ADUC - "Hidden" User

hunterdw

Technical User
Oct 25, 2002
US
Howdy.

We have a user in our system that is "hidden" inside the standard ADUC window. I scroll down to the OU where the user is, and he isn't there.

If I right-click at the domain level and "find" - there he is.

If I right-click at the OU level and "find" - there he is too.

When just scrolling through ADUC - he's not there.

When I logon as him, and do a "gpresult" to verify what OU he is in and what GPO he is using, it definitely shows him in the right OU.

How can I view him inside ADUC without having to "find" him every time?

--DW
 
Is it possible that the user was moved but it failed and so the account has ended up in the lost and found container?
 
Just a guess

The Lost And Found container can be viewed in the Active Directory Users and Computers snap-in when the Advanced View menu option is selected.
 
not in Lost & found

however, I actually see the person when I turn on advanced view

but when in "normal" view, the user isn't there

any other ideas?
 
Here's the LDAP info...

I have a domain

each of my campuses has an OU

inside each campus OU I create Campus Users and Campus Computers

Inside each of those I put the users and computers (respectively)

When I go to advanced view and look at the Campus Users OU, I see 11 objects.

Normal view, I see 10 objects. He just bloody disappears

The right info shows when logged on as the user using "gpresult" and in ADUC when I see the user, properties, and look at the object tab, I see the right canonical info...

"domain"/SOC Campus/SOC Users/"user"

very strange
 
I have this happening with a second user now

--DW
 
I don't know if this thread will provide any insight but it might be worth a look.


Is it possible to create functional hidden accounts in AD?


Not exactly (at least through the UI). While there is a procedure that will
*almost* allow you to hide an account even from other administrators, the
problem is that there is a little glitch in AD that lets you get around
this.


Here's the procedure (copied and pasted from a post I made to a newsgroup on
this subject):


Create a user.
Name him Jim Bob Billy Joe (okay, name him whatever you want).
Make Jim Bob Billy Joe a member of domain admins.
Create another user.
Name him Jack Schmoe.
Make Jack Schmoe a member of domain admins, as well.
As Jack Schmoe, open ADU&C.
In ADU&C, create an OU called Mine All Mine.
Right-click on the Mine All Mine OU.
Deselect permissions inheritance.
Copy existing permissions when prompted.
Remove all entries from the ACL except System and other computer-related
entries.
Add Jack Schmoe to the ACL.
Give Jack Schmoe full control permissions to the OU.
Add Jim Bob Billy Joe to the ACL.
Deny Jim Bob Billy Joe all permissions to the OU.
Create a new user in the Mine All Mine OU.
Name the user Hidden User (or whatever).
Right-click on Hidden User and bring up the properties of the object.
Perform the same procedures on the user object as you did on the OU
object (although you won't actually have to do much of anything if you
create the user in the Mine All Mine OU in the first place as opposed to
moving the user there from another OU).
Run ADU&C as Jim Bob Billy Joe.
See weird OU named Mine All Mine.
Right-click weird OU and bring up the properties of the OU.
Note results.
Try to move the OU.
Note results.
Try to rename the OU.
Note results.
Try to delete the OU.
Note results.


So, this gives you the ability to "sort of" hide a user, but here's the
glitch:


If you right-click on an object in ADU&C to which you *do* have access,
bring up the properties and select the security tab, you will see the ACL
for that object. Click "Cancel." Then right click the hidden object
mentioned above. Note difference in results.


So, as far as the hidden accounts you've mentioned, I would suspect that
they were programmatically created. Do you have any information about them
other than that you believe they exist due to the error message in the app
you ran?


Thanks,


Laura A. Robinson
Technical Instructor/Consultant
MCT, MCSE, CLI, PCLP



 
Laura--

They weren't created programmatically. We don't use any fun scripts or anything. We don't even "copy" users. These were created from scratch by right-clicking, New... User...

There's no "error message" either.

I've noticed them because I've needed to make changes to their group membership and could not find the user unless I turn on advanced features of ADUC or do a "find" at the domain or OU level

--DW
 
Actually Laura wrote the article I referenced, sorry I didn't make that very clear :)
 
Got it. Found the answer. Actually not me, but someone in another group I'm a part of.

Install the Windows Support Tools (in the SUPPORT\TOOLS folder on your CD)

Run adsiedit.msc

Scroll through your OUs to the affected user, right-click and choose properties

Scroll to the showInAdvancedViewOnly option and check if it's set to TRUE

set it to FALSE

Problem solved

--DW
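
The check and fix described in the post above, scripted as an added example that is not part of the original thread: it lists every user object whose showInAdvancedViewOnly attribute is TRUE and can reset it to FALSE. It assumes the ActiveDirectory PowerShell module (RSAT) and sufficient rights on the objects; the function names Get-HiddenAdUser and Reset-HiddenAdUser are hypothetical.

```powershell
# Added example: audit for user objects hidden from the normal ADUC view.
# Assumes the ActiveDirectory module (RSAT) is installed; function names are hypothetical.
Import-Module ActiveDirectory

function Get-HiddenAdUser {
    param(
        # Optional OU or container DN to limit the search; defaults to the whole domain.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # Same attribute the thread inspects in adsiedit.msc, queried for every user at once.
    Get-ADUser -LDAPFilter '(showInAdvancedViewOnly=TRUE)' -SearchBase $SearchBase `
               -Properties showInAdvancedViewOnly, CanonicalName, whenChanged |
        Select-Object SamAccountName, CanonicalName, whenChanged, DistinguishedName
}

function Reset-HiddenAdUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        # ShouldProcess makes -WhatIf and -Confirm work, so the change can be previewed.
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Set showInAdvancedViewOnly to FALSE')) {
            Set-ADUser -Identity $DistinguishedName -Replace @{ showInAdvancedViewOnly = $false }
        }
    }
}

# Report the hidden users, then preview the fix without changing anything.
$hidden = Get-HiddenAdUser
$hidden | Format-Table -AutoSize
$hidden | Reset-HiddenAdUser -WhatIf
```

Drop -WhatIf on the last line to apply the change once the listed accounts have been reviewed.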
 
None. That's the Million Dollar question.
 