General discussion

  • Creator
  • #2249874

    Deny Read Only access to AD


    by steve.bouse ·

    Has anyone set the Authenticated Users to ‘deny access’ for their entire domain and had any issues? We do not want regular users installing the Windows 2003 Support Tools on their Windows XP system and looking at our Active Directory/Sites and Services/Domains and Trusts. I set a test user to ‘deny access’ and this blocks it, but I figured I would ask before doing this in the production domain. Any help is appreciated!

All Comments

  • Author
    • #3222070

      Interesting approach

      by cg it ·

      In reply to Deny Read Only access to AD

      I would think that with strictly domain user accounts for domain users, they would be denied installation of anything that you do not want them to have.

      The Authenticated Users group on client computers allows users to log on to trusted domains. Since the sysvol and netlogon folder is a required share, and if you have other domains that users are in that need to log on to your network, I would think the deny read only access would prohibit their log on rights. Never tried this so I don’t know.

    • #3220949

      don’t think it’s a good idea

      by lowlands ·

      In reply to Deny Read Only access to AD

      Users need read access to Active Directory; “authenticated users” includes all users in your domain. With deny taking precedence over any other permissions you set, I would think you basically disallow total access to authentication.

    • #2607956

      I agree…

      by hatfira ·

      In reply to Deny Read Only access to AD

      I agree with the other two posters. Denying Read access to the Authenticated Users group would give you a ton of headaches.

      Instead, why not create a policy that denies the installation of the tools, place the Authenticated Users in it, then deny that policy for the users (e.g. domain admins) that need the toolkit installed? That will give you more flexibility without having to modify the basic security model for AD.

      Good luck!

    • #2638020

      How about implicit “Deny”

      by yuemo ·

      In reply to Deny Read Only access to AD

      I’d like to do something like the original post. How about just removing “READ” permission from “authenticated users”? This will not have any override issue the others pointed out.
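
The two ideas raised in this thread (an explicit deny for Authenticated Users versus removing its allow entry), run through a simplified model of how Windows walks a DACL. This is an added example, not code from any poster; the account names, rights bits and the three ACLs are constructed, and inheritance is left out.

```python
# Simplified model of Windows DACL evaluation (added example; the ACLs
# below are constructed and are not a real domain's defaults).
from collections import namedtuple

READ, WRITE = 0x1, 0x2
ACE = namedtuple("ACE", "kind sid mask")   # kind is "allow" or "deny"

def canonical(dacl):
    """Canonical order for explicit ACEs: deny entries before allow entries."""
    return sorted(dacl, key=lambda ace: ace.kind != "deny")

def access_check(token_sids, dacl, desired):
    """Return True only if every bit in `desired` is granted to the token."""
    remaining = desired
    for ace in canonical(dacl):
        if ace.sid not in token_sids:
            continue                  # ACE is for a group the token lacks
        if ace.kind == "deny" and ace.mask & remaining:
            return False              # explicit deny ends the walk
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False                      # no ACE granted it: implicit deny

# Every logged-on account carries Authenticated Users, admins included.
USER = {"DOMAIN\\alice", "Authenticated Users"}
ADMIN = {"DOMAIN\\bob", "Domain Admins", "Authenticated Users"}

BASELINE = [ACE("allow", "Authenticated Users", READ),
            ACE("allow", "Domain Admins", READ | WRITE)]
EXPLICIT_DENY = BASELINE + [ACE("deny", "Authenticated Users", READ)]
ALLOW_REMOVED = [ace for ace in BASELINE if ace.sid != "Authenticated Users"]

def read_matrix():
    """Read access under each variant: {variant: (user, admin)}."""
    variants = {"baseline": BASELINE, "explicit_deny": EXPLICIT_DENY,
                "allow_removed": ALLOW_REMOVED}
    return {name: (access_check(USER, dacl, READ),
                   access_check(ADMIN, dacl, READ))
            for name, dacl in variants.items()}

if __name__ == "__main__":
    for name, (user, admin) in read_matrix().items():
        print(f"{name:14} user_read={user} admin_read={admin}")
```

In this model the explicit deny also blocks the admin token, because it carries Authenticated Users too, while removing the allow entry only affects tokens that have no other allow entry for READ.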

