Is their a way to hide AD objects? I have things like test users, etc., that I don't want to show up in searches by the user community.
Dav Banks wrote: > Is their a way to hide AD objects? I have things like test users, etc., that > I don't want to show up in searches by the user community. > > You can't really hide objects in AD. However, if you have all these test objects in a single OU you can change the security for that entire OU (and make sure it changes on all child objects). One possibility (and this would need some testing) is removing the "Authenticated Users" read access. Make sure you add a special group for your test user objects so that they can read the OU. -- Joseph Daigle
Thanks for the suggestion! I had actually tried that but it didn't work. But when you suggested it I went back and checked the memberships of some of the Built-In groups. It turns out that the Pre-Windows 2000 Compatible Access group has Authenticated Users as a member. When I removed the permissions for that group on the object it worked like expected. dav "Joseph Daigle" wrote in message news:OmoULXP1FHA.268@TK2MSFTNGP09.phx.gbl... > Dav Banks wrote: >> Is their a way to hide AD objects? I have things like test users, etc., >> that I don't want to show up in searches by the user community. > > You can't really hide objects in AD. However, if you have all these test > objects in a single OU you can change the security for that entire OU (and > make sure it changes on all child objects). > > One possibility (and this would need some testing) is removing the > "Authenticated Users" read access. Make sure you add a special group for > your test user objects so that they can read the OU. > > -- > Joseph Daigle
Maybe I spoke too soon. At first I thought it was me but I've done it a couple of times now and each time, after 20-30 minutes, windows adds the permissions I just removed. I guess I can't be trusted with my own network! dav "Dav Banks" wrote in message news:%23Dd2swY1FHA.2064@TK2MSFTNGP09.phx.gbl... > Thanks for the suggestion! I had actually tried that but it didn't work. > But when you suggested it I went back and checked the memberships of some > of the Built-In groups. > > It turns out that the Pre-Windows 2000 Compatible Access group has > Authenticated Users as a member. When I removed the permissions for that > group on the object it worked like expected. > > dav > > "Joseph Daigle" wrote in message > news:OmoULXP1FHA.268@TK2MSFTNGP09.phx.gbl... >> Dav Banks wrote: >>> Is their a way to hide AD objects? I have things like test users, etc., >>> that I don't want to show up in searches by the user community. >> >> You can't really hide objects in AD. However, if you have all these test >> objects in a single OU you can change the security for that entire OU >> (and make sure it changes on all child objects). >> >> One possibility (and this would need some testing) is removing the >> "Authenticated Users" read access. Make sure you add a special group for >> your test user objects so that they can read the OU. >> >> -- >> Joseph Daigle > >
Dav Banks wrote: > Maybe I spoke too soon. At first I thought it was me but I've done it a > couple of times now and each time, after 20-30 minutes, windows adds the > permissions I just removed. I guess I can't be trusted with my own network! > > dav > > "Dav Banks" wrote in message > news:%23Dd2swY1FHA.2064@TK2MSFTNGP09.phx.gbl... > >>Thanks for the suggestion! I had actually tried that but it didn't work. >>But when you suggested it I went back and checked the memberships of some >>of the Built-In groups. >> >>It turns out that the Pre-Windows 2000 Compatible Access group has >>Authenticated Users as a member. When I removed the permissions for that >>group on the object it worked like expected. >> >>dav Hmm... that is interesting behavior... I've never actually tried this before. I'm wondering what exactly caused the permsissions to repopulate. Regardless, goodluck figuring it out, and I'll let you know if I come up with anything. -- Joseph Daigle
It seems to only repopulate the permissions on the one account that has administrative privileges - which just happens to be the one I most want to hide. The regular test user seems unaffected. I tried to do it directly from the DC but it does have a Security tab for users in ADUC. I did reset it again using ADSIEdit. I doubt it'll make a difference but I've seen stranger things! dav "Joseph Daigle" wrote in message news:%23WRgdLk1FHA.3180@TK2MSFTNGP14.phx.gbl... > Dav Banks wrote: >> Maybe I spoke too soon. At first I thought it was me but I've done it a >> couple of times now and each time, after 20-30 minutes, windows adds the >> permissions I just removed. I guess I can't be trusted with my own >> network! >> >> dav >> >> "Dav Banks" wrote in message >> news:%23Dd2swY1FHA.2064@TK2MSFTNGP09.phx.gbl... >> >>>Thanks for the suggestion! I had actually tried that but it didn't work. >>>But when you suggested it I went back and checked the memberships of some >>>of the Built-In groups. >>> >>>It turns out that the Pre-Windows 2000 Compatible Access group has >>>Authenticated Users as a member. When I removed the permissions for that >>>group on the object it worked like expected. >>> >>>dav > > Hmm... that is interesting behavior... I've never actually tried this > before. I'm wondering what exactly caused the permsissions to repopulate. > Regardless, goodluck figuring it out, and I'll let you know if I come up > with anything. > > -- > Joseph Daigle
