We have a few domain accounts that are used to do LDAP queries for various systems. We don't want these accounts to be able to query all of the OUs in our AD.

  • At the domain level, we have given Authenticated Users Read access to all OUs.
  • Created a Security group that these accounts are members of.
  • Granted Security Group Read access to the three OUs where we have Users that they should be able to query.
  • Issued Deny Full Control rights to all of the other OUs that contain Users.

One of the systems using an account is our copiers. A global search of the directory is still pulling up Users that exist within the OUs that have denies configured.

Not sure how this could be happening.

Thoughts?

1 Answer

It's not enough to have a deny on just the OU the objects are in. The permission needs to be a deny for:

  • List Contents
  • Read All Properties
  • Read Permissions

And it needs to be applied for "This object and all descendant objects" on the OU in question.
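One way to apply the deny described above and check the result, as an added PowerShell example that is not part of the original answer. It assumes the RSAT ActiveDirectory module (for the AD: drive) and uses a placeholder group name and placeholder OU distinguished names that must be replaced with your own.

```powershell
# Added example, not from the original post. Assumes the RSAT ActiveDirectory
# module is installed; group and OU names below are placeholders.
Import-Module ActiveDirectory

$DenyGroup = 'CORP\LDAP-Readers'                       # placeholder: group containing the query accounts
$TargetOUs = @('OU=Finance,DC=corp,DC=example',        # placeholder: OUs the group must not be able to read
               'OU=HR,DC=corp,DC=example')

$sid = (New-Object System.Security.Principal.NTAccount($DenyGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# The three rights the answer calls out: List Contents, Read All Properties, Read Permissions
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty  -bor
          [System.DirectoryServices.ActiveDirectoryRights]::ReadControl

# "This object and all descendant objects"
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All

foreach ($ou in $TargetOUs) {
    $path = "AD:\$ou"
    $acl  = Get-Acl -Path $path
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid, $rights, [System.Security.AccessControl.AccessControlType]::Deny, $inherit)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl

    # Verify: list the deny ACEs for the group on this OU and confirm the inheritance scope is 'All'
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference.Value -eq $DenyGroup -and $_.AccessControlType -eq 'Deny' } |
        Select-Object ActiveDirectoryRights, InheritanceType, IsInherited |
        Format-Table -AutoSize
}
```

After applying it, re-run the directory search as one of the query accounts (for example `Get-ADUser -Filter * -SearchBase $ou -Credential (Get-Credential)`) and confirm the users in the denied OUs no longer appear.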