
Huhu,

Is it possible to disable the search for other users in an AD? In this picture I am logged in as a "normal" user.

Get-ADUser search

Here is a Picture of our AD structure.

AD Structure

So I don't want a user to be able to find another user in the Users OU via PowerShell (Get-ADUser).

Is that possible?

I hope you have enough information to understand my issue.

Regards

  • The default is to make the directory visible to EVERYONE. If you change that, you will likely have strange glitches. You can - apparently - set ACLs on the AD structure ... but I don't know how ... and would be _extremely wary_ of doing so unless there is a _truly dire need_. – Lee_Dailey Apr 17 '20 at 00:08
  • Yeah, I tried to deny "read content" for all users in a group, but then my logon script didn't work anymore. – Patrick Heller Apr 17 '20 at 07:56
  • Yep, diddling the AD perms is not likely to be a reliable way to do anything other than make new problems. The only time I see it being useful is for things like BitLocker keys that can be auto-stored in AD. Those make sense to lock down to a narrow group of accounts. ///// If all you want is to block folks from seeing email addresses ... I would simply lock down the address book access to just what they need. Have you ever looked at your enterprise global address book? [*grin*] – Lee_Dailey Apr 17 '20 at 11:00
  • Okay, this is a good hint. I just got it working by unchecking "Read all properties" for "Authenticated Users". I did not recognize any side effects so far. – Patrick Heller Apr 17 '20 at 11:17
  • Sorry, "List Contents", not "Read all properties". – Patrick Heller Apr 17 '20 at 11:29
  • Glad to know that you got it working as needed .... but I still would not do it short of truly _dire_ need. [*grin*] – Lee_Dailey Apr 17 '20 at 12:07

2 Answers


This is not really a thing in Windows proper. The default in AD is that all users have read access. Secondly, anyone in AD is likely to have an email alias and can thus be found, whether PowerShell is used or not, by their email alias/SMTP address, and should be, for email lookups, so, IMHO, this is a futile use case.

One does not need Get-ADUser to find a user in AD. One has been able to do this since AD has been around, well before PowerShell was ever a thing, using older scripting methods with .bat/.cmd/.vbs/WMI/ADSI or .NET directly; that is how it was done before PowerShell existed.

If you don't want a user to use a specific cmdlet or cmdlets, then you need to implement restrictions via 'PowerShell Just Enough Administration (JEA)'.

Again, one does not need to use PowerShell to scan and get info from AD; that is a well-documented and widely used approach for folks who have PowerShell disabled (or tried to) in their environments.

Example: How Can I Get a List of All the Users in an OU and Its Sub-OUs?

VBScript:

' Lists every user under the Finance OU (and its sub-OUs) with a plain ADO/ADSI query.
' Change the LDAP path in the SELECT statement to suit your domain.
On Error Resume Next
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")

' ADsDSOObject is the ADO provider that talks LDAP to the directory.
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCommand.ActiveConnection = objConnection

' Paged results so more than 1000 objects come back; subtree scope includes sub-OUs.
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE

objCommand.CommandText = _
    "SELECT Name FROM 'LDAP://ou=finance,dc=fabrikam,dc=com' WHERE objectCategory='user'"
Set objRecordSet = objCommand.Execute

' MoveFirst raises an error on an empty recordset; guard it rather than relying on On Error Resume Next.
If Not objRecordSet.EOF Then objRecordSet.MoveFirst

Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

Or

ADDS PowerShell (CMDLET, ADSI & .Net) to Expedite Your Tasks

ADSI:

<#
PowerShell ADSI (Active Directory Service Interfaces) commands
1. How to read a user's properties.
#>

# Bind straight to a user object by DN and dump every attribute the caller is allowed to read.
$users1 = [ADSI]"LDAP://cn=copy,cn=users,dc=contoso,dc=com"
$users1 | Select-Object *

# 2. How to list the members of a group.
$test = [ADSI]"LDAP://CN=test,CN=Users,DC=contoso,DC=com"
$test.member |
    ForEach-Object { [ADSI]"LDAP://$_" } |
    Select-Object sAMAccountName, sAMAccountType

# 3. Listing an OU's contents (one level down; no Get-ADUser involved).
$ou = [ADSI]"LDAP://ou=tech,dc=contoso,dc=com"
$ou.PSBase.Children
$ou.PSBase.Children | Format-Table sAMAccountName
– postanote
  • Thanks for this detailed reply. It helps to understand that my problem is bigger than I thought. I thought I could easily hide users from each other, but it seems not. Do you have any ideas how to do that? Because the information they get is very sensitive, e.g. email addresses. – Patrick Heller Apr 17 '20 at 07:47
  • Yes, just do it in ADDS directly. ADDS offers many options, but outside of email address, phone, office info, and maybe home address, there really should not be other PII in ADDS user objects, and if you have that, it's time to talk with your risk management/policy/security/auditor types to address it. Even with the list above, I can get all that from a user's Twitter/Facebook/TikTok habits. Just say'in.... ;-} – postanote Apr 17 '20 at 22:19
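As an added example (editor's code, not part of postanote's answer) of the JEA route the answer mentions: a role capability that exposes Get-ADUser with only the -Identity parameter, mapped to a group on a constrained remoting endpoint. The module name ADHelpDesk, the role name ADUserReader, the group CONTOSO\HelpDesk and the transcript folder are assumptions. Note what this does and does not achieve: it limits what a user can run through that endpoint; it does nothing to stop the same user running ADSI, .NET or the VBScript above from an ordinary session, which is the answer's point.

```powershell
# Added example, not code from the original answer. Names are assumptions:
# module 'ADHelpDesk', role 'ADUserReader', group 'CONTOSO\HelpDesk'.
$modulePath = Join-Path $env:ProgramFiles 'WindowsPowerShell\Modules\ADHelpDesk'
$rcPath     = Join-Path $modulePath 'RoleCapabilities'
New-Item -Path $rcPath -ItemType Directory -Force | Out-Null

# Role capability files must live in a RoleCapabilities folder of a valid module.
New-ModuleManifest -Path (Join-Path $modulePath 'ADHelpDesk.psd1')

# Only Get-ADUser is visible, and only with -Identity: no -Filter / -LDAPFilter,
# so a session user can look up a name they already know but cannot enumerate.
New-PSRoleCapabilityFile -Path (Join-Path $rcPath 'ADUserReader.psrc') `
    -ModulesToImport ActiveDirectory `
    -VisibleCmdlets @{ Name = 'Get-ADUser'; Parameters = @{ Name = 'Identity' } }

# Restricted endpoint: NoLanguage mode, runs as a virtual account, transcripts every session.
$psscPath = Join-Path $env:TEMP 'ADUserReader.pssc'
New-PSSessionConfigurationFile -Path $psscPath `
    -SessionType RestrictedRemoteServer `
    -RunAsVirtualAccount `
    -TranscriptDirectory 'C:\JEATranscripts' `
    -RoleDefinitions @{ 'CONTOSO\HelpDesk' = @{ RoleCapabilities = 'ADUserReader' } }

if (-not (Test-PSSessionConfigurationFile -Path $psscPath)) { throw "Invalid session configuration file: $psscPath" }
Register-PSSessionConfiguration -Name ADUserReader -Path $psscPath -Force   # restarts WinRM

# From a helpdesk workstation (assumed host name dc01):
#   Enter-PSSession -ComputerName dc01 -ConfigurationName ADUserReader
#   Get-ADUser -Identity jdoe      # allowed
#   Get-ADUser -Filter *           # fails: -Filter is not a visible parameter here
```

Two points a practitioner would check before registering this: the virtual account that runs the endpoint is a member of the local Administrators group (on a domain controller, of Domain Admins), so the visible parameter set is the only thing standing between the session user and those privileges; and the transcript folder needs to exist and be restricted, since it will contain every command issued through the endpoint.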

So this worked for me: I just got it working by unchecking "List Contents" for "Authenticated Users" on the "Users" OU, and I did not recognize any side effects so far.

Rights of Authenticated Users

And the "normal" user can't see the other users anymore via a query. Tested with PowerShell Get-ADUser and CMD "net user".

Query Result

So my problem is solved, provided there are no side effects in the future.

I will let you know.

Cheers

  • Good to know you found this setting. We all love PowerShell here, but I tell folks, don't script if you don't have to, especially when the core offering, in this case Windows ADDS proper, already provides a solution. – postanote Apr 17 '20 at 22:21
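The same change as in the answer above, reproduced as an added example (editor's code, not Patrick Heller's or postanote's) so it can be scripted, backed up and verified rather than clicked. It takes only the "List Contents" right (ListChildren in the .NET enum) away from the explicit Authenticated Users ACE on the OU, after saving the OU's security descriptor as SDDL, and then tests as a non-admin account over plain LDAP: first the one-level enumeration that Get-ADUser, ADSI and the VBScript above all rely on, then a direct bind to a DN the user already knows, because List Contents governs listing and the second check should not be assumed from the first. The OU DN, the known user DN, the backup folder and the test account are assumptions.

```powershell
# Added example, not code from either answer. Placeholders (assumptions): the OU DN,
# the known user DN, the backup folder, and the test account supplied to Get-Credential.
Import-Module ActiveDirectory

$ouDn         = 'OU=Users,DC=contoso,DC=com'
$knownUserDn  = 'CN=Jane Doe,OU=Users,DC=contoso,DC=com'
$backupDir    = 'C:\Temp'
$authUsers    = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'        # Authenticated Users (well-known SID)
$listContents = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren  # shown as "List Contents" in the GUI

# 1. Save the OU's security descriptor as SDDL so the change can be undone.
function Backup-OuAcl {
    param([string]$OuDn, [string]$Dir)
    $file = Join-Path $Dir ('{0}-{1}.sddl' -f ($OuDn -replace '[^A-Za-z0-9]', '_'), (Get-Date -Format 'yyyyMMdd-HHmmss'))
    (Get-Acl -Path "AD:\$OuDn").Sddl | Set-Content -Path $file -Encoding ASCII
    return $file
}

# 2. Every Allow ACE that carries List Contents on this OU, inherited ones included:
#    if the right also arrives by inheritance from a parent, editing this OU alone is not enough.
function Get-ListContentsGrants {
    param([string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.AccessControlType -eq 'Allow' -and ([int]$_.ActiveDirectoryRights -band [int]$listContents) -ne 0 } |
        Select-Object @{ n = 'Identity'; e = {
                $id = $_.IdentityReference
                try { $id.Translate([System.Security.Principal.NTAccount]).Value } catch { $id.Value }   # orphaned SIDs stay as SIDs
            } }, ActiveDirectoryRights, IsInherited, InheritanceType
}

# 3. The GUI change: remove just the ListChildren bit from the explicit, this-object-only Allow ACE
#    for Authenticated Users. Other rights in that ACE (Read Property, List Object, ...) are untouched.
function Remove-ListContentsForAuthenticatedUsers {
    param([string]$OuDn)
    $acl  = Get-Acl -Path "AD:\$OuDn"
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authUsers, $listContents,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    [void]$acl.RemoveAccessRule($rule)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl

    # Re-read and confirm: an ACE with a different inheritance scope would not have matched above.
    $still = (Get-Acl -Path "AD:\$OuDn").GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $authUsers -and $_.AccessControlType -eq 'Allow' -and
                       ([int]$_.ActiveDirectoryRights -band [int]$listContents) -ne 0 }
    if ($still) { Write-Warning "Authenticated Users still hold List Contents on $OuDn through another ACE; see Get-ListContentsGrants" }
}

# 4. Verify as an ordinary domain user, over LDAP, without the AD module.
function Test-UserVisibility {
    param([string]$OuDn, [string]$KnownUserDn, [pscredential]$Credential)
    $user   = $Credential.UserName
    $pass   = $Credential.GetNetworkCredential().Password
    $result = [ordered]@{}

    # Enumeration, the way Get-ADUser / ADSI / the VBScript do it: a one-level search under the OU.
    try {
        $base = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$OuDn", $user, $pass)
        $ds   = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectCategory=person)')
        $ds.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel
        $ds.PageSize = 1000
        [void]$ds.PropertiesToLoad.Add('sAMAccountName')
        $result.OneLevelCount = @($ds.FindAll()).Count
    } catch { $result.OneLevelCount = "error: $($_.Exception.Message)" }

    # Direct bind to a DN the user already knows: List Contents is about listing, so check this separately.
    try {
        $obj = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$KnownUserDn", $user, $pass)
        $result.BaseLookup = [string]$obj.Properties['sAMAccountName'].Value
    } catch { $result.BaseLookup = "error: $($_.Exception.Message)" }
    return [pscustomobject]$result
}

# Run the sequence: backup, show grants, change, show grants again, test as a non-admin.
$backupFile = Backup-OuAcl -OuDn $ouDn -Dir $backupDir
'Before:'; Get-ListContentsGrants -OuDn $ouDn | Format-Table -AutoSize
Remove-ListContentsForAuthenticatedUsers -OuDn $ouDn
'After:';  Get-ListContentsGrants -OuDn $ouDn | Format-Table -AutoSize
$cred = Get-Credential -Message 'Ordinary (non-admin) domain user to test with'
Test-UserVisibility -OuDn $ouDn -KnownUserDn $knownUserDn -Credential $cred

# Roll back if something breaks (logon scripts, address book, anything that enumerates the OU):
#   $acl = Get-Acl "AD:\$ouDn"
#   $acl.SetSecurityDescriptorSddlForm((Get-Content $backupFile -Raw), [System.Security.AccessControl.AccessControlSections]::Access)
#   Set-Acl "AD:\$ouDn" -AclObject $acl
```

The OneLevelCount going to 0 (or an error) for the test account is the result the answer reports. Keep the backup file until the next logon cycle and an Exchange/address-book check have gone by: the comment thread above already records one logon script breaking on a broader version of this change, and the answer itself leaves open whether side effects appear later.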