Stop users from seeing other users in AD (AADDC Users OU)

JMH 1 Reputation point
2020-03-04T07:07:49.03+00:00

All users synced from Azure AD to AADDS go in a single OU: AADDC Users

I don't want users in this OU to be able to browse/list/find other users in this OU. What is the best way to do this without breaking anything else?

Thanks

Microsoft Entra
0 comments No comments
{count} votes

4 answers

Sort by: Most helpful
  1. AmanpreetSingh-MSFT 56,441 Reputation points
    2020-03-04T11:23:12.53+00:00

    @JMH By default all domain users have read permission on Active Directory objects. Which means, any user can install RSAT tool and browse/list/find other objects. You can move the users to a separate OU and deny read permission on the AADDC Users OU but that can lead to some problems if those users have any link to a user/group in the users container. E.g. if the user has a manager attribute configured with a user account which is in AADDC Users OU or user is a member of a group present in AADDC Users OU. This is not a very common requirement and if it has to be done, it would require a lot of planning and testing.

    -----------------------------------------------------------------------------------------------------------

    Please "Accept as answer" wherever the information provided helps you to help others in the community.

    1 person found this answer helpful.
    0 comments No comments

  2. JMH 1 Reputation point
    2020-03-05T06:33:43.48+00:00

    A couple of issues here:

    • I can't move users out of AADDC as I am syncing these users from Azure AD for use of Windows Virtual Desktop, and this is the only OU they can sync to
    • Permissions can't be edited on the AADDC OU (as far as I know)

    The main issue I am having is that a 3rd party app is able to browse AD, and I don't want the users to use this functionality and see other (confidential) users in the OU . I don't think there is much that can be done in AD or Group Policy due to the restrictions with AADDC OU, at least from what I have seen so far. So it may just be that we need the 3rd party app updated, so that users cannot browse AD there.

    0 comments No comments

  3. Rexists 1 Reputation point
    2020-03-31T10:37:31.903+00:00

    Hi, did you find an answer to your original question?


  4. Art Castellanos 1 Reputation point
    2020-12-14T22:15:54.517+00:00

    @JMH
    I'm not sure if this exactly what you are asking to do but take a look at this article from TechNet

    28241.controlling-object-visibility-deny-list-content.aspx

    0 comments No comments