I would strongly recommend an explicit deny, just remove the ability to read
https://www.microsoftpressstore.com/articles/article.aspx?p=2231764&seqNum=3 The above explains how to accomplish your goal, you'll need to adjust inheritance accordingly if you want it to apply down level. Note that this change may have greater impacts than just this. Nathan Shelby [email protected] 425-205-9047 On Thu, Jan 19, 2017 at 11:16 AM, Kennedy, Jim <[email protected] > wrote: > Putting up a wireless SSID for staff using a Cisco WCL. Best way to do > this is a straight OU lookup but I can only point it at one OU. There are > multiple OU’s I need to target that are all under ‘Elyriaschools’ > > > > > > > > > > > > As you can see Students have sub ou’s for the year they are allegedly > going to graduate. I want to deny read to all those years, the entirety of > the Students OU. You would think a deny on the account that does the LDAP > lookups on ‘Students’ would deny on all the sub OU’s. > > > > But it doesn’t, I have to put a deny on each Year. > > > > Am I missing something, can I do a single deny somehow on Students? Each > school year a new folder is created in Students for the incoming > Kindergarten folks….you know we will forget to do this next fall. >
