How do we lockdown Authenticated Users access to our Active Directory content?
Hello All,
I would like to know if any of you have tried and succeeded at locking down access for authenticated users to Active Directory content. One of our clients has a need to restrict read access to certain Organizational Units.
They have the standard Active Directory integrated applications (MS Exchange, SQL databases, IIS) etc. running and have a few in-house developed web applications that too rely on access to Active Directory content.
They would like to take away read access for all Authenticated Users except the users and delegated admins of those OUs, but are hesitant to try it because they're not sure of what all might get impacted (it being a production domain, it's hard to actually try it, and it's hard to repro the whole production environment into a test environment).
If you too have encountered this problem, it would be helpful to hear of how you may have accomplished such a thing, and if there were any things to look out for.
RE: How do we lockdown Authenticated Users access to our Active Directory content?
Hi CF,
We actually tried this last year, and in fact spent a great deal of time trying to do this, and I have to say that this is unfortunately very difficult. By the way, we tried it because we had a situation where we had some insiders who were running permission-analysis tools in our environment to try and take over some accounts.
Anyway, it turns out that the reason it is so difficult is that so many components (apps, services, functions) of both native Microsoft products and applications as well as 3rd party apps rely on the presence of read access for Authenticated Users, so that if you were to try to restrict it even minimally, so many things stop working.
For instance, Exchange is one application that got substantially impacted. In fact Exchange relies heavily on access to Active Directory. If I remember correctly, we also noticed some impact on RAS, VPNs, Terminal Services and Network Browsing.
I would highly recommend against trying to do this. If you do try it, please first try it in a production-like test environment and only then try it in production.
If I may ask, what is your motivation to lock down Authenticated Users access?
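Before changing anything, a practitioner would want an inventory of exactly which ACEs grant Authenticated Users rights on the OUs in question, so the impact can be assessed and the same inventory can be re-run in a test domain after each change. The following is an added example (not code from either poster); it assumes the RSAT ActiveDirectory module and a placeholder search base, and it only reads the directory.

```powershell
# Added example: list every ACE that grants NT AUTHORITY\Authenticated Users
# rights on the OUs under a search base. Report only; nothing is modified.
# Assumes the ActiveDirectory module (RSAT) and read access to the directory.
Import-Module ActiveDirectory

function Get-AuthenticatedUsersOuAce {
    param(
        # Placeholder base; replace with the client's OU subtree.
        [Parameter(Mandatory)] [string] $SearchBase
    )
    # Well-known SID for Authenticated Users; compare by SID, not by display name.
    $authUsersSid = 'S-1-5-11'

    Get-ADOrganizationalUnit -Filter * -SearchBase $SearchBase | ForEach-Object {
        $ou  = $_
        $acl = Get-Acl -Path ("AD:" + $ou.DistinguishedName)
        foreach ($ace in $acl.Access) {
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -ne $authUsersSid) { continue }
            [pscustomobject]@{
                OU          = $ou.DistinguishedName
                Type        = $ace.AccessControlType       # Allow / Deny
                Rights      = $ace.ActiveDirectoryRights   # e.g. GenericRead, ReadProperty
                ObjectType  = $ace.ObjectType              # attribute/class GUID; all-zero = any
                Inherited   = $ace.IsInherited             # inherited ACEs originate higher up
                Inheritance = $ace.InheritanceType
            }
        }
    }
}

# Inherited entries cannot be removed on the OU itself; they come from the
# parent (often the domain root), so restricting them means blocking
# inheritance, which is exactly the step that needs a test-domain rehearsal.
Get-AuthenticatedUsersOuAce -SearchBase 'OU=Clients,DC=example,DC=com' |
    Sort-Object OU, Inherited |
    Format-Table -AutoSize
```

Run the inventory once before any change and again afterwards in the production-like test environment, then exercise the Exchange, IIS and in-house applications mentioned above against that test domain before touching production.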