View whole AD with adminpak.msi

Archived from groups: microsoft.public.win2000.security

How could I restrict a normal domain user who has installed "adminpak.msi" on his workstation and runs "Active Directory Management" from casually viewing all AD contents?

I have tried to apply Local Group Policy (User Configuration/Administrative Templates/Desktop/Active Directory - Hide Active Directory folder), which still does not restrict this normal user from seeing AD contents. This normal user could run "Group Policy Management" to check for loopholes by which he could bypass them?

It is because the AD contents are very sensitive, including personal information and company policies related to special groups of people.
  1. Archived from groups: microsoft.public.win2000.security

    You can't stop people from looking at AD unless you secure AD itself. This can
    be fun because you can quickly break things. The thing is that adminpak is just
    one of many, many tools for looking at AD, so trying to block those tools is
    pretty unhelpful if the people truly want to get in. GPOs are especially fun
    because you can simply open the GPO text files in SYSVOL and look directly at
    them if you want. They have to be readable to the user or else the user can't
    apply them.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Ivan Tsui wrote:
    > How could I restrict a normal domain user who has installed "adminpak.msi" on his workstation and runs "Active Directory Management" from casually viewing all AD contents?
    >
    > I have tried to apply Local Group Policy (User Configuration/Administrative Templates/Desktop/Active Directory - Hide Active Directory folder), which still does not restrict this normal user from seeing AD contents. This normal user could run "Group Policy Management" to check for loopholes by which he could bypass them?
    >
    > It is because the AD contents are very sensitive, including personal information and company policies related to special groups of people.
    >
    >
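
What adminpak or any other LDAP client can display is decided by the ACL on each directory object, so "securing AD itself" starts with finding which objects grant read access to principals that contain every ordinary user. The following is an added example, not part of the original thread: it scans an object's security descriptor in SDDL form for such entries. The function name, both SDDL strings, the SID and the GUID are constructed, and rights are assumed to be written as two-letter mnemonics rather than hex masks.

```python
import re

# SDDL aliases for principals that contain every ordinary domain user.
BROAD = {"AU": "Authenticated Users", "WD": "Everyone",
         "DU": "Domain Users", "RU": "Pre-Windows 2000 Compatible Access"}
# Directory-service access rights that disclose object data.
READ = {"RP": "read property", "LC": "list children", "LO": "list object",
        "GR": "generic read", "GA": "generic all"}

def broad_read_aces(sddl):
    """List allow ACEs in the DACL that let a broad principal read the object."""
    dacl = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    findings = []
    if not dacl:
        return findings
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1)):
        # ACE fields: type;flags;rights;object GUID;inherit GUID;trustee SID
        ace_type, _flags, rights, obj_guid, _inherit, sid = ace.split(";")[:6]
        if ace_type not in ("A", "OA") or sid not in BROAD:
            continue  # deny ACEs and named groups are not the exposure here
        codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
        granted = [READ[c] for c in codes if c in READ]
        if granted:
            findings.append((BROAD[sid], granted, obj_guid or "all properties"))
    return findings

# Constructed SDDL strings for a hypothetical OU (not taken from a real domain).
DEFAULT_LIKE = (
    "O:DAG:DAD:AI"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"   # Domain Admins: full control
    "(A;CI;RPLCLORC;;;AU)"                   # Authenticated Users: read everything
    "(OA;CI;RP;00000000-0000-0000-0000-000000000001;;RU)"  # placeholder GUID
)
RESTRICTED = (
    "O:DAG:DAD:PAI"
    "(A;CI;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
    # Read access for one named group only (constructed SID).
    "(A;CI;RPLCLORC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"
)

if __name__ == "__main__":
    for name, sddl in (("default-like", DEFAULT_LIKE), ("restricted", RESTRICTED)):
        print(name, broad_read_aces(sddl) or "no broad read access")
```
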
  2. Archived from groups: microsoft.public.win2000.security

    Sorry that I don't understand how to "secure AD" itself ...

    "Joe Richards [MVP]" wrote:

    > You can't stop people from looking at AD unless you secure AD itself. This can
    > be fun because you can quickly break things. The thing is that adminpak is just
    > one of many, many tools for looking at AD, so trying to block those tools is
    > pretty unhelpful if the people truly want to get in. GPOs are especially fun
    > because you can simply open the GPO text files in SYSVOL and look directly at
    > them if you want. They have to be readable to the user or else the user can't
    > apply them.
    >
    > --
    > Joe Richards Microsoft MVP Windows Server Directory Services
    > www.joeware.net
  3. Archived from groups: microsoft.public.win2000.security

    This is the AD delegation whitepaper and appendix. Read them both in their
    entirety to start.


    http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

    http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en


    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    www.joeware.net


    Ivan Tsui wrote:
    > Sorry that I don't understand how to "secure AD" itself ...