Restrict access to AD over LDAP

Anonymous
March 25, 2005 4:19:08 AM

Archived from groups: microsoft.public.win2000.active_directory

Hi all!

Is there any way to restrict LDAP access to AD (2003)? By default, any
authenticated user can read data in AD using LDAP - is there any way to
restrict users browsing AD using LDAP tools/VBScripts/etc? I can restrict
access to ADUC MMC snap-in, however LDAP tools still work...

Any suggestion will be appreciated!

Thanx!
--
R.V.


Anonymous
March 25, 2005 10:51:10 AM


2003 is more suited for your goals.

Check this out.
http://www.petri.co.il/anonymous_ldap_operations_in_win...



--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"Radovan Vojtek" <RadovanVojtek@discussions.microsoft.com> wrote in message
news:38391A6A-D164-4BA2-8708-F7582F5401F1@microsoft.com...
> Hi all!
>
> Is there any way to restrict LDAP access to AD (2003)? By default, any
> authenticated user can read data in AD using LDAP - is there any way to
> restrict users browsing AD using LDAP tools/VBScripts/etc? I can restrict
> access to ADUC MMC snap-in, however LDAP tools still work...
>
> Any suggestion will be appreciated!
>
> Thanx!
> --
> R.V.

Anonymous
March 25, 2005 10:51:11 AM


Paul, thanx for your answer! However, I need the "opposite way" - prevent
authenticated users from viewing AD. By default, all authenticated users can
read the whole AD - and this is a little bit wrong (IMHO) ;-)

Is it absolutely necessary to grant "Authenticated Users" read permission on
the whole AD?

Thanx,
R.V.

"Paul Bergson" wrote:

> 2003 is more suited for your goals.
>
> Check this out.
> http://www.petri.co.il/anonymous_ldap_operations_in_win...
>
>
Anonymous
March 25, 2005 11:10:06 AM


Yes that is where 2003 comes in, it blocks unauthenticated binds. 2000 does
not.

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"Radovan Vojtek" <RadovanVojtek@discussions.microsoft.com> wrote in message
news:1FD15D69-91C6-42A6-9A92-E11F7ED086FC@microsoft.com...
> Paul, thanx for your answer! However, I need the "opposite way" - prevent
> authenticated users from viewing AD. By default, all authenticated users can
> read the whole AD - and this is a little bit wrong (IMHO) ;-)
>
> Is it absolutely necessary to grant "Authenticated Users" read permission on
> the whole AD?
>
> Thanx,
> R.V.
>
> "Paul Bergson" wrote:
>
> > 2003 is more suited for your goals.
> >
> > Check this out.
> > http://www.petri.co.il/anonymous_ldap_operations_in_win...
> >
> >
>
Anonymous
March 25, 2005 11:12:56 AM


How can you authenticate if you can't attach to the AD? You can block
access to individual OUs via permissions. Just go to the OU, right-click
and permissions, etc...

--

Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.



"Radovan Vojtek" <RadovanVojtek@discussions.microsoft.com> wrote in message
news:1FD15D69-91C6-42A6-9A92-E11F7ED086FC@microsoft.com...
> Paul, thanx for your answer! However, I need the "opposite way" - prevent
> authenticated users from viewing AD. By default, all authenticated users can
> read the whole AD - and this is a little bit wrong (IMHO) ;-)
>
> Is it absolutely necessary to grant "Authenticated Users" read permission on
> the whole AD?
>
> Thanx,
> R.V.
>
> "Paul Bergson" wrote:
>
> > 2003 is more suited for your goals.
> >
> > Check this out.
> > http://www.petri.co.il/anonymous_ldap_operations_in_win...
> >
> >
>
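
A read-only audit of the per-OU permissions discussed in this thread, added here as an example and not posted by any participant: it lists, for every OU, the ACEs that give Authenticated Users read-type rights and whether each is set on the OU or inherited. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the function name `Get-OuReadAce` is hypothetical.

```powershell
# Added example (not from the thread). Read-only: it changes no permissions.
# Assumes the ActiveDirectory module, which provides the AD: drive for Get-Acl.
Import-Module ActiveDirectory

# Well-known SID of Authenticated Users; matching on the SID avoids
# depending on the localized display name.
$AuthUsersSid = 'S-1-5-11'

# Rights that expose directory data to an LDAP browse or search.
# GenericRead contains all three bits, so GenericRead ACEs match as well.
$ReadMask = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ListChildren, ListObject'

function Get-OuReadAce {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl = Get-Acl -Path "AD:\$DistinguishedName"

    # Ask for explicit and inherited rules with identities returned as SIDs.
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference.Value -eq $AuthUsersSid -and
            ($_.ActiveDirectoryRights -band $ReadMask) -ne 0
        } |
        Select-Object @{ n = 'OU'; e = { $DistinguishedName } },
                      AccessControlType,      # Allow or Deny
                      ActiveDirectoryRights,
                      IsInherited,            # True: the ACE comes from a parent container
                      ObjectType              # all-zero GUID: applies to every attribute
}

# Walk every OU in the current domain and report the matching ACEs.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-OuReadAce -DistinguishedName $_.DistinguishedName } |
    Sort-Object OU, IsInherited |
    Format-Table -AutoSize
```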