none
Hiding OUs from one another

    Question

  • I am standing up a domain in which several vendors will participate, each having their own OUs. These verndros will have account operator privileges and be able to add computers in their respective OUs, but we don't want any users in one of the vendor OUs to be able to see the other vendor OUs.

    One thought was to use groups (each vendor has a group with an explicit deny on the other vendors' OUs, and only users in these groups can log in). It'd be nicer to do this with GPO, but I don't see a way to do that.

    Thoughts on this?

    Wednesday, March 15, 2017 9:29 PM

All replies

  • Hi

     Check these similar cases,you should perform action on active directory.

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/973e3cc2-739b-4a99-b7c5-1f39cab4fe70/completely-hide-ou-for-users-adou-segregation?forum=winserverDS

    https://social.technet.microsoft.com/Forums/windowsserver/en-US/8acad037-926a-47f7-8e1a-0eece252ae99/allow-users-only-to-authenticate-against-my-ad-and-nothing-else?forum=winserversecurity


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    • Proposed as answer by Todd Heron Thursday, March 16, 2017 1:15 AM
    Wednesday, March 15, 2017 9:58 PM
  • hi,

    this video link will help you but on reverse theory. I mean, the read permission has been deny or the allow permission is unchecked.

    https://www.youtube.com/watch?v=P5oT-TDT3uE


    Aliyani Sabrey http://netoverme.wordpress.com

    Thursday, March 16, 2017 5:17 AM
  • As already mentioned, you can do that with restricting native permissions but it won't be easy.

    There are also 3rd party tools that can restrict what users can have access to. Here's an example that lets you control it with both RBAC and also the web interface through which users interact with AD:

    http://www.adaxes.com/tutorials_DelegatingPermissions_HideADObjectsFromUsers.htm

    http://www.adaxes.com/tutorials_WebInterfaceCustomization_PreventUsersFromViewingTheADStructure.htm

    Thursday, March 16, 2017 12:24 PM