Recipe 14.15 Enabling List Object Access Mode

14.15.1 Problem

You want to prevent any authenticated user from being able to browse the contents of Active Directory by default. Enabling List Object Access mode means users will need explicit permissions to see directory listings of containers.

14.15.2 Solution

14.15.2.1 Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services cn=Windows NT cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value: 001. If the attribute has an existing value, make sure the third bit (from the left) is set to 1.

  6. Click OK twice.

14.15.2.2 Using VBScript
' This code enables or disables list object mode for a forest. ' ------ SCRIPT CONFIGURATION ------ boolEnableListObject = 1  ' e.g. 1 to enable, 0 to disable ' ------ END CONFIGURATION --------- set objRootDSE = GetObject("LDAP://RootDSE") set objDS = GetObject( _                 "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _                 & objRootDSE.Get("configurationNamingContext") ) strDSH = objDS.Get("dSHeuristics") if len(strDSH) = 1 then    strDSH = strDSH & "0" end if strNewDSH = Left(strDSH,2) & boolEnableListObject if len(strDSH) > 3 then    strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 3) end if WScript.Echo "Old value: " & strDSH WScript.Echo "New value: " & strNewDSH if strDSH <> strNewDSH then    objDS.Put "dSHeuristics", strNewDSH    objDS.SetInfo    WScript.Echo "Successfully set list object mode to " & _                 boolEnableListObject else    WScript.Echo "List object mode already set to " & boolEnableListObject end if

14.15.3 Discussion

List Object Access mode is useful if you want your users to only view a subset of objects when doing a directory listing of a particular container or you do not want them to be able to list the objects in a container at all. By default, the Authenticated Users group is granted the List Contents access control right over objects in a domain. If you remove or deny this right on a container by modifying the ACL, users will not be able to get a listing of the objects in that container in tools, such as Active Directory Users and Computers or ADSI Edit.

To limit the objects' users can see when they do a listing, you first need to enable List Object Access mode as described in the solution. You should then remove the List Contents access control right on the target container. Lastly, you'll need to grant the List Object right to the objects the users or groups should be able to list.

Enabling List Object Access mode can significantly increase the administration overhead for configuring ACLs in Active Directory.

14.15.4 See Also

MSDN: Controlling Object Visibility and Microsoft's High-Volume Hosting Site at http://www.microsoft.com/serviceproviders/deployment/hvh_ad_deploy.asp



Active Directory Cookbook
Active Directory Cookbook, 3rd Edition
ISBN: 0596521103
EAN: 2147483647
Year: 2006
Pages: 456

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net