#1
Prevent Domain Users From Browsing Around in Active Directory?

I set up a custom Taskpad for users that had a need to edit description fields for computer accounts in certain OUs. It seemed fine until I noticed it was pretty easy to accidentally or purposefully break out of their assigned OU in the Taskpad view and end up browsing the entire directory structure. Even though I removed most of the menus and toolbars, all they have to do is right click to get around this.

I also noticed that if any domain user downloads and installs the Active Directory Users and Computers tool on their XP machine, they can view the entire Active Directory structure when they have no business doing that.

Is there any way to block random domain users from browsing around in AD without the restriction causing problems with their needed permissions for authentication or changing their passwords?

#2
Re: Prevent Domain Users From Browsing Around in Active Directory?

In news:FB9B6751-DC89-45B6-9FD1-AAC714C8ECED@microsoft.com, Mygposts <Mygposts@discussions.microsoft.com>, posted the following:

> I set up a custom Taskpad for users that had a need to edit description fields for computer accounts in certain OUs. It seemed fine until I noticed it was pretty easy to accidentally or purposefully break out of their assigned OU in the Taskpad view and end up browsing the entire directory structure. Even though I removed most of the menus and toolbars, all they have to do is right click to get around this.
>
> I also noticed that if any domain user downloads and installs the Active Directory Users and Computers tool on their XP machine, they can view the entire Active Directory structure when they have no business doing that.
>
> Is there any way to block random domain users from browsing around in AD without the restriction causing problems with their needed permissions for authentication or changing their passwords?

When you create the custom MMC, do not allow context menus, otherwise you will see the results you are currently experiencing.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSA Messaging, MCT
Microsoft Certified Trainer
aceman@mvps.RemoveThisPart.org

For urgent issues, you may want to contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.

#3
Re: Prevent Domain Users From Browsing Around in Active Directory?

This is MMC 3.0. I don't see any option to turn that off. Users can still right click empty space and choose View, Advanced Features and it then pops them out of the desired OU to the root of the domain.

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> When you create the custom MMC, do not allow context menus, otherwise you will see the results you are currently experiencing.
>
> --
> Ace

#4
Re: Prevent Domain Users From Browsing Around in Active Directory?

In news:94E335DE-7162-4C5A-B976-B8244B06CF92@microsoft.com, Mygposts <Mygposts@discussions.microsoft.com>, posted the following:

> This is MMC 3.0. I don't see any option to turn that off. Users can still right click empty space and choose View, Advanced Features and it then pops them out of the desired OU to the root of the domain.

It's a matter of which options you've chosen. Version 2 and 3 are pretty much the same, just look a little different. Follow this sequence. This is a guideline. You can customize this as well.

Custom ADUC MMC:

The last ones I created for one client, and one for each 'location' OU, I left the rt-click context, and the tree view (left pane and right pane), but I removed everything else including the file menu buttons and such. So under View, Customize, uncheck everything except the top one that says Console Tree. This way they can't go up a level or click any of the things in there. But they will have the rt-click feature.

MMC 2 and 3 are the same:
Start/run/mmc enter
File/Add Remove Snap-in/Add ADUC
Drill down under the domain to the OU you want.
Rt-click on that OU, new window from here.
A new window pops up with the OU in the left pane and the contents in the right pane.
Close the original ADUC window leaving the new window you just created.
Expand the window to take up the whole console.
Now they will not be able to go up levels and are 'stuck' in this OU.
View/Customize
Uncheck everything but Console Tree.
File/Options
Choose Console Mode: User mode: Limited Access, single window
Check: Do not Save Changes to this console
Uncheck: Allow the user to customize views
Save it.
Logon as a test user delegated whatever perms to do on those users and test it.

If you want to eliminate the rt-clicking on a user account, uncheck the Console Tree above and change the console view by rt-clicking on the OU, choose New Task View, and choose a vertical or horizontal list, then choose to create a new task, menu command, highlight a user account, choose reset password, or anything else in the right column, choose an icon, and finish.

Copy the MSC file via a UNC connected to the delegated person's workstation's Doc and Settings\username\desktop folder.

Then copy over two DLL files to their system32 folder:

adprop.dll (for object properties)
dsadmin.dll (ability to alter object properties)
dsprop.dll (for object properties related to directory services)

(All three of these are needed on a 2003 DC or the ADUC won't open. However, on a client machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll).

Then I use PSEXEC to regsvr32 them into their machines. Then email them or call them and tell them to get off their butts and get working...

Ace

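The requirement behind all of the console trimming above is narrow: these users only need to edit the description field of computer accounts in particular OUs. The following is an added example, not Ace's or the thread's own code, showing how to grant exactly that with a single ACE scoped to one attribute, one object class and one OU, using the RSAT ActiveDirectory module (a later tool than the XP/2003-era consoles discussed here). The OU distinguished name and the group name are placeholders. This does not stop users from seeing the rest of the tree, since that is read access they already hold; what it guarantees is that breaking out of the console gains them nothing they can change.

```powershell
# Added example (not from the thread): delegate write access to the 'description'
# attribute of computer objects under one OU, and nothing else.
# Assumed placeholders: the OU DN and the delegated group's name.
Import-Module ActiveDirectory

# Look up a schema object's schemaIDGUID by LDAP display name, so the GUIDs
# come from this forest's schema instead of being hard-coded.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}

function Grant-ComputerDescriptionWrite {
    param(
        [Parameter(Mandatory)][string]$OuDn,       # placeholder, e.g. 'OU=Workstations,OU=Site1,DC=example,DC=com'
        [Parameter(Mandatory)][string]$GroupName,  # placeholder, e.g. 'Computer-Description-Editors'
        [switch]$Apply                             # without -Apply the ACE is only previewed
    )
    $group = Get-ADGroup -Identity $GroupName
    $sid = [System.Security.Principal.SecurityIdentifier]$group.SID
    $descriptionGuid = Get-SchemaGuid -LdapDisplayName 'description'
    $computerGuid    = Get-SchemaGuid -LdapDisplayName 'computer'

    # ObjectType = the one attribute granted; InheritedObjectType = the object
    # class the ACE applies to; Descendents = children only, so the OU object
    # itself stays read-only for this group.
    $ruleArgs = @(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $descriptionGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $computerGuid
    )
    $ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs

    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.AddAccessRule($ace)
    if ($Apply) {
        Set-Acl -Path "AD:\$OuDn" -AclObject $acl
    }

    # Return the ACE as it will appear in the OU's ACL, for review and change records
    [pscustomobject]@{
        OU             = $OuDn
        Identity       = $group.SamAccountName
        Rights         = $ace.ActiveDirectoryRights
        Attribute      = 'description'
        AppliesToClass = 'computer'
        Inheritance    = $ace.InheritanceType
        Applied        = [bool]$Apply
    }
}

# Usage (placeholder values): preview first, then re-run with -Apply once the output is right.
Grant-ComputerDescriptionWrite -OuDn 'OU=Workstations,OU=Site1,DC=example,DC=com' -GroupName 'Computer-Description-Editors'
# Grant-ComputerDescriptionWrite -OuDn 'OU=Workstations,OU=Site1,DC=example,DC=com' -GroupName 'Computer-Description-Editors' -Apply
```

Run it as an account that can modify the OU's security descriptor, and test afterwards with a member of the group as Ace suggests: the member should be able to change a computer's description and nothing else, whichever console they open it from.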
#5
Re: Prevent Domain Users From Browsing Around in Active Directory?

Unfortunately, that did not work. The user can still right click on empty space, select VIEW, ADVANCED FEATURES and they are no longer stuck in the OU. They are popped back out at the root of the domain where they may get lost or browse around nosily. I am not worried about them right clicking on objects in the OU they are assigned, but I need to force them to stay in that OU.

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> In news:94E335DE-7162-4C5A-B976-B8244B06CF92@microsoft.com, Mygposts <Mygposts@discussions.microsoft.com>, posted the following:
>
> > This is MMC 3.0. I don't see any option to turn that off. Users can still right click empty space and choose View, Advanced Features and it then pops them out of the desired OU to the root of the domain.
>
> It's a matter of which options you've chosen. Version 2 and 3 are pretty much the same, just look a little different. Follow this sequence. This is a guideline. You can customize this as well.
>
> Custom ADUC MMC:
>
> The last ones I created for one client, and one for each 'location' OU, I left the rt-click context, and the tree view (left pane and right pane), but I removed everything else including the file menu buttons and such. So under View, Customize, uncheck everything except the top one that says Console Tree. This way they can't go up a level or click any of the things in there. But they will have the rt-click feature.
>
> MMC 2 and 3 are the same:
> Start/run/mmc enter
> File/Add Remove Snap-in/Add ADUC
> Drill down under the domain to the OU you want.
> Rt-click on that OU, new window from here.
> A new window pops up with the OU in the left pane and the contents in the right pane.
> Close the original ADUC window leaving the new window you just created.
> Expand the window to take up the whole console.
> Now they will not be able to go up levels and are 'stuck' in this OU.
> View/Customize
> Uncheck everything but Console Tree.
> File/Options
> Choose Console Mode: User mode: Limited Access, single window
> Check: Do not Save Changes to this console
> Uncheck: Allow the user to customize views
> Save it.
> Logon as a test user delegated whatever perms to do on those users and test it.
>
> If you want to eliminate the rt-clicking on a user account, uncheck the Console Tree above and change the console view by rt-clicking on the OU, choose New Task View, and choose a vertical or horizontal list, then choose to create a new task, menu command, highlight a user account, choose reset password, or anything else in the right column, choose an icon, and finish.
>
> Copy the MSC file via a UNC connected to the delegated person's workstation's Doc and Settings\username\desktop folder.
>
> Then copy over two DLL files to their system32 folder:
>
> adprop.dll (for object properties)
> dsadmin.dll (ability to alter object properties)
> dsprop.dll (for object properties related to directory services)
>
> (All three of these are needed on a 2003 DC or the ADUC won't open. However, on a client machine, you only need two. If I were to allow users to change passwords and create a custom MMC for just that OU, then all I need is adprop.dll and dsadmin.dll).
>
> Then I use PSEXEC to regsvr32 them into their machines. Then email them or call them and tell them to get off their butts and get working...
>
> Ace

#6
Re: Prevent Domain Users From Browsing Around in Active Directory?

In news:BE04F0BA-E646-43A8-9972-1862743FE207@microsoft.com, Mygposts <Mygposts@discussions.microsoft.com>, posted the following:

> Unfortunately, that did not work. The user can still right click on empty space, select VIEW, ADVANCED FEATURES and they are no longer stuck in the OU. They are popped back out at the root of the domain where they may get lost or browse around nosily. I am not worried about them right clicking on objects in the OU they are assigned, but I need to force them to stay in that OU.

Are you sure you followed each step? The steps and settings I outlined are designed to remove the View option in the menu. You may have missed a step. Possibly this step?

View/Customize
Uncheck everything but Console Tree.

Otherwise, when I saved it and opened it, I had the ability to right click as anyone can in ADUC, and that is based on the ADUC. The MMC instructions just minimize and control view, but the ADUC has its own context, and I'm not sure if you can change that in the DLLs.

Here's a link on it. But I gave more details with additional info about the DLLs.

How To Create Custom MMC Snap-in Tools Using Microsoft Management
http://support.microsoft.com/kb/230263

Ace

#7
Re: Prevent Domain Users From Browsing Around in Active Directory?

Yes, those instructions removed the View option from the top menu, but that is not enough because that is not the only place it exists. There is another View option when you right click on empty space that has the option (View, Advanced Features) that is not removed. When the user selects that option, they are automatically moved to the root of the forest.

This is the problem that remains unsolved.

"Ace Fekay [Microsoft Certified Trainer]" wrote:

> In news:BE04F0BA-E646-43A8-9972-1862743FE207@microsoft.com, Mygposts <Mygposts@discussions.microsoft.com>, posted the following:
>
> > Unfortunately, that did not work. The user can still right click on empty space, select VIEW, ADVANCED FEATURES and they are no longer stuck in the OU. They are popped back out at the root of the domain where they may get lost or browse around nosily. I am not worried about them right clicking on objects in the OU they are assigned, but I need to force them to stay in that OU.
>
> Are you sure you followed each step? The steps and settings I outlined are designed to remove the View option in the menu. You may have missed a step. Possibly this step?
>
> View/Customize
> Uncheck everything but Console Tree.
>
> Otherwise, when I saved it and opened it, I had the ability to right click as anyone can in ADUC, and that is based on the ADUC. The MMC instructions just minimize and control view, but the ADUC has its own context, and I'm not sure if you can change that in the DLLs.
>
> Here's a link on it. But I gave more details with additional info about the DLLs.
>
> How To Create Custom MMC Snap-in Tools Using Microsoft Management
> http://support.microsoft.com/kb/230263
>
> Ace

#8
Re: Prevent Domain Users From Browsing Around in Active Directory?

In news:55DA2251-4ED4-4F57-9C8D-89DB0C62F400@microsoft.com, Mygposts <Mygposts@discussions.microsoft.com>, posted the following:

> Yes, those instructions removed the View option from the top menu, but that is not enough because that is not the only place it exists. There is another View option when you right click on empty space that has the option (View, Advanced Features) that is not removed. When the user selects that option, they are automatically moved to the root of the forest.
>
> This is the problem that remains unsolved.

Sorry to hear that. I do not have a resolution for that. Maybe someone else can offer some info on this aspect of it.

Ace

#9
Re: Prevent Domain Users From Browsing Around in Active Directory?

any authenticated user can browse the AD

--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

Jorge de Almeida Pinto
MVP Identity & Access - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!

"Mygposts" <Mygposts@discussions.microsoft.com> wrote in message news:FB9B6751-DC89-45B6-9FD1-AAC714C8ECED@microsoft.com...

> I set up a custom Taskpad for users that had a need to edit description fields for computer accounts in certain OUs. It seemed fine until I noticed it was pretty easy to accidentally or purposefully break out of their assigned OU in the Taskpad view and end up browsing the entire directory structure. Even though I removed most of the menus and toolbars, all they have to do is right click to get around this.
>
> I also noticed that if any domain user downloads and installs the Active Directory Users and Computers tool on their XP machine, they can view the entire Active Directory structure when they have no business doing that.
>
> Is there any way to block random domain users from browsing around in AD without the restriction causing problems with their needed permissions for authentication or changing their passwords?
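Jorge's one-line answer is the crux of the thread: the console is only a viewer, and the ability to see the tree comes from read permissions in the directory itself. The following is an added example, not Jorge's or the thread's own code, that lists the ACEs on the domain naming context (and optionally on one OU) which grant read or list rights to Everyone, Authenticated Users or Pre-Windows 2000 Compatible Access, using the RSAT ActiveDirectory module. The OU distinguished name in the commented-out call is a placeholder.

```powershell
# Added example (not from the thread): report which broad principals hold read or
# list rights on a directory object. This is the access that lets any domain
# user browse the tree from ADUC, a custom MMC, or any other LDAP client.
Import-Module ActiveDirectory

# Constructed lookup table of well-known SIDs for the broad principals of interest
$BroadPrincipals = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-554' = 'Pre-Windows 2000 Compatible Access'
}

# Rights that let a principal enumerate and read objects under a container
$ReadBits = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
            [int][System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
            [int][System.DirectoryServices.ActiveDirectoryRights]::ListObject

function Get-BroadReadAccess {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        try {
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            continue   # identity that cannot be translated; not one of the principals above
        }
        if (-not $BroadPrincipals.ContainsKey($sid)) { continue }
        if (([int]$ace.ActiveDirectoryRights -band $ReadBits) -eq 0) { continue }

        # An empty GUID means the ACE covers every attribute / every object class
        $attribute = if ($ace.ObjectType -eq [guid]::Empty) { '(all attributes)' } else { $ace.ObjectType.ToString() }
        $appliesTo = if ($ace.InheritedObjectType -eq [guid]::Empty) { '(all classes)' } else { $ace.InheritedObjectType.ToString() }

        [pscustomobject]@{
            Object      = $DistinguishedName
            Principal   = $BroadPrincipals[$sid]
            Rights      = $ace.ActiveDirectoryRights
            Attribute   = $attribute
            AppliesTo   = $appliesTo
            Inheritance = $ace.InheritanceType
            Inherited   = $ace.IsInherited
        }
    }
}

# The members of Pre-Windows 2000 Compatible Access decide how far its ACEs reach.
# A member DN of the form CN=S-1-5-11,CN=ForeignSecurityPrincipals,... is Authenticated Users.
function Get-PreWin2kCompatibleMembers {
    (Get-ADGroup -Identity 'S-1-5-32-554' -Properties member).member
}

# Usage: the domain head first, then any OU a console is pinned to (placeholder DN).
$domainDn = (Get-ADDomain).DistinguishedName
Get-BroadReadAccess -DistinguishedName $domainDn | Format-Table -AutoSize
Get-PreWin2kCompatibleMembers
# Get-BroadReadAccess -DistinguishedName 'OU=Workstations,OU=Site1,DC=example,DC=com' | Format-Table -AutoSize
```

On an OU the same entries usually show up with Inherited set to True, which is why nothing done in the MMC changes what a user can see. Removing these entries is not the answer: clients depend on directory reads for logon, Group Policy retrieval and address lookups, so the workable posture is to accept directory-wide read and keep write delegations as narrow as possible.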