TechRepublic|Forums|Windows

Windows

General discussion

  • Creator
    Topic
  • October 18, 2006 at 10:06 am #2249874

    Deny Read Only access to AD

    Locked

    by steve.bouse · about 16 years, 3 months ago

    Has anyone set the Authenticated Users to ‘deny access’ for their entire domain and had any issues. We do not want regular users installed the Windows 2003 Support tools on their Windows XP system..and looking at our Active Directory/Sites and Services/Domains and Trusts. I set a test user to ‘deny access’ and this blocks it..but I figured I would ask before doing this in the production domain. Any help is appreciated!

    Topic is locked This conversation is currently closed to new comments.
  • Creator
    Topic

All Comments

  • Author
    Replies
    • October 18, 2006 at 10:47 am #3222070

      Interesting approach

      by cg it · about 16 years, 3 months ago

      In reply to Deny Read Only access to AD

      I would think that with strickly domain user accounts for domain users, they would be denied installation of anything that you do not want them to have.

      The Authenticated Users group on client computers allows users to log on to trusted domains. Since the sysvol and netlogon folder is a required share, and if you have other domains that users are in that need to log on to your netowrk I would think the deny read only access would prohibit them log on rights . Never tried this so I don’t know.

    • October 18, 2006 at 2:29 pm #3220949

      don’t think it’s a good idea

      by lowlands · about 16 years, 3 months ago

      In reply to Deny Read Only access to AD

      Users need read access to Active Directory, “authenticated users” includes all users in your domain. With deny taking precedence over any other permissions you set, I would think you basicly disallow total access to authentication.

    • July 25, 2007 at 6:38 am #2607956

      I agree…

      by hatfira · about 15 years, 6 months ago

      In reply to Deny Read Only access to AD

      I agree with the other two posters. Denying Read access to the Authenticated Users group would give you a ton of headaches.

      Instead, why not create a policy that denies the installation of the tools, place the Authenticated Users in it, then deny that policy for the users (e.g. domain admins) that need the toolkit installed? That will give you more flexibility without having to modify the basic security model for AD.

      Good luck!

    • December 10, 2007 at 11:12 am #2638020

      How about implicit “Deny”

      by yuemo · about 15 years, 2 months ago

      In reply to Deny Read Only access to AD

      I’d like to do something like the original post. How about just remove “READ” permission from “authenticated users”? This will not have any override issue the other pointed out.

      -Yuemo

  • Author
    Replies
Viewing 3 reply threads