Re: [ActiveDir] HIDE OU

[Za Vue]

Prying eyes of junior admins? I managed my own AD environment and do not hide any OU or User and we are not trusted with our main campus AD, however, the undergraduate departments are part of the campus AD. It took a year to figure why no one can rename a computer. The computer have to disjoin the domain, rename, and and then rejoin the domain, that is the only way. The main AD guys just said that is the way it is so live with it. I was asked by 2 departments to test it in my domain. I have no problem renaming computer accounts in AD. So we renamed a whole lab w/o any issue. They must have asked for Microsoft's help, and it turned out that the "Builtin" OU was hidden for security reason. For what reason I didn't ask. Authenticated users need READ access to that OU. Why? Microsoft does not know. So after they figured it out I wanted to see how they hide that OU.  One way to modify(hide) OUs and Users is to use ldifde.exe. I tested and it did work. So there is my solution. -Z.V. Al Mulnick wrote: I think that's a nice segueway back to asking, "why?"   What is it you need to accomplish that you would hide the OU and it's objects?   On 6/1/06, Timo Ed <[EMAIL PROTECTED]> wrote: be careful doing that... if you have users in that container and you do not give both the client machine and the user certain read props then policy will break, among other things. If your just trying to hide from AD mmc's then you can set the ShowAdvanceViewOnly attrib which will hide the object unless the admin has enabled 'Advanced View'. Rgds, Tim On 6/2/06, Daniel Gilbert <[EMAIL PROTECTED]> wrote: > We created OU's and removed all users except for Domain Admins (of > course we left the SYSTEM access).  The OU never shows up for > non-Domain Admins. > > Domain Admins have full access to the OU and can add as many objects as > they want. > > Dan List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx