2K native with some W2K3 DCs and no clients below NT4 SP4.

I figured out a way to do most of this, but I was hoping the experts here could tell me how they would approach the issue. My solution ended up blocking inheritance and removing the read permission for each sub-OU manually...

Thanks!
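
Checking and setting the flag described in the reply above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) and write access to the Configuration partition; the function name `Get-ListObjectHeuristics` is made up for this illustration.

```powershell
# Added example (not from the thread): enable List Object mode by setting
# the third character of dSHeuristics to 1 while preserving the others.
Import-Module ActiveDirectory

function Get-ListObjectHeuristics {
    # Hypothetical helper: returns the dSHeuristics string with position 3 = '1'.
    param([string]$Current)

    # An unset attribute behaves like all zeros, so pad to at least 3 characters.
    if ([string]::IsNullOrEmpty($Current)) { $Current = '' }
    $chars = $Current.PadRight(3, '0').ToCharArray()

    # Characters 1 and 2 control ANR behaviour and are left untouched.
    $chars[2] = '1'
    return (-join $chars)
}

# dSHeuristics lives on the Directory Service object in the Configuration
# partition, so the change applies to the whole forest.
$configNC = (Get-ADRootDSE).configurationNamingContext
$dn       = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$old = (Get-ADObject -Identity $dn -Properties dSHeuristics).dSHeuristics
$new = Get-ListObjectHeuristics -Current $old

"Current  dSHeuristics: '{0}'" -f $old
"Proposed dSHeuristics: '{0}'" -f $new

if ($old -ne $new) {
    # -WhatIf only reports the change; remove it to write the new value.
    Set-ADObject -Identity $dn -Replace @{ dSHeuristics = $new } -WhatIf
}
```

The flag only changes how access checks are evaluated; the OU stays visible until the List Contents and List Object permissions on it are adjusted as the reply describes.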
- RE: [ActiveDir] Hiding an OU Nicolas Blank