View whole AD with adminpak.msi

Guest
Archived from groups: microsoft.public.win2000.security

How could I restrict a normal domain user, after he has installed "adminpak.msi" on his workstation and run "Active Directory Management", from having a casual view of all AD contents?

I have tried to apply Local Group Policy (user configuration/administrative templates/desktop/active directory - hide active directory folder), which still does not work to restrict this normal user from seeing AD contents. This normal user could also run "Group Policy Management" to check for loopholes that he could use to bypass them?

This is because the AD contents are very sensitive, including personal information and also company policies related to special groups of people.
 
Guest

You can't stop people from looking at AD unless you secure AD itself. This can
be fun because you can quickly break things. The thing is that adminpak is just
one of many, many tools for looking at AD, so trying to block those tools is
pretty unhelpful if the people truly want to get in. GPOs are especially fun
because you can simply open the GPO text files in sysvol and look directly at
them if you want. They have to be readable to the user or else the user can't
apply them.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net



Ivan Tsui wrote:
> How could I restrict a normal domain user, after he has installed "adminpak.msi" on his workstation and run "Active Directory Management", from having a casual view of all AD contents?
>
> I have tried to apply Local Group Policy (user configuration/administrative templates/desktop/active directory - hide active directory folder), which still does not work to restrict this normal user from seeing AD contents. This normal user could also run "Group Policy Management" to check for loopholes that he could use to bypass them?
>
> This is because the AD contents are very sensitive, including personal information and also company policies related to special groups of people.
>
>
 
Guest

Sorry that I don't understand how to "secure AD" itself ...

"Joe Richards [MVP]" wrote:

> You can't stop people from looking at AD unless you secure AD itself. This can
> be fun because you can quickly break things. The thing is that adminpak is just
> one of many, many tools for looking at AD, so trying to block those tools is
> pretty unhelpful if the people truly want to get in. GPOs are especially fun
> because you can simply open the GPO text files in sysvol and look directly at
> them if you want. They have to be readable to the user or else the user can't
> apply them.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
>
> Ivan Tsui wrote:
> > How could I restrict a normal domain user, after he has installed "adminpak.msi" on his workstation and run "Active Directory Management", from having a casual view of all AD contents?
> >
> > I have tried to apply Local Group Policy (user configuration/administrative templates/desktop/active directory - hide active directory folder), which still does not work to restrict this normal user from seeing AD contents. This normal user could also run "Group Policy Management" to check for loopholes that he could use to bypass them?
> >
> > This is because the AD contents are very sensitive, including personal information and also company policies related to special groups of people.
> >
> >
>
 
Guest

This is the AD delegation whitepaper and appendix. Read them both in their
entirety to start.


http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Ivan Tsui wrote:
> Sorry that I don't understand how to "secure AD" itself ...
>
> "Joe Richards [MVP]" wrote:
>
>
>>You can't stop people from looking at AD unless you secure AD itself. This can
>>be fun because you can quickly break things. The thing is that adminpak is just
>>one of many, many tools for looking at AD, so trying to block those tools is
>>pretty unhelpful if the people truly want to get in. GPOs are especially fun
>>because you can simply open the GPO text files in sysvol and look directly at
>>them if you want. They have to be readable to the user or else the user can't
>>apply them.
>>
>>--
>>Joe Richards Microsoft MVP Windows Server Directory Services
>>www.joeware.net
>>
>>
>>
>>Ivan Tsui wrote:
>>
>>>How could I restrict a normal domain user, after he has installed "adminpak.msi" on his workstation and run "Active Directory Management", from having a casual view of all AD contents?
>>>
>>>I have tried to apply Local Group Policy (user configuration/administrative templates/desktop/active directory - hide active directory folder), which still does not work to restrict this normal user from seeing AD contents. This normal user could also run "Group Policy Management" to check for loopholes that he could use to bypass them?
>>>
>>>This is because the AD contents are very sensitive, including personal information and also company policies related to special groups of people.
>>>
>>>
>>
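
Added example, not part of the original thread: the replies above say visibility is decided by the permissions on the AD objects themselves, not by which tool is installed. This Python sketch reads an object's security descriptor in SDDL form and lists the allow ACEs that give read-type rights to groups every domain user belongs to; the function names, the sample SDDL string and the GUID in it are constructed for illustration.

```python
import re

# SDDL aliases for groups that every ordinary domain user falls into.
BROAD_TRUSTEES = {
    "WD": "Everyone", "AU": "Authenticated Users",
    "RU": "Pre-Windows 2000 Compatible Access", "DU": "Domain Users",
}
# Directory rights that let the trustee see data, with their access-mask bits.
READ_BITS = {"RP": 0x10, "LC": 0x4, "LO": 0x80,
             "GR": 0x80000000, "GA": 0x10000000}

def read_rights(field):
    """Return the read-type rights in an SDDL rights field (codes or hex mask)."""
    if field.lower().startswith("0x"):
        mask = int(field, 16)
        return [code for code, bit in READ_BITS.items() if mask & bit]
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    return [code for code in codes if code in READ_BITS]

def broad_read_aces(sddl):
    """List allow ACEs that give read-type rights to a broad group."""
    findings = []
    for body in re.findall(r"\(([^()]*)\)", sddl):
        parts = body.split(";")
        if len(parts) < 6:
            continue
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = parts[:6]
        # A / OA are allow ACEs; deny (D, OD) and audit (AU, OU) types are skipped.
        if ace_type not in ("A", "OA") or trustee not in BROAD_TRUSTEES:
            continue
        granted = read_rights(rights)
        if granted:
            flag_codes = [flags[i:i + 2] for i in range(0, len(flags), 2)]
            findings.append({"trustee": BROAD_TRUSTEES[trustee],
                             "rights": granted,
                             "object_guid": obj_guid or None,  # None = not scoped
                             "inherited": "ID" in flag_codes})
    return findings

# Constructed sample descriptor (placeholder GUID), not taken from a real domain.
SAMPLE_SDDL = (
    "O:DAG:DAD:AI(A;;GA;;;DA)(A;CIID;RPLCLORC;;;AU)"
    "(OA;CI;RP;11111111-2222-3333-4444-555555555555;;RU)(D;;RP;;;WD)"
    "(A;;0x94;;;DU)S:AI(AU;SA;WP;;;WD)"
)

if __name__ == "__main__":
    for finding in broad_read_aces(SAMPLE_SDDL):
        print(finding)
```

Entries marked inherited come from a parent container, so they have to be changed where they are set; as the reply above warns, removing read access for these groups can quickly break things.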