none
Removing permissions to view objects in an OU to Authenticated Users

    Question

  • Hi,

    On a OU, I removed the ability for Authenticated Users to List Contents. When checking the effective access, it shows that list-content for my test user is denied.

    However if I open an ADUC under the test user, or a powershell command and I do a Get-ADUser on the OU, I am still able to retrieve the user accounts in that OU.

    What am I missing ?

    Best regards,

    Saturday, January 7, 2017 5:03 PM

All replies

  • As added information, if I explicitly DENY the List Content to that test user, then it works.

    Which tells me that in some way, even though the effective access says that List Content is denied (without a DENY rule) the user can actually still list the content for some reason.

    ----

    I have also tried to create a group that contains my test user and then use Deny for the whole group to List Content, then the user still can see the contents.

    ---

    The test user is only a member of Domain Users and that is it.

    • Edited by O.Ragain Saturday, January 7, 2017 6:26 PM
    Saturday, January 7, 2017 5:52 PM
  • Hi,
    Regarding to remove the permission for List Contents, I would suggest you take a look at the following blog for suggested methods which is called List Object Mode:
    Active Directory: Controlling Object Visibility – List Object Mode
    http://social.technet.microsoft.com/wiki/contents/articles/29558.active-directory-controlling-object-visibility-list-object-mode.aspx#Removing_List_Content_amp_List_Object
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Tuesday, January 10, 2017 3:36 AM
    Moderator
  • I appreciate the answer, but since DENY list content works, I don't think List Object is involved.

    Also, Microsoft support came back to me and told me it is a bug...

    Thursday, January 12, 2017 1:42 PM
  • Hi,

    Appreciate for the share and it will be greatly helpful to others who have the same question.

    Thanks for your feedback.

    Best regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, January 16, 2017 3:10 AM
    Moderator