How to disable the use of adminpak.msi?

Archived from groups: microsoft.public.win2000.security (More info?)

Once a user computer install "adminpak.msi" and joined a domain, And then he logon as domain user and run the "Active Directory Users and Groups" and other AD utilities, he could be able to view the AD contents such as all Servers, all Account Information, all Group Policies, ...?

Other than restrict the users to install the adminpak.msi and use the AD utilties in his computer, how I could set in AD to restrict or disable the users to read the AD contents?
4 answers Last reply
More about disable adminpak
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    You can always set ACLs on objects that you don't want the user to see in
    AD. But be careful as users likely do need to see some level of information
    in AD, otherwise applications and services won't work.

    --


    David B. Cross [MS]

    --
    This posting is provided "AS IS" with no warranties, and confers no rights.

    http://support.microsoft.com

    "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
    news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
    >
    > Once a user computer install "adminpak.msi" and joined a domain, And then
    he logon as domain user and run the "Active Directory Users and Groups" and
    other AD utilities, he could be able to view the AD contents such as all
    Servers, all Account Information, all Group Policies, ...?
    >
    > Other than restrict the users to install the adminpak.msi and use the AD
    utilties in his computer, how I could set in AD to restrict or disable the
    users to read the AD contents?
    >
    >
    >
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    A regular user can "see" items in AD but will not be able to do anything such as
    modify/create objects with restricted permissions. You can set permissions on AD
    objects much like ntfs permissions however if a user does not have access to
    some objects, then they will not be able to change their password or have Group
    Policy applied to them. I would not restrict access to the domain container,
    domain controllers container, or the container/OU where their user account
    resides. You could for instance remove all their permissions from an OU that
    their account is not in, nor need access to anything in it. There is also a
    Group Policy setting under user configuration/administrative
    templates/desktop/active directory - hide active directory folder that may help
    restrict casual browsing of AD. --- Steve


    "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
    news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
    >
    > Once a user computer install "adminpak.msi" and joined a domain, And then he
    logon as domain user and run the "Active Directory Users and Groups" and other
    AD utilities, he could be able to view the AD contents such as all Servers, all
    Account Information, all Group Policies, ...?
    >
    > Other than restrict the users to install the adminpak.msi and use the AD
    utilties in his computer, how I could set in AD to restrict or disable the users
    to read the AD contents?
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    If there is a security loophole in AD? If a user know which users belonged to Domain Admins or Administrators, he could try to just hack the password for those Administrators to be able to get full access rights. In addition, he also know whole domain information, such as user personal information, group policies applied to different groups, OUs, which server is domain controllers, ..., etc.

    Why a normal domain users could access to AD tree?


    "Steven Umbach" wrote:

    > A regular user can "see" items in AD but will not be able to do anything such as
    > modify/create objects with restricted permissions. You can set permissions on AD
    > objects much like ntfs permissions however if a user does not have access to
    > some objects, then they will not be able to change their password or have Group
    > Policy applied to them. I would not restrict access to the domain container,
    > domain controllers container, or the container/OU where their user account
    > resides. You could for instance remove all their permissions from an OU that
    > their account is not in, nor need access to anything in it. There is also a
    > Group Policy setting under user configuration/administrative
    > templates/desktop/active directory - hide active directory folder that may help
    > restrict casual browsing of AD. --- Steve
    >
    >
    > "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
    > news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
    > >
    > > Once a user computer install "adminpak.msi" and joined a domain, And then he
    > logon as domain user and run the "Active Directory Users and Groups" and other
    > AD utilities, he could be able to view the AD contents such as all Servers, all
    > Account Information, all Group Policies, ...?
    > >
    > > Other than restrict the users to install the adminpak.msi and use the AD
    > utilties in his computer, how I could set in AD to restrict or disable the users
    > to read the AD contents?
    > >
    > >
    > >
    >
    >
    >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    I don't consider it a security loophole. AD is supposed to be available for users to
    find resources which may include who the administrators are. If you don't want
    someone to see the administrators in AD then put the admin accounts in their own OU
    and do not give users/everyone any permissions to that OU and they will not be able
    to see them. Also administrators and all users need to use complex passwords and any
    administrator that cares about security would have auditing of account logon events,
    logon events, and account management enabled and have an account lockout policy that
    has a lockout threshold of no less than ten bad attempts. It would be very obvious
    when a user on the lan would be trying to hack an administrators account which would
    get that user fired and escorted to the door by security in most businesses. ---
    Steve


    "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
    news:812A5A7C-2ED1-436E-AAF8-F39720187AB7@microsoft.com...
    >
    > If there is a security loophole in AD? If a user know which users belonged to
    Domain Admins or Administrators, he could try to just hack the password for those
    Administrators to be able to get full access rights. In addition, he also know
    whole domain information, such as user personal information, group policies applied
    to different groups, OUs, which server is domain controllers, ..., etc.
    >
    > Why a normal domain users could access to AD tree?
    >
    >
    >
    >
    > "Steven Umbach" wrote:
    >
    > > A regular user can "see" items in AD but will not be able to do anything such as
    > > modify/create objects with restricted permissions. You can set permissions on AD
    > > objects much like ntfs permissions however if a user does not have access to
    > > some objects, then they will not be able to change their password or have Group
    > > Policy applied to them. I would not restrict access to the domain container,
    > > domain controllers container, or the container/OU where their user account
    > > resides. You could for instance remove all their permissions from an OU that
    > > their account is not in, nor need access to anything in it. There is also a
    > > Group Policy setting under user configuration/administrative
    > > templates/desktop/active directory - hide active directory folder that may help
    > > restrict casual browsing of AD. --- Steve
    > >
    > >
    > > "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
    > > news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
    > > >
    > > > Once a user computer install "adminpak.msi" and joined a domain, And then he
    > > logon as domain user and run the "Active Directory Users and Groups" and other
    > > AD utilities, he could be able to view the AD contents such as all Servers, all
    > > Account Information, all Group Policies, ...?
    > > >
    > > > Other than restrict the users to install the adminpak.msi and use the AD
    > > utilties in his computer, how I could set in AD to restrict or disable the users
    > > to read the AD contents?
    > > >
    > > >
    > > >
    > >
    > >
    > >
Ask a new question

Read More

Computers Windows MSI-Microstar