Active Directory
vittmann, 2021-03-02 16:57:43

Active Directory, hide objects from Authenticated Users?

Hey!

I have never worked closely with AD, which is why the question of organizing security properly came up.
In a bunch of best-practice manuals they recommend, for example, disabling the built-in Administrator and instead creating another user with the same set of privileges. Moreover, almost never use this super-privileged account; instead, they say, get yourself several accounts for administration with different levels of privileges. OK, that seems like a good idea.

But all Authenticated Users can view all domain objects, including user attributes, and work out who has Domain User privileges there, etc. And they can simply see the structure of the domain (which very often reflects the structure of the organization).
I found examples of how to disable this visibility (and ideally users should not see anything beyond their own OUs): https://windowsnotes.ru/activedirectory/active-dir...
However, there they propose editing with ADSIEdit, which is not recommended in most cases. Plus, somewhere I came across mentions that such behavior can lead to problems with GPOs (because users will not see them); no idea how true that is.

How do you solve this issue? Is it a problem at all?


2 answer(s)
Maxim Grishin, 2021-03-02
@vesper-bot

Authenticated Users are, first of all, exactly that: authorized users, i.e. if you want to hide something from them, then you assume you have a legitimate mole in the network. In my view, it makes sense to hide only the names of privileged accounts (that is, the objects themselves), while leaving access at least for domain computers; otherwise you risk problems when you have to log in to the domain under those accounts.
Regarding the article: the described change should not break GPOs, since it is advisable not to touch the permissions on them, but to hide only what is more or less critical from a security point of view, such as the Domain Admins group and the like. Hiding the OUs themselves and other users is somewhat illogical; you can break something in the infrastructure in an unobvious way (for example, building the Exchange address book).
The use of ADSIEdit in the article can be justified, but only to the extent indicated, and sometimes less. This particular option is described here https://docs.microsoft.com/en-us/openspecs/windows... and it says that if there is already something in the parameter, only one character should be changed, in this case the third from the left. And this particular change in itself will not break anything.
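An added example (not code from the thread or from the linked article) of making exactly the one-character change Maxim describes. It assumes the parameter in question is the dSHeuristics attribute on the Directory Service object in the Configuration partition, whose third character enables List Object mode, and that the RSAT ActiveDirectory module is installed and run with sufficient rights; every other character of the existing value is preserved.

```powershell
# Added example, not part of the original thread. Assumption: the forest-wide
# parameter is dSHeuristics; only its 3rd character (List Object mode) is touched.
Import-Module ActiveDirectory

function Get-DsHeuristicsPath {
    $config = (Get-ADRootDSE).configurationNamingContext
    return "CN=Directory Service,CN=Windows NT,CN=Services,$config"
}

# Build the new value: pad with '0' if the attribute is empty or shorter than
# 3 characters, then change only position 3. Other positions control unrelated
# forest-wide behaviours and are left exactly as found.
function New-DsHeuristicsValue {
    param([string]$Current, [bool]$Enable)
    $chars = $Current.PadRight(3, '0').ToCharArray()
    $chars[2] = if ($Enable) { '1' } else { '0' }
    return -join $chars
}

function Set-ListObjectMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([bool]$Enable = $true)
    $path = Get-DsHeuristicsPath
    $obj = Get-ADObject -Identity $path -Properties dSHeuristics
    $current = [string]$obj.dSHeuristics      # $null becomes "" when unset
    $new = New-DsHeuristicsValue -Current $current -Enable $Enable
    Write-Verbose "dSHeuristics: '$current' -> '$new'"
    if ($new -eq $current) { return }        # already in the requested state
    if ($PSCmdlet.ShouldProcess($path, "set dSHeuristics to '$new'")) {
        Set-ADObject -Identity $path -Replace @{ dSHeuristics = $new }
    }
}

# Dry run first, then apply and read the attribute back to confirm.
Set-ListObjectMode -Enable $true -WhatIf
Set-ListObjectMode -Enable $true -Verbose
(Get-ADObject -Identity (Get-DsHeuristicsPath) -Properties dSHeuristics).dSHeuristics
```

Enabling the mode by itself hides nothing; it only makes the List Object permission meaningful, so the ACL changes on the specific privileged objects are still a separate, deliberate step. Passing -Enable $false reverts the same single character.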

CityCat4, 2021-03-03
@CityCat4

The advice to disable the Administrator user is generally correct. The advice not to work with administrator rights is correct too. Get yourself an account like vasyan and work under it, and use something like adm_vasyan for administration tasks. True, this is inconvenient, and this rule is usually neglected.
But modifying something in the AD schema is generally fraught with problems. Software, even from M$, can safely assume that something is in a certain state, because it always is. If that is not the case on your system, you will get a completely incomprehensible error, or the program simply will not work.
If you need to hide some objects, well, create a separate OU, grant the necessary rights there, and take them away from the rest.
