Wednesday 30 July 2008

Active Directory “List Object Mode”

Active Directory normally exposes three READ permissions: List Contents, Read All Properties and Read Permissions. These cover most of Active Directory's read-related access checks. There is, however, a fourth READ permission that is not enabled by default: List Object.

The List Contents permission on a container normally lets a user enumerate all of its immediate child objects. Once List Object mode is enabled, Active Directory can hide individual child objects from that enumeration, so a user only sees the objects they have been granted List Object on.

Why is this useful?

In the shared Active Directory configuration of a multi-tenancy hosting solution, different organizations share the same domain. In this shared hosting environment, it is important to ensure that only authorized users can access the information and configuration settings for a given organization.

To set Active Directory to List Object mode, open ADSIEdit.msc. Expand the Configuration container, then CN=Services, then CN=Windows NT. Right-click Directory Service and click Properties. Change the dsHeuristics attribute to 001.
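The same change scripted from PowerShell, as an added example that is not part of the original post. It assumes the RSAT ActiveDirectory module and rights to modify the Directory Service object; dsHeuristics is a positional string in which the third character (fDoListObject) enables List Object mode, so the script sets only that position and leaves any other positions already configured intact, then re-reads the attribute to confirm.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory
# module (RSAT) is installed and the caller may modify the Directory Service
# object under CN=Windows NT,CN=Services in the Configuration partition.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext
$dsDN = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

$obj = Get-ADObject -Identity $dsDN -Properties dsHeuristics
$current = [string]$obj.dsHeuristics   # empty string when the attribute is unset

# dsHeuristics is a string of single-character flags. Position 3 (index 2)
# is fDoListObject. Pad with "0" so a short or empty value is handled, and
# change only index 2 so other flags the domain already relies on survive.
$chars = $current.PadRight(3, '0').ToCharArray()
if ($chars[2] -eq '1') {
    Write-Host "List Object mode already enabled (dsHeuristics = '$current')."
} else {
    $chars[2] = '1'
    $new = -join $chars
    Set-ADObject -Identity $dsDN -Replace @{ dsHeuristics = $new }
    Write-Host "dsHeuristics changed from '$current' to '$new'."
}

# Verify: re-read the attribute and check the third character.
$check = [string](Get-ADObject -Identity $dsDN -Properties dsHeuristics).dsHeuristics
if ($check.PadRight(3, '0')[2] -eq '1') {
    Write-Host "List Object mode is enabled."
} else {
    Write-Warning "List Object mode is NOT enabled; check rights and replication."
}
```

Enabling the flag only changes how access checks are evaluated; objects remain visible until the List Contents and List Object ACEs on the relevant containers and children are adjusted for each tenant.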
