CitizenBleys
Programmer
I'm working on a case study project where the employer is a spy organization. I have to build a high-security forest in which the Information Services department (read: network administrators) and the Big Three group (the employer; sort of like a board of directors) have full access to every resource in the domain.
The exception to this is that we have to hide the IS department so that the Big Three don't know that we have access to their files ^^
Now, as I understand it, it's possible to use a GPO in order to hide an OU within Active Directory, but I'm unable to find the GPO setting that does this. Can anybody help me out?
(Yes, I've tried denying the Big Three group Read access to the OU--which works, to a certain extent. The OUs don't show up like folders in Active Directory Users and Computers when I'm logged in as one of the Big Three, but if I click on the domain root in the left pane, there's an IS object in the right pane with the default "I don't know what this is" Windows icon, and if you try to view its properties, every page says access denied. The project's goal, however, is that the Big Three shouldn't even be able to find out that we exist in the first place.)
The Big Three aren't technical users, so doing stuff like hiding the Security tab is an option--if they don't see it, they won't know it's supposed to be there.
Right now, there's only one domain, but we plan to implement subdomains later, so the network admins are all members of Enterprise Admins, while the Big Three are members of Domain Admins--they won't be able to find us just by looking up group membership, since the Enterprise Admins group is in the to-be-hidden OU.