Archived from groups: microsoft.public.win2000.security (
More info?)
I don't consider it a security loophole. AD is supposed to be available for users to
find resources which may include who the administrators are. If you don't want
someone to see the administrators in AD then put the admin accounts in their own OU
and do not give users/everyone any permissions to that OU and they will not be able
to see them. Also administrators and all users need to use complex passwords and any
administrator that cares about security would have auditing of account logon events,
logon events, and account management enabled and have an account lockout policy that
has a lockout threshold of no less than ten bad attempts. It would be very obvious
when a user on the lan would be trying to hack an administrators account which would
get that user fired and escorted to the door by security in most businesses. ---
Steve
"Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
news:812A5A7C-2ED1-436E-AAF8-F39720187AB7@microsoft.com...
>
> If there is a security loophole in AD? If a user know which users belonged to
Domain Admins or Administrators, he could try to just hack the password for those
Administrators to be able to get full access rights. In addition, he also know
whole domain information, such as user personal information, group policies applied
to different groups, OUs, which server is domain controllers, ..., etc.
>
> Why a normal domain users could access to AD tree?
>
>
>
>
> "Steven Umbach" wrote:
>
> > A regular user can "see" items in AD but will not be able to do anything such as
> > modify/create objects with restricted permissions. You can set permissions on AD
> > objects much like ntfs permissions however if a user does not have access to
> > some objects, then they will not be able to change their password or have Group
> > Policy applied to them. I would not restrict access to the domain container,
> > domain controllers container, or the container/OU where their user account
> > resides. You could for instance remove all their permissions from an OU that
> > their account is not in, nor need access to anything in it. There is also a
> > Group Policy setting under user configuration/administrative
> > templates/desktop/active directory - hide active directory folder that may help
> > restrict casual browsing of AD. --- Steve
> >
> >
> > "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
> > news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
> > >
> > > Once a user computer install "adminpak.msi" and joined a domain, And then he
> > logon as domain user and run the "Active Directory Users and Groups" and other
> > AD utilities, he could be able to view the AD contents such as all Servers, all
> > Account Information, all Group Policies, ...?
> > >
> > > Other than restrict the users to install the adminpak.msi and use the AD
> > utilties in his computer, how I could set in AD to restrict or disable the users
> > to read the AD contents?
> > >
> > >
> > >
> >
> >
> >