Restrict visibility of all Active Directory snap-ins to all users

    Question

  • Hi All ,

    I want to restrict visibility of all Active Directory snap-ins to all users except Domain Admins, Schema Admins and Enterprise Admins.

    I have seen delegated access, but my OUs are split wide. So instead of defining OU-based permissions I want to restrict all sensitive snap-ins of Active Directory through group policies or at the MMC level, so that any user who installs the RSAT tools or any third-party tools cannot have the visibility in the first place.

    Regards ,

    Meraj

    Wednesday, April 19, 2017 2:13 PM

All replies

  • Any help here is highly appreciated. I have managed it for the AD snap-ins; however, third-party apps would still have access.
    Thursday, April 20, 2017 5:51 AM
  • Hi Meraj,
    You could take a look at the following policy setting under User Configuration\Administrative Templates\Windows Components\Microsoft Management Console\Restricted/Permitted snap-ins.
    You could disable each snap-in you need to; the snap-in is then prohibited and cannot be added to the Microsoft Management Console or run from the command line as a standalone console. An error message is displayed stating that policy is prohibiting the use of this snap-in.
    Regarding snap-ins of third-party applications, as far as I know there is no such group policy to control them. I would suggest that you set the permissions on the snap-in to restrict users from accessing it.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Thursday, April 20, 2017 7:26 AM
    Moderator
  • Hi Wendy ,

    As I said, the AD snap-ins are taken care of already. There are many third-party apps that query Active Directory and fetch the information through web-based consoles or their own API. I believe there should be something that can prevent these apps from contacting Active Directory to fetch the information. Something in AD should restrict apps from fetching the data.

    Regards ,

    Meraj

    Thursday, April 20, 2017 10:06 AM
  • There are no settings, as per my understanding, that can restrict access to AD. All users by default will have read access to it. Hence the only option will be restricting specific applications using group policy or some other way. Maybe software restriction or AppLocker policies can be tested. Is there any specific reason that you want to restrict read access, which is there by default for all domain users?


    Thursday, April 20, 2017 10:17 AM
  • Hi There,

    Yes, I am aware of the default read permissions. Another thing is that I think I have to work on the read permissions, as even when I create a new user with no domain admin rights, the user has the ability to write, create objects and delete them. Maybe I am looking at that part of the access rights for now and will later focus on specific applications.

    Regards ,

    Meraj

    Saturday, April 22, 2017 11:09 AM
  • I will apply this and get back,

    Thanks..

    Sunday, April 23, 2017 5:47 AM
  • Hmm... there should be some group added at the root level of the domain with the delete permission, maybe Domain Users? Have you verified whether the permission is specific to one OU or applies to the complete domain? Once you identify this you can easily remove the specific group permission to avoid domain users getting delete permission.

    Please mark the comments as Answer if it is helpful.

    Monday, April 24, 2017 7:43 AM
  • It is not specific to an OU; all domain users can access all OUs and have modify permissions.

    First thing: is there any easier way to remove List Contents at the root level, so that I first restrict List Contents for all domain users, keeping an exception for Domain Admins?

    Thursday, May 4, 2017 6:04 AM
  • Okay, it could be that the permission is applied to the Domain Users group at the domain root level. The easiest option could be to verify the default permissions for the Domain Users group in a newly promoted test domain and apply the same here.
    Friday, May 5, 2017 9:52 AM
  • Let me check that,

    One more thing: if, in Delegate Permissions, I go OU by OU and define a deny permission for List Contents to Everyone and Domain Users, should this do the trick?

    Friday, May 5, 2017 9:58 AM
  • Hi,

    I am checking how the issue is going; if you still have any questions, please feel free to contact us.

    And if the replies above are helpful, we would appreciate it if you mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    We appreciate your feedback.

    Best regards,

    Wendy
    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 8, 2017 3:26 AM
    Moderator
  • I don't think it is a good idea to deny permission for the Everyone, Domain Users or Authenticated Users groups, since it can cause other issues, and also managing these permissions will again be a challenge. Instead of that, find whether you have any of these groups with delete permissions applied at the root level and modify them back to the default permissions, after taking a backup to avoid breaking any other functionality.
    Monday, May 8, 2017 6:57 AM
  • Hi Wendy ,

    I went ahead with blocking the MMC snap-ins, but after some time I could not open the snap-ins from the Domain Controller itself, so I had to remove the block on the snap-ins.

    Right now there is no progress. My question still remains:

    If I go OU by OU and define a deny permission for List Contents to the Everyone group and Domain Users, should this do the trick?

    Regards ,

    Meraj

    Thursday, May 25, 2017 8:03 AM
  • Hi Meraj,
    You could give it a try, and if you have many OUs, you could use a script to find the permissions automatically; please refer to:
    https://blogs.technet.microsoft.com/ashleymcglone/2013/03/25/active-directory-ou-permissions-report-free-powershell-script-download/
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 29, 2017 1:54 AM
    Moderator
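As an added example (not code from the thread and not the linked script), here is a PowerShell report of the kind the replies above describe: it walks the domain root and every OU and lists Allow ACEs that give Everyone, Authenticated Users or Domain Users delete, create or full-control rights, with an Inherited column so you can see where each ACE is actually defined rather than merely inherited. It assumes the ActiveDirectory RSAT module is installed; the principal list and the set of rights it flags are assumptions you can adjust.

```powershell
# Added example: audit OU ACLs for broad principals holding risky rights.
# Requires the ActiveDirectory module (RSAT); read-only, it changes nothing.
Import-Module ActiveDirectory

# Assumed list of "broad" principals worth hunting for (extend as needed).
$broadPrincipals = @('Everyone', 'Authenticated Users', 'Domain Users')

# Rights that let a principal delete or create objects or take full control.
# ListChildren/GenericRead are deliberately NOT flagged: they are the default
# read access every authenticated user has, as discussed in the thread.
$riskyRights = 'Delete|DeleteChild|DeleteTree|CreateChild|GenericAll|WriteDacl|WriteOwner'

# Domain root plus every OU, by distinguished name.
$domainDN   = (Get-ADDomain).DistinguishedName
$containers = @($domainDN) +
              (Get-ADOrganizationalUnit -Filter * |
               Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $containers) {
    # The AD: PSDrive exposes each object's security descriptor to Get-Acl.
    $acl = Get-Acl -Path ("AD:\" + $dn)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }

        # IdentityReference looks like "Everyone", "NT AUTHORITY\Authenticated Users"
        # or "CONTOSO\Domain Users"; strip any "X\" prefix before comparing.
        $name = $ace.IdentityReference.Value -replace '^.*\\', ''
        if ($broadPrincipals -notcontains $name) { continue }

        if ($ace.ActiveDirectoryRights.ToString() -notmatch $riskyRights) { continue }

        [pscustomobject]@{
            Container   = $dn
            Principal   = $ace.IdentityReference.Value
            Rights      = $ace.ActiveDirectoryRights
            Inherited   = $ace.IsInherited      # $false = defined on this container
            InheritType = $ace.InheritanceType
            ObjectType  = $ace.ObjectType       # GUID of the object/property class, if scoped
        }
    }
}

# Non-inherited hits at the domain root are the ones to fix first; everything
# inherited below them disappears once the root ACE is corrected.
$findings | Sort-Object Inherited, Container | Format-Table -AutoSize
```

Pipe `$findings` to `Export-Csv` instead of `Format-Table` if you want the backup of current permissions that the earlier reply recommends taking before changing anything.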
  • Hi,

    The snap-in block will just stop read access via the GUI; however, command-line tools can still retrieve the object dump. Obviously, as mentioned above, this is due to the fact that the Authenticated Users group has default Read permission on all AD objects.

    If you are looking at protecting your sensitive IDs or objects from read access, I would recommend defining a new OU structure with careful consideration and removing the inheritance, followed by removing all the default Read access for Authenticated Users.


    Monday, May 29, 2017 8:18 AM