Sign in with
Sign up | Sign in
Your question

How to disable the use of adminpak.msi?

Last response: in Windows 2000/NT
Share
Anonymous
July 9, 2004 3:30:01 AM

Archived from groups: microsoft.public.win2000.security (More info?)

Once a user computer install "adminpak.msi" and joined a domain, And then he logon as domain user and run the "Active Directory Users and Groups" and other AD utilities, he could be able to view the AD contents such as all Servers, all Account Information, all Group Policies, ...?

Other than restrict the users to install the adminpak.msi and use the AD utilties in his computer, how I could set in AD to restrict or disable the users to read the AD contents?

More about : disable adminpak msi

Anonymous
July 9, 2004 9:19:49 AM

Archived from groups: microsoft.public.win2000.security (More info?)

You can always set ACLs on objects that you don't want the user to see in
AD. But be careful as users likely do need to see some level of information
in AD, otherwise applications and services won't work.

--


David B. Cross [MS]

--
This posting is provided "AS IS" with no warranties, and confers no rights.

http://support.microsoft.com

"Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
>
> Once a user computer install "adminpak.msi" and joined a domain, And then
he logon as domain user and run the "Active Directory Users and Groups" and
other AD utilities, he could be able to view the AD contents such as all
Servers, all Account Information, all Group Policies, ...?
>
> Other than restrict the users to install the adminpak.msi and use the AD
utilties in his computer, how I could set in AD to restrict or disable the
users to read the AD contents?
>
>
>
Anonymous
July 9, 2004 6:32:56 PM

Archived from groups: microsoft.public.win2000.security (More info?)

A regular user can "see" items in AD but will not be able to do anything such as
modify/create objects with restricted permissions. You can set permissions on AD
objects much like ntfs permissions however if a user does not have access to
some objects, then they will not be able to change their password or have Group
Policy applied to them. I would not restrict access to the domain container,
domain controllers container, or the container/OU where their user account
resides. You could for instance remove all their permissions from an OU that
their account is not in, nor need access to anything in it. There is also a
Group Policy setting under user configuration/administrative
templates/desktop/active directory - hide active directory folder that may help
restrict casual browsing of AD. --- Steve


"Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
>
> Once a user computer install "adminpak.msi" and joined a domain, And then he
logon as domain user and run the "Active Directory Users and Groups" and other
AD utilities, he could be able to view the AD contents such as all Servers, all
Account Information, all Group Policies, ...?
>
> Other than restrict the users to install the adminpak.msi and use the AD
utilties in his computer, how I could set in AD to restrict or disable the users
to read the AD contents?
>
>
>
Related resources
Anonymous
July 9, 2004 10:31:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

If there is a security loophole in AD? If a user know which users belonged to Domain Admins or Administrators, he could try to just hack the password for those Administrators to be able to get full access rights. In addition, he also know whole domain information, such as user personal information, group policies applied to different groups, OUs, which server is domain controllers, ..., etc.

Why a normal domain users could access to AD tree?




"Steven Umbach" wrote:

> A regular user can "see" items in AD but will not be able to do anything such as
> modify/create objects with restricted permissions. You can set permissions on AD
> objects much like ntfs permissions however if a user does not have access to
> some objects, then they will not be able to change their password or have Group
> Policy applied to them. I would not restrict access to the domain container,
> domain controllers container, or the container/OU where their user account
> resides. You could for instance remove all their permissions from an OU that
> their account is not in, nor need access to anything in it. There is also a
> Group Policy setting under user configuration/administrative
> templates/desktop/active directory - hide active directory folder that may help
> restrict casual browsing of AD. --- Steve
>
>
> "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
> news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
> >
> > Once a user computer install "adminpak.msi" and joined a domain, And then he
> logon as domain user and run the "Active Directory Users and Groups" and other
> AD utilities, he could be able to view the AD contents such as all Servers, all
> Account Information, all Group Policies, ...?
> >
> > Other than restrict the users to install the adminpak.msi and use the AD
> utilties in his computer, how I could set in AD to restrict or disable the users
> to read the AD contents?
> >
> >
> >
>
>
>
Anonymous
July 10, 2004 10:49:20 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I don't consider it a security loophole. AD is supposed to be available for users to
find resources which may include who the administrators are. If you don't want
someone to see the administrators in AD then put the admin accounts in their own OU
and do not give users/everyone any permissions to that OU and they will not be able
to see them. Also administrators and all users need to use complex passwords and any
administrator that cares about security would have auditing of account logon events,
logon events, and account management enabled and have an account lockout policy that
has a lockout threshold of no less than ten bad attempts. It would be very obvious
when a user on the lan would be trying to hack an administrators account which would
get that user fired and escorted to the door by security in most businesses. ---
Steve


"Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
news:812A5A7C-2ED1-436E-AAF8-F39720187AB7@microsoft.com...
>
> If there is a security loophole in AD? If a user know which users belonged to
Domain Admins or Administrators, he could try to just hack the password for those
Administrators to be able to get full access rights. In addition, he also know
whole domain information, such as user personal information, group policies applied
to different groups, OUs, which server is domain controllers, ..., etc.
>
> Why a normal domain users could access to AD tree?
>
>
>
>
> "Steven Umbach" wrote:
>
> > A regular user can "see" items in AD but will not be able to do anything such as
> > modify/create objects with restricted permissions. You can set permissions on AD
> > objects much like ntfs permissions however if a user does not have access to
> > some objects, then they will not be able to change their password or have Group
> > Policy applied to them. I would not restrict access to the domain container,
> > domain controllers container, or the container/OU where their user account
> > resides. You could for instance remove all their permissions from an OU that
> > their account is not in, nor need access to anything in it. There is also a
> > Group Policy setting under user configuration/administrative
> > templates/desktop/active directory - hide active directory folder that may help
> > restrict casual browsing of AD. --- Steve
> >
> >
> > "Ivan Tsui" <IvanTsui@discussions.microsoft.com> wrote in message
> > news:A39E5C52-DFC9-41CA-8391-40885F5DE77D@microsoft.com...
> > >
> > > Once a user computer install "adminpak.msi" and joined a domain, And then he
> > logon as domain user and run the "Active Directory Users and Groups" and other
> > AD utilities, he could be able to view the AD contents such as all Servers, all
> > Account Information, all Group Policies, ...?
> > >
> > > Other than restrict the users to install the adminpak.msi and use the AD
> > utilties in his computer, how I could set in AD to restrict or disable the users
> > to read the AD contents?
> > >
> > >
> > >
> >
> >
> >
!