
0 Votes
JMH-8674 asked

Stop users from seeing other users in AD (AADDC Users OU)

All users synced from Azure AD to AADDS go in a single OU: AADDC Users

I don't want users in this OU to be able to browse/list/find other users in this OU. What is the best way to do this without breaking anything else?

Thanks

azure-ad-domain-services

1 Vote
amanpreetsingh-msft answered

@JMH-8674 By default, all domain users have read permission on Active Directory objects, which means any user can install the RSAT tools and browse/list/find other objects. You can move the users to a separate OU and deny read permission on the AADDC Users OU, but that can lead to some problems if those users have any link to a user/group in the users container. For example, if a user's manager attribute is set to a user account in the AADDC Users OU, or the user is a member of a group present in the AADDC Users OU. This is not a very common requirement, and if it has to be done, it would require a lot of planning and testing.


Please "Accept as answer" wherever the information provided helps you to help others in the community.

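The two dependencies the answer above warns about (a manager attribute pointing into AADDC Users, and membership in a group that lives in AADDC Users) can be enumerated before any ACL change is attempted, alongside the default read ACEs on the OU. This is an added PowerShell example, not code from the answer or from Microsoft; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the OU distinguished name is a placeholder.

```powershell
# Added example, not from the thread: audit the cross-references that a deny-read
# ACE on the OU could break, and list who currently holds read/list rights on it.
# Assumes the RSAT ActiveDirectory module; the OU DN below is a placeholder.
Import-Module ActiveDirectory

$OuDn = 'OU=AADDC Users,DC=example,DC=com'   # placeholder: set to your domain's DN

# Pull every user in the OU with the two attributes that can point back into it.
# memberOf lists direct group membership only (primary group is not included).
$users = Get-ADUser -Filter * -SearchBase $OuDn -Properties manager, memberOf

# 1. Users whose manager attribute is a DN inside the OU (or one of its children).
$managerLinks = @($users |
    Where-Object { $_.manager -and $_.manager -like "*,$OuDn" } |
    Select-Object SamAccountName, @{ n = 'Manager'; e = { $_.manager } })

# 2. Users that are direct members of a group whose object lives inside the OU.
$groupLinks = @(foreach ($u in $users) {
    foreach ($g in $u.memberOf) {
        if ($g -like "*,$OuDn") {
            [pscustomobject]@{ SamAccountName = $u.SamAccountName; Group = $g }
        }
    }
})

# 3. Principals holding an Allow ACE with read-property or list-children bits on
#    the OU, i.e. the default read access the answer describes.
$adr      = [System.DirectoryServices.ActiveDirectoryRights]
$readBits = $adr::ReadProperty -bor $adr::ListChildren
$readAces = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ([int]($_.ActiveDirectoryRights -band $readBits)) -ne 0
} | Select-Object IdentityReference, ActiveDirectoryRights, IsInherited

"Users with a manager inside the OU: $($managerLinks.Count)"
$managerLinks | Format-Table -AutoSize
"Direct group memberships inside the OU: $($groupLinks.Count)"
$groupLinks | Format-Table -AutoSize
"Allow ACEs granting read/list on the OU:"
$readAces | Format-Table -AutoSize
```

Any non-empty result in the first two tables is a link that a deny-read ACE would affect; the third table shows which principals (typically Authenticated Users or Pre-Windows 2000 Compatible Access) the default read visibility comes from.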

0 Votes
JMH-8674 answered

A couple of issues here:

  • I can't move users out of AADDC as I am syncing these users from Azure AD for use of Windows Virtual Desktop, and this is the only OU they can sync to

  • Permissions can't be edited on the AADDC OU (as far as I know)

The main issue I am having is that a 3rd party app is able to browse AD, and I don't want the users to use this functionality and see other (confidential) users in the OU. I don't think there is much that can be done in AD or Group Policy due to the restrictions with the AADDC OU, at least from what I have seen so far. So it may just be that we need the 3rd party app updated, so that users cannot browse AD there.


0 Votes
Rexists-6096 answered

Hi, did you find an answer to your original question?


No, from what I can see I don't think it is possible to block/hide access to the OU "AADDC Users", for users who are in that OU.

I would be happy if there was a solution though.

0 Votes