Remove 'Network' access or 'Search Active Directory' button
Hi,
I am trying to secure several Windows Server 2008 terminal server; although this also applies to Vista.
In the 'Network' window there is a button to 'Search Active Directory'. I want to prevent users from doing this. Ideally I want to completly remove the 'Network' location from the start menu and from explorer. Alternatively I would like to remove the 'Search Active Directory' button from that window.
Could anyone offer me any assistance with this. I have searched in depth in 2k8 group policies by cant find any way of disabling either feature.
Many Thanks,
Ben
Answers
Hello Ben,
Yes, we can only remove the Search button, context menu and Start menu from the Explorer through the Group Policy setting:
[User Configuration--->Administrative Templates--->Windows Components--->Windows Explorer--->Remove Search button from Windows Explorer]
[User Configuration--->Administrative Templates--->Start Menu and taskbar--->Remove Search link from Start Menu]
However, there is no group policy setting that can hide 'Search Active Directory' button. Even though you can hide it, users can still explore and search the AD through LDAP script or 3-rd party tools. So the best practice is to secure the specific OU in the AD database just like you said.
All Replies
- You can remove "Network" from the Start menu by customizing the Start menu and unchecking the checkbox for Network. I have not yet found a way to hide/disable the "Search Active Directory" or to hide/disable "Network in windows explorer. I guess Microsoft does not find any security relevance in these items.
Hi,
Thanks you for the info. I need to prevent users from accessing that seach feature and one way of doing that I thought would be to remove Network all together, since they do not need access to it and cannot browse the network anyway. The problem is I need to remove it from Explorer and not just the start menu. This post relates to my other post you have replied to about restricting TS RemoteApps. The users will (hopefully) not have a full desktop, but will have access to explorer via a remote app for the purpose of coping files over RDP. Currently Network appears in the tree in explorer.
Many Thanks,
Ben
- Hi
It appears that there may not be a way to achieve this. I will have to look at locking down the security on our AD to prevent people seeing items outside of their OU.
Regards,
Ben
Hello Ben,
Yes, we can only remove the Search button, context menu and Start menu from the Explorer through the Group Policy setting:
[User Configuration--->Administrative Templates--->Windows Components--->Windows Explorer--->Remove Search button from Windows Explorer]
[User Configuration--->Administrative Templates--->Start Menu and taskbar--->Remove Search link from Start Menu]
However, there is no group policy setting that can hide 'Search Active Directory' button. Even though you can hide it, users can still explore and search the AD through LDAP script or 3-rd party tools. So the best practice is to secure the specific OU in the AD database just like you said.
Hi,
Thanks for the reply. I only wanted to remove access to 'Search Active Directory' or to the 'Network' window completley. It appears that my only real solution will be to secure our Active Directory tree (which we have already partially done).
Regards,
Ben
- If it's just that you want to prevent the users from finding any Active Directory objects you can use de GPO:
Administrative Templates > Desktop > Active Directory > Maximum size of Active Directory searches and set it to 0.
In that case the search doesn't return any results.
- Anyone know if this will be fixed in 2008 R2?
I am running Windows 2008 TS in hosted environment,
And I don't want to let allow users to browse Active directory to see other customers OU.
viklund
