Unless your AD is in List Object Mode (unlikely and not really recommended usually), the ACL on every single object isn't evaluated before returning search results.

Denies also work a little differently in AD than on the file system, so this probably isn't something you want.

Thanks,
Brian Desmond
w - 312.625.1438 | c - 312.731.3132

From: [email protected] [mailto:[email protected]] On Behalf Of Kennedy, Jim
Sent: Thursday, January 19, 2017 1:17 PM
To: '[email protected]' <[email protected]>
Subject: [NTSysADM] Deny read on an OU Tree

Putting up a wireless SSID for staff using a Cisco WLC. The best way to do this is a straight OU lookup, but I can only point it at one OU. There are multiple OUs I need to target that are all under 'Elyriaschools'.

[inline image: OU tree]

As you can see, Students has sub-OUs for the year they are allegedly going to graduate. I want to deny read to all those years, the entirety of the Students OU. You would think a deny on the account that does the LDAP lookups on 'Students' would deny on all the sub-OUs. But it doesn't; I have to put a deny on each Year. Am I missing something? Can I do a single deny somehow on Students? Each school year a new folder is created in Students for the incoming Kindergarten folks... you know we will forget to do this next fall.
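One way to see why the per-year denies were needed, as an added example that is not from either poster: a PowerShell audit that walks the Students OU tree and reports, for each OU, whether a Deny ACE for the lookup account exists and whether it was inherited from the parent or placed explicitly. The OU DN and the account name are placeholders.

```powershell
# Added example (not from the thread): audit Deny ACEs for the LDAP lookup
# account across the Students OU tree. A Deny on the parent with
# InheritanceType 'None' explains why every child OU needed its own Deny.
# Assumptions (placeholders, not from the thread): the OU DN and account name.
Import-Module ActiveDirectory

$StudentsOU = 'OU=Students,OU=Elyriaschools,DC=example,DC=local'  # placeholder DN
$LookupAcct = 'EXAMPLE\svc-wlc-ldap'                              # placeholder account

# Subtree search returns Students itself plus every graduation-year OU beneath it
$ous = Get-ADOrganizationalUnit -Filter * -SearchBase $StudentsOU -SearchScope Subtree

foreach ($ou in $ous | Sort-Object DistinguishedName) {
    # The AD: PSDrive exposes each object's security descriptor via Get-Acl
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)

    $denies = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $LookupAcct
    }

    if (-not $denies) {
        Write-Output "$($ou.DistinguishedName): NO deny for $LookupAcct (still readable)"
        continue
    }

    foreach ($ace in $denies) {
        # IsInherited=$true on a child means the parent's ACE actually flowed down;
        # IsInherited=$false on a child means someone added it by hand, per year.
        Write-Output ("{0}: Deny {1} inherited={2} inheritanceType={3}" -f
            $ou.DistinguishedName, $ace.ActiveDirectoryRights,
            $ace.IsInherited, $ace.InheritanceType)
    }
}
```

Run it as an account that can read the OU security descriptors; a new year OU with no Deny line is the case the original poster worried about forgetting.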

