how to stop giving out account info?

Archived from groups: microsoft.public.win2000.security (More info?)

I was surprised to see that by just using My Network Places -> entire
network -> directory -> then right-clicking on the domain name and choosing
Find I could get so much account information! For instance even though I
renamed my admin account following good practices it's easy to see what it is
anyway by searching on 'admin'. You can see the account plus the
administrators group which you can double-click to see all the members of???
Any user can see all the groups and their membership. As well as all OUs
and what objects are in them. I guess since I am used to using the run box
and command prompt so often I have neglected to go see what regular users
may see.

How can I stop this? Although it's useful to be able to search AD like this
if you trust everyone.... nuff said. Trust no one. How do I stop publishing
secure information?

On a funny note: if you are a dope like me and did not know this was a
feature AND you named your OUs with names like 'AuditTheseFools' and
'IDontTrustTheseGuys' in order to link GPOs to them then you will be hoping
your users don't know about this feature either. hehe!

Any info would be greatly appreciated.
  1. There is a user configuration Group Policy you can implement to hide the
    directory folder. Go to user configuration/administrative
    templates/desktop/Active Directory to enable such. Note that will not stop
    users from searching AD by other means. You can also hide AD objects by
    managing the read permissions in their security properties. However this can
    be tricky. For instance users do need read permissions for the domain
    container, the container their account resides in, and I believe the domain
    controller container. If they do not have read permissions they will not be
    able to change their password and Group Policy user configuration will not
    apply to them. However if you have a container such as an Organizational
    Unit that users are not in, nor need to access anything in it, you can remove
    their read permissions from that OU. For instance you could have an OU with
    specific users having permissions to it and then remove authenticated
    users/everyone group permissions. Be sure to have a recent backup of the
    System State for a domain controller before messing with AD permissions just
    in case, though dsacls /s can be used to restore default permissions to AD
    objects. -- Steve

    http://support.microsoft.com/default.aspx?scid=kb;en-us;281146 -- dsacls
    syntax.
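
The approach Steve describes in the answer above, as an added example that is not part of the original posts: a PowerShell script that reports which OUs grant read access to broad groups, then runs the dsacls change against one OU. It assumes the ActiveDirectory RSAT module (which postdates this thread); `OU=Restricted,DC=example,DC=com` and `EXAMPLE\OU-Readers` are hypothetical placeholders.

```powershell
# Added example. Assumptions: ActiveDirectory RSAT module is installed; the OU DN
# and the EXAMPLE\OU-Readers group below are hypothetical placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

$BroadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)
# GenericRead = ReadControl + ListChildren + ReadProperty + ListObject
$ReadMask = [int][System.DirectoryServices.ActiveDirectoryRights]'GenericRead'

function Get-BroadReadAce {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    (Get-Acl -Path "AD:\$DistinguishedName").Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $BroadPrincipals -contains $_.IdentityReference.Value -and
            (([int]$_.ActiveDirectoryRights -band $ReadMask) -ne 0)
        } |
        Select-Object @{n='OU';e={$DistinguishedName}}, IdentityReference,
                      ActiveDirectoryRights, IsInherited
}

# 1. Audit: every OU where a broad group holds any read or list right.
#    ACEs with IsInherited = True come from a parent container and are not
#    removed by "dsacls /R" on the OU itself.
Get-ADOrganizationalUnit -Filter * |
    ForEach-Object { Get-BroadReadAce -DistinguishedName $_.DistinguishedName } |
    Sort-Object OU | Format-Table -AutoSize

# 2. Restrict one OU that ordinary users neither live in nor need to read.
$TargetOu = 'OU=Restricted,DC=example,DC=com'   # hypothetical
$Readers  = 'EXAMPLE\OU-Readers'                # hypothetical
$Apply    = $false   # set to $true only after a System State backup of a DC

dsacls $TargetOu | Out-File 'dsacls-before.txt'  # record of the ACL before the change
$steps = @(
    @($TargetOu, '/I:T', '/G', "${Readers}:GR"),            # grant read first
    @($TargetOu, '/R', 'NT AUTHORITY\Authenticated Users')  # then remove the broad ACEs
)
foreach ($s in $steps) {
    if ($Apply) { & dsacls @s } else { "would run: dsacls $($s -join ' ')" }
}

# 3. Verify: an empty result means no broad read ACE is left on the OU.
Get-BroadReadAce -DistinguishedName $TargetOu

# Rollback mentioned in the thread: reset the OU to the schema default ACL.
#   dsacls $TargetOu /S        (add /T to include child objects)
```

With `$Apply` left at `$false` the script only prints the dsacls commands it would run, so the audit output can be reviewed before any ACL is changed.
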
  2. Thanks Steve. By the way I'm curious. You answer a lot of my posts and are
    obviously very knowledgeable.
    1) Do you hold any certifications? If so, which ones?
    2) Are you paid to participate in these MS newsgroups? Meaning, do you work
    for Microsoft directly or indirectly to provide this kind of assistance to
    the general IT public?

    The reason I ask is NOT because I doubt any of the information you give but
    really just because I'm curious about different things that knowledgeable IT
    folk can get involved in and what kind of certification, if any, they
    typically have or require. Just poking around and what things I may like to
    become involved in in the future.

    Thanks,
    -djc
  3. Hi Djc.

    Yes I hold some certifications. I am an A+ computer technician, an MCSE in
    Windows NT4.0 and Windows 2000, and an MCSA in Windows 2003.

    I am not paid to participate in newsgroups. I do it for fun, for learning,
    and the satisfaction of helping others where I can. My only affiliation with
    Microsoft is that I am an MVP in Windows Security. For more information on
    the Microsoft MVP program see the link below.

    http://mvp.support.microsoft.com/

    Certifications are a good way to show that you have a basic level of
    knowledge for a product or technology. To pursue an MCSE you are forced to
    learn and study many aspects of the operating system for wide based
    knowledge of it IF you do it for the purpose of learning it because you
    want to learn it and be good at it and not to just have the
    certification. --- Steve
  4. OK. Thanks for the info Steve. And thanks for all the help!
    -djc