how to stop giving out account info?

djc

Jun 16, 2004
Archived from groups: microsoft.public.win2000.security

I was surprised to see that by just using My Network Places -> entire
network -> directory -> then right-clicking on the domain name and choosing
Find I could get so much account information! For instance, even though I
renamed my admin account following good practices, it's easy to see what it is
anyway by searching on 'admin'.. you can see the account plus the
administrators group, which you can double-click to see all the members of???
Any user can see all the groups and their membership, as well as all OU's
and what objects are in them. I guess since I am used to using the run box
and command prompt so often I have neglected to go see what regular users
may see.

How can I stop this? Although it's useful to be able to search AD like this
if you trust everyone.... nuff said. Trust no one. How do I stop publishing
secure information?

On a funny note: if you are a dope like me and did not know this was a
feature AND you named your OU's with names like 'AuditTheseFools' and
'IDontTrustTheseGuys' in order to link GPO's to them then you will be hoping
your users don't know about this feature either. hehe!

any info would be greatly appreciated.
 
Guest

There is a user configuration Group Policy you can implement to hide the
directory folder. Go to user configuration/administrative
templates/desktop/Active Directory to enable such. Note that will not stop
users from searching AD by other means. You can also hide AD objects by
managing the read permissions in their security properties. However this can
be tricky. For instance users do need read permissions for the domain
container, the container their account resides in, and I believe the domain
controller container. If they do not have read permissions they will not be
able to change their password and Group Policy user configuration will not
apply to them. However if you have a container such as an Organizational
Unit that users are not in, nor need to access anything in it you can remove
their read permissions from that OU. For instance you could have an OU with
specific users having permissions to it and then remove authenticated
users/everyone group permissions. Be sure to have a recent backup of the
System State for a domain controller before messing with AD permissions just
in case, though dsacls /s can be used to restore default permissions to AD
objects.. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;281146 -- dsacls
syntax.

"djc" <noone@nowhere.com> wrote in message
news:uc4CPautEHA.224@TK2MSFTNGP15.phx.gbl...
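An added audit script (not from the thread, and not Steve's or Microsoft's code) that lists which OUs still grant read rights to broad principals, so you know what every user can browse before pulling read access from an OU as Steve suggests. It assumes the RSAT ActiveDirectory PowerShell module (for Get-ADOrganizationalUnit and the AD: drive) on a domain-joined box; the OU name in the dsacls comments is a constructed placeholder.

```powershell
# Added example: find OUs readable by every user. Not part of the original thread.
Import-Module ActiveDirectory

# Principals whose read access makes an OU visible to any authenticated user.
$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Pre-Windows 2000 Compatible Access'   # on older domains this group often contains Everyone
)

# Rights that let a user enumerate an OU and read the objects inside it.
$ReadRights = [int]([System.DirectoryServices.ActiveDirectoryRights]::GenericRead -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
                    [System.DirectoryServices.ActiveDirectoryRights]::ListChildren)

$Findings = foreach ($ou in Get-ADOrganizationalUnit -Filter *) {
    $acl = Get-Acl -Path ("AD:\" + $ou.DistinguishedName)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.ActiveDirectoryRights -band $ReadRights) -eq 0) { continue }
        [pscustomobject]@{
            OU        = $ou.DistinguishedName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.ActiveDirectoryRights
            # An inherited ACE has to be dealt with at the parent or by blocking inheritance on the OU.
            Inherited = $ace.IsInherited
        }
    }
}

$Findings | Sort-Object OU | Format-Table -AutoSize

# For an OU that holds no user accounts and that its members never need to browse,
# the thread's mitigation is to remove the broad principal's rights with dsacls
# (syntax per KB 281146). Keep read access on the domain container and on the OUs
# that hold users, or password changes and user Group Policy break, as Steve notes.
# Review first, remove, then review again (shown as comments, not executed):
#   dsacls "OU=SensitiveOU,DC=example,DC=com"
#   dsacls "OU=SensitiveOU,DC=example,DC=com" /R "NT AUTHORITY\Authenticated Users"
#   dsacls "OU=SensitiveOU,DC=example,DC=com"
# If something breaks, dsacls /S /T on the OU resets it and its subtree to the schema defaults.
```

Take the System State backup Steve mentions before the /R step; /S only restores schema defaults, not any custom ACEs that were there before.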
 

djc

Thanks Steve. By the way I'm curious. You answer a lot of my posts and are
obviously very knowledgeable.
1) do you hold any certifications? if so which ones?
2) Are you paid to participate in these MS newsgroups? meaning, do you work
for Microsoft directly or indirectly to provide this kind of assistance to
the general IT public?

The reason I ask is NOT because I doubt any of the information you give but
really just because I'm curious about different things that knowledgeable IT
folk can get involved in and what kind of certification, if any, they
typically have or require. Just poking around and what things I may like to
become involved in in the future.

Thanks,
-djc

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:WDAdd.505554$8_6.377341@attbi_s04...
 
Guest

Hi Djc.

Yes I hold some certifications. I am an A+ computer technician, an MCSE in
Windows NT4.0 and Windows 2000, and an MCSA in Windows 2003.

I am not paid to participate in newsgroups. I do it for fun, for learning,
and the satisfaction of helping others where I can. My only affiliation with
Microsoft is that I am an MVP in Windows Security. For more information on
the Microsoft MVP program see the link below.

http://mvp.support.microsoft.com/

Certifications are a good way to show that you have a basic level of
knowledge for a product or technology. To pursue an MCSE you are forced to
learn and study many aspects of the operating system for wide-based
knowledge of it IF you do it for the purpose of learning it because you
want to learn it and be good at it and not just to have the
certification. --- Steve


"djc" <noone@nowhere.com> wrote in message
news:OPYZuv3tEHA.3156@TK2MSFTNGP12.phx.gbl...
 

djc

ok. Thanks for the info Steve. And thanks for all the help!
-djc

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:Nu_dd.284897$MQ5.164061@attbi_s52...