Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Chris Miller on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Domain Guests can browse AD - why ???

Status
Not open for further replies.
gmail2

gmail2

Programmer
Jun 15, 2005
987
IE
I'm trying to tie down my AD as much as possible to prevent anybody from being able to get a list of employees from AD etc. I have 2 scenarious in which I want to prevent this at the moment:

1. A service account which is used to create an LDAP bind to authenticate our remote dial-up users
2. Vendors who need local admin access to certain servers, but do not need any permissions to browse AD

For the first scenario, I removed the service account from domain users and added to the domain guests account instead. Then I changed the permissions on the Dial Up Users OU so that the service account had read permissions. I assumed that the account would not be able to browse any other OU ... but I was wrong !! The service account can still browse all other OU's in Active Directory. Why ... it's a domain guest ?!?!?!?!

My plan was when I had this working to implement something similar for the second scenario. But now that I've discovered my domain guests can browse AD, that's out the window. Has anybody got any ideas why domain guests can do this? Is it a mis-configuration on my part? Or are the domain guests part of the Authenticated Users group by default?

Thanks in advance for any help

Irish Poetry - Karen O'Connor
Irish Poetry and Short Stories - Doghouse Books
Garten und Landschaftsbau
 
Sort by date Sort by votes
Upvote 0 Downvote
By default, all Authenticated Users have Read access to AD and all of the containers within it. You may be able to restrict your users that were put into the "Domain Guests" group by adding the group to the OUs and setting Deny - Read on the ACL.
I would recommend you create a Test OU and a Test user to verify this works as intended before applying it to your production environment.

Thanks,

Boe
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
444
suncit
suncit
goombawaho
  • Locked
  • Question
Domain join from wifi connected laptop
Replies
4
Views
517
goombawaho
goombawaho
microsGuy16
  • Locked
  • Question
Can not copy files to Mapped drive
Replies
0
Views
316
microsGuy16
microsGuy16
MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
169
ADB100
ADB100
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
180
DrB0b
DrB0b

Part and Inventory Search

Sponsor

Back
Top