We have a few domain accounts that are used to do LDAP queries for various systems. We don't want these accounts to be able to query all of the OUs in our AD.

- At the domain level, we have given Authenticated Users Read access to all OUs.
- Created a Security group that these accounts are members of.
- Granted Security Group Read access to the three OUs where we have Users that they should be able to query.
- Issued Deny Full Control rights to all of the other OUs that contain Users.

One of the systems using an account is our copiers. A global search of the directory is still pulling up Users that exist within the OUs that have denies configured.
Not sure how this could be happening.
Thoughts?