With an explicit deny on ‘Students’ they can still read Students\2017 and so on.
From: [email protected] [mailto:[email protected]] On Behalf Of Nathan Shelby Sent: Thursday, January 19, 2017 3:08 PM To: [email protected] Subject: Re: [NTSysADM] Deny read on an OU Tree I would strongly recommend an explicit deny, just remove the ability to read https://www.microsoftpressstore.com/articles/article.aspx?p=2231764&seqNum=3 The above explains how to accomplish your goal, you'll need to adjust inheritance accordingly if you want it to apply down level. Note that this change may have greater impacts than just this. Nathan Shelby [email protected]<mailto:[email protected]> 425-205-9047 On Thu, Jan 19, 2017 at 11:16 AM, Kennedy, Jim <[email protected]<mailto:[email protected]>> wrote: Putting up a wireless SSID for staff using a Cisco WCL. Best way to do this is a straight OU lookup but I can only point it at one OU. There are multiple OU’s I need to target that are all under ‘Elyriaschools’ [cid:[email protected]] As you can see Students have sub ou’s for the year they are allegedly going to graduate. I want to deny read to all those years, the entirety of the Students OU. You would think a deny on the account that does the LDAP lookups on ‘Students’ would deny on all the sub OU’s. But it doesn’t, I have to put a deny on each Year. Am I missing something, can I do a single deny somehow on Students? Each school year a new folder is created in Students for the incoming Kindergarten folks….you know we will forget to do this next fall.
