5.1.3.3.6 Checking Object Visibility


An object in Active Directory is considered to be "visible" to a requester if the requester can see the name of the object and thus learn of its existence, even if the requester can see no other attributes of the object. The default behavior of Active Directory with respect to making objects visible to a requesting principal is as follows:

  • If a user is granted the RIGHT_DS_LIST_CONTENTS access right on a container, all child objects of that container are visible to the user.

  • Otherwise (if a user is not granted the RIGHT_DS_LIST_CONTENTS access right on a container), no child object of that container is visible to the user. This allows the contents of entire containers to be hidden.

However, Active Directory can optionally be put into a special mode, called the "List Object" mode. Active Directory is put into the "List Object" mode by setting the third character of dSHeuristics (section 6.1.1.2.4.1.2) to the value "1". The mode is disabled by setting the same character to the value "0". The default setting is "0".

In "List Object" mode, a requester is allowed to selectively view specific child objects of a container while other child objects remain hidden. In this mode, an object is visible if the user has been granted the RIGHT_DS_LIST_CONTENTS right on the parent object. If, however, the user does not have that right on the parent, then the object is visible if the user is granted the RIGHT_DS_LIST_OBJECT right on both the object and its parent.

In summary, an object is not visible to a requester if:

  • The object is not the root object of an NC replica, and

  • The requester lacks the RIGHT_DS_LIST_CONTENTS right on the object's parent, and

  • "List Object" mode is not set (as described above), or the requester does not hold the RIGHT_DS_LIST_OBJECT right on both the object and its parent.
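The three-part rule above, modelled as an added Python example (not code from the specification). The object DNs, the requester's effective rights and the dSHeuristics values are constructed; resolving ACEs to effective rights is assumed to have happened already.

```python
from typing import Dict, List, Optional, Set

# Access rights named in the rule (string tags stand in for the ACE bits).
RIGHT_DS_LIST_CONTENTS = "RIGHT_DS_LIST_CONTENTS"
RIGHT_DS_LIST_OBJECT = "RIGHT_DS_LIST_OBJECT"

# Constructed effective rights of one requester, keyed by object DN.
SAMPLE_RIGHTS: Dict[str, Set[str]] = {
    "OU=Staff,DC=example,DC=test": {RIGHT_DS_LIST_CONTENTS},
    "OU=Secret,DC=example,DC=test": {RIGHT_DS_LIST_OBJECT},
    "CN=ServiceA,OU=Secret,DC=example,DC=test": {RIGHT_DS_LIST_OBJECT},
    # CN=ServiceB under OU=Secret: no rights granted at all.
}

def list_object_mode(ds_heuristics: str) -> bool:
    """The mode is on when the third character of dSHeuristics is "1".
    A missing or shorter value leaves that character at its default, "0"."""
    return len(ds_heuristics) >= 3 and ds_heuristics[2] == "1"

def is_visible(obj: str, parent: Optional[str], rights: Dict[str, Set[str]],
               ds_heuristics: str = "") -> bool:
    """An object is hidden only if it is not an NC root, the requester lacks
    List Contents on the parent, and List Object mode does not rescue it with
    List Object on both the object and its parent."""
    if parent is None:                      # root object of an NC replica
        return True
    parent_rights = rights.get(parent, set())
    if RIGHT_DS_LIST_CONTENTS in parent_rights:
        return True                         # default behaviour: container listable
    if not list_object_mode(ds_heuristics):
        return False                        # default behaviour: container hidden
    return (RIGHT_DS_LIST_OBJECT in parent_rights
            and RIGHT_DS_LIST_OBJECT in rights.get(obj, set()))

def visible_children(parent: str, children: List[str], rights: Dict[str, Set[str]],
                     ds_heuristics: str = "") -> List[str]:
    """Names the requester would learn when enumerating `parent`."""
    return [c for c in children if is_visible(c, parent, rights, ds_heuristics)]

SECRET = "OU=Secret,DC=example,DC=test"
SECRET_CHILDREN = ["CN=ServiceA," + SECRET, "CN=ServiceB," + SECRET]

if __name__ == "__main__":
    # Default mode (dSHeuristics "000"): List Object rights alone reveal nothing.
    print(visible_children(SECRET, SECRET_CHILDREN, SAMPLE_RIGHTS, "000"))
    # List Object mode (third character "1"): only ServiceA becomes visible.
    print(visible_children(SECRET, SECRET_CHILDREN, SAMPLE_RIGHTS, "001"))
```

When auditing an exposure, run the same check with the mode flag both ways: a container that looks fully hidden under the default "0" can selectively reveal children once dSHeuristics is changed.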