
I am delegating a group of users to a specific person to be able to keep up with their account management, and I have delegated them the authority to do this to just this group. Is there a way that I can also restrict that same person from viewing the group policies or other organizational units in ADUC?

Thanks for your time in advance.

Cory R. Platt
    What do you think you're going to gain from this? By default *any* user can view *any* Group Policy that you're applying to them (or any group policy in the domain for that matter). Also, *any* user has read access to almost all objects in AD, even before delegation. Just because they don't have ADUC installed doesn't mean that they don't have access to view these objects by other means. This isn't a security issue in and of itself. What are you actually trying to solve? – MDMarra Apr 06 '13 at 23:33
  • 3
    @MDMarra I'm not sure about OP's case in particular, or how good of an idea it is really, but I have definitely seen multitenant environments where it was mandated by company security policy that members of certain OUs mustn't be allowed to browse the contents of other people's OUs. So in that case, Object List mode can be appropriate. But it's definitely not a decision that should be made lightly. In fact it has downsides, so it should only be used as a last resort. http://blogs.technet.com/b/askds/archive/2011/06/17/friday-mail-sack-gargamel-edition.aspx#listobject – Ryan Ries Apr 06 '13 at 23:51

2 Answers


Yes, but it's complicated. What you need to do is put your domain in List Object mode. It's done by setting the third number in the dsHeuristics attribute in the configuration naming context to 1 in ADSI edit.

http://technet.microsoft.com/en-us/library/cc546864.aspx

Once you've done that, you will unlock List Object mode, which you will see as a new permission or ACE that you can assign to Active Directory objects.

It's reminiscent of the "bypass traversal checking" privilege in Windows security that allows a user to traverse a folder that they do not have permissions to in order to get to a folder that they do have permissions to.

You mostly see AD List Object mode used in multi-tenant environments where you have multiple customers sharing the same AD domain, and you don't want them to be able to see one another's stuff.

Keep in mind though, that you'll run into Group Policy application errors on your clients unless you are very, very precise with your permissions. The GP engine on a client needs read gpLink, read gpOptions, read cn and read Distinguished Name on every OU in the chain from where they reside all the way up to the root of the domain, or else GPO application will fail.

Ryan Ries
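The dsHeuristics change described in this answer, as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is available and the account has rights to modify the Directory Service object in the Configuration partition; it flips only the third character and leaves every other position untouched, since dsHeuristics is a positional flag string.

```powershell
# Added example (not from the original answer): enable List Object mode by
# setting the third character of dsHeuristics (fDoListObject) to '1'.
# Assumes the ActiveDirectory module and rights on the Configuration NC.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$ds      = Get-ADObject -Identity $dsPath -Properties dsHeuristics
$current = if ($ds.dsHeuristics) { [string]$ds.dsHeuristics } else { '' }
Write-Host "Current dsHeuristics: '$current'"

# dsHeuristics is positional: unset positions are '0', and the 3rd character
# controls List Object mode. Pad with '0' (never truncate) so existing flags
# keep their positions, then set position 3. Padding only as far as position 3
# also avoids the rule that every 10th character must equal its position number.
$chars    = $current.PadRight(3, '0').ToCharArray()
$chars[2] = '1'
$new      = -join $chars

if ($new -ne $current) {
    Set-ADObject -Identity $dsPath -Replace @{ dsHeuristics = $new }
    Write-Host "dsHeuristics set to '$new' (List Object mode enabled)"
} else {
    Write-Host "List Object mode already enabled; nothing changed"
}

# Read back to confirm the write landed on the Configuration NC object.
(Get-ADObject -Identity $dsPath -Properties dsHeuristics).dsHeuristics
```

After this, the "List Object" permission appears in the ACL editor and must be granted deliberately; the read permissions on gpLink, gpOptions, cn and distinguishedName noted above still have to be present on every OU up the chain or Group Policy processing will fail.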

Hopefully this may help:

Guide to Custom MMC

Lloyd
    Answers that are primarily just a link aren't as useful as ones that actually explain the solution. What happens when MSMVPs.com goes down, or changes the site structure in a way that breaks the link? – Hyppy Dec 15 '14 at 17:44