
Cloak and Dagger GPO issue :)

Status
Not open for further replies.

CitizenBleys

Programmer
Jul 12, 2003
I'm working on a case study project where the employer is a spy organization. I have to build a high-security forest in which the Information Services department (Read: network administrators) and the Big Three group (the employer; sort of like a board of directors) have full access to every resource in the domain.

The exception to this is that we have to hide the IS department so that the Big Three don't know that we have access to their files ^^

Now, as I understand it, it's possible to use a GPO in order to hide an OU within Active Directory, but I'm unable to find the GPO setting that does this. Can anybody help me out?

(Yes, I've tried denying the Big Three group Read access to the OU--which works, to a certain extent. The OUs don't show up like folders in Active Directory Users and Computers when I'm logged in as one of the Big Three, but if I click on the domain root in the left pane, there's an IS object in the right pane with the default "I don't know what this is" Windows icon, and if you try to view its properties, every page says access denied. The project's goal, however, is that the Big Three shouldn't even be able to find out that we exist in the first place.)

The Big Three aren't technical users, so doing stuff like hiding the Security tab is an option--if they don't see it, they won't know it's supposed to be there.

Right now, there's only one domain, but we plan to implement subdomains later, so the network admins are all members of Enterprise Admins, while the Big Three are members of Domain Admins--They won't be able to find us just by looking up group membership, since the Enterprise Admins group is in the to-be-hidden OU.
 
I'm not sure if this is possible, but maybe you're looking at it the wrong way. Instead of trying to hide OUs, what if you just deny all read permissions on your IT staff to other groups?

To clarify (just in case): edit the security on one of your IT staff and DENY the Everyone group and the Authenticated Users group from reading the Active Directory information on that person.

Instead of hiding the OUs from the Big Three... hide your staff :)



"In space, nobody can hear you click..."
 
Bear in mind that Deny permissions take precedence over Allow, so if I Deny the Everyone group *anything*, nobody, including admins, will be able to access it. Which means I won't be able to log in or use my own user account.

Plus, it's not 100% effective--I *have* denied the Big Three read permissions on a number of things in Active Directory Users and Computers, and they still show up in the root of the domain as unidentified child objects... Maybe the OS thinks they're files.
 