Deny Read Only access to AD

By steve.bouse ·
Has anyone set the Authenticated Users to 'deny access' for their entire domain and had any issues? We do not want regular users installing the Windows 2003 Support Tools on their Windows XP systems and looking at our Active Directory/Sites and Services/Domains and Trusts. I set a test user to 'deny access' and this blocks it, but I figured I would ask before doing this in the production domain. Any help is appreciated!

Interesting approach

by CG IT In reply to Deny Read Only access to ...

I would think that with strictly domain user accounts for domain users, they would be denied installation of anything that you do not want them to have.

The Authenticated Users group on client computers allows users to log on to trusted domains. Since the sysvol and netlogon folders are required shares, and if you have other domains that users are in that need to log on to your network, I would think the deny read only access would prohibit their logon rights. Never tried this so I don't know.

don't think it's a good idea

by lowlands In reply to Deny Read Only access to ...

Users need read access to Active Directory; "authenticated users" includes all users in your domain. With deny taking precedence over any other permissions you set, I would think you basically disallow total access to authentication.

I agree...

by hatfira In reply to Deny Read Only access to ...

I agree with the other two posters. Denying Read access to the Authenticated Users group would give you a ton of headaches.

Instead, why not create a policy that denies the installation of the tools, place the Authenticated Users in it, then deny that policy for the users (e.g. domain admins) that need the toolkit installed? That will give you more flexibility without having to modify the basic security model for AD.

Good luck!

How about implicit "Deny"

by yuemo In reply to Deny Read Only access to ...

I'd like to do something like the original post. How about just removing "READ" permission from "authenticated users"? This will not have any override issue the others pointed out.

-Yuemo
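
For anyone weighing the Deny entry or the removed Read permission discussed in this thread, the script below is an added example, not code from any of the posters: a read-only listing of the entries that currently name Authenticated Users on the domain root, so the state can be compared before and after a change in a test domain. It assumes a domain-joined machine and an account that is allowed to read the ACL.

```powershell
# Added example (not from the thread): read-only listing of the ACEs that
# name Authenticated Users (well-known SID S-1-5-11) on the domain root.
# Assumption: run on a domain-joined machine by an account that can read the ACL.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$domain   = [ADSI]"LDAP://$domainDn"

# Ask for rules with identities expressed as SIDs, explicit and inherited.
$sidType = [System.Security.Principal.SecurityIdentifier]
$rules   = $domain.psbase.ObjectSecurity.GetAccessRules($true, $true, $sidType)

$authUsers = @($rules | Where-Object { $_.IdentityReference.Value -eq 'S-1-5-11' })

# List Deny entries first, since those are what the replies warn about.
$authUsers |
    Sort-Object @{ Expression = { $_.AccessControlType -ne 'Deny' } }, IsInherited |
    Select-Object AccessControlType, ActiveDirectoryRights, IsInherited, InheritanceType, ObjectType |
    Format-Table -AutoSize

$deny = @($authUsers | Where-Object { $_.AccessControlType -eq 'Deny' })
if ($deny.Count -gt 0) {
    Write-Warning "$($deny.Count) Deny ACE(s) for Authenticated Users on $domainDn"
} elseif ($authUsers.Count -eq 0) {
    Write-Warning "No ACEs name Authenticated Users on $domainDn"
}
```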
