
Permissions Inheritance in AD

Status
Not open for further replies.

meastaugh1

Technical User
Apr 21, 2002
316
Hi,

I've created a new OU underneath the domain root. I will store contacts in here that I only want certain users to access. I have therefore removed the Authenticated Users - Read ACE from the OU's ACL. However, when I create/import new contacts into the OU, the contact receives the Authenticated Users - Read entry by default, regardless of the OU's ACL.

Can/should this be changed? As stated above, I want to remove auth users from having read permission, because I don't want some users to see address/tel numbers of the contacts. If avoidable, I'd prefer not to have to use Deny permissions for the users I don't want to access, as it's a bit of a backwards approach to security.

Since I can't change the ACL on multiple contacts, I'd need some sort of script to iterate through all contacts in the OU, modifying the ACL of each one.

Any help much appreciated
 
If you right-click the OU and select properties.
On the Security tab click the Advanced button and remove the check from "Allow inherited permissions from the parent......"
In the dialogue box that appears you can opt to remove or copy the existing permissions.

You can then set permissions as required without users inheriting access again.

Lower OUs will still inherit so you may need to check permissions are as required on those as well.
 
Hi,

Thanks for your response. I had removed inheritance from the OU and removed Authenticated Users from the OU's ACL, but objects created in the OU still received Authenticated Users regardless.

The authenticated users didn't seem to be inheriting, as the ACE could be removed, and was not greyed out as is usually the case with inherited permissions.
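
The kind of script asked for in the first post, as an added example that is not part of the original thread: it walks every contact under the OU and removes the explicit (non-inherited) Allow ACEs for Authenticated Users. New objects get explicit ACEs from their class's default security descriptor in the schema, which is why the entry is not greyed out. The OU name, the `-Apply` switch and the report format are assumptions; it needs the RSAT ActiveDirectory module and rights to modify permissions on the contacts.

```powershell
# Added example: report-only by default, pass -Apply to write the changes.
param(
    [string]$OuDn = 'OU=Restricted Contacts,DC=example,DC=com',  # hypothetical OU
    [switch]$Apply
)
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl/Set-Acl

$authUsersSid = 'S-1-5-11'      # well-known SID of NT AUTHORITY\Authenticated Users
$sidType      = [System.Security.Principal.SecurityIdentifier]

Get-ADObject -SearchBase $OuDn -SearchScope Subtree -LDAPFilter '(objectClass=contact)' |
ForEach-Object {
    $dn   = $_.DistinguishedName
    $path = "AD:\$dn"
    $acl  = Get-Acl -Path $path

    # includeExplicit = $true, includeInherited = $false:
    # only ACEs set directly on the contact, resolved to SIDs.
    $rules = @($acl.GetAccessRules($true, $false, $sidType) |
        Where-Object {
            $_.IdentityReference.Value -eq $authUsersSid -and
            $_.AccessControlType -eq 'Allow'
        })

    if ($rules.Count -eq 0) { return }   # nothing to do for this contact

    foreach ($rule in $rules) {
        # Record what is being removed so the change can be reviewed or reverted.
        Write-Output ('{0}: Allow {1}' -f $dn, $rule.ActiveDirectoryRights)
        if ($Apply) { $acl.RemoveAccessRuleSpecific($rule) }
    }

    if ($Apply) { Set-Acl -Path $path -AclObject $acl }
}
```

Contacts created or imported later will receive the same explicit ACE again, so the script has to be re-run after each import. Check that the intended readers still have access through the OU's own ACL before applying.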
 