Enabling List Object Access Mode

Enabling List Object Access Mode


You want to prevent any authenticated user from being able to browse the contents of Active Directory by default. Enabling List Object Access mode means that users will need explicit permissions to see directory listings of containers.


Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services cn=Windows NT cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value 001. If the attribute has an existing value, make sure the third digit (from the left) is set to 1.

  6. Click OK twice.

Using VBScript
	On Error Resume Next ' necessary if dsHeuristics is not
	                     ' already set

	' This code enables or disables list object mode for a forest.
	boolEnableListObject = 1 ' e.g. 1 to enable, 0 to disable
	' ------ END CONFIGURATION --------

	set objRootDSE = GetObject("LDAP://RootDSE")
	set objDS = GetObject( _
	                "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
	                & objRootDSE.Get("configurationNamingContext") )
	strDSH = objDS.Get("dSHeuristics")
	if len(strDSH) = 1 then
	   strDSH = strDSH & "0"
	end if
	strNewDSH = Left(strDSH,2) & boolEnableListObject
	if len(strDSH) > 3 then
	   strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 3)
	end if

	WScript.Echo "Old value: " & strDSH
	WScript.Echo "New value: " & strNewDSH

	if strDSH <> strNewDSH then
	   objDS.Put " 
dSHeuristics", strNewDSH
	   WScript.Echo "Successfully set list object mode to " & _
	   WScript.Echo "List object mode already set to " & boolEnableListObject
	end if


List Object Access mode is useful if you want your users to view only a subset of objects when doing a directory listing of a particular container, or you do not want them to be able to list the objects in a container at all. By default, the Authenticated Users group is granted the List Contents access control right over objects in a domain. If you remove or deny this right on a container by modifying the ACL, users will not be able to get a listing of the objects in that container using tools such as ADUC or ADSI Edit.

To limit the objects that users can see when they pull up an object listing, you first need to enable List Object Access mode as described in the solution. You should then remove the List Contents access control right on the target container. Lastly, you'll need to grant the List Object right to the objects that the users or groups should be able to list.

Enabling List Object Access mode can significantly increase the administration overhead for configuring ACLs in Active Directory. It can also impact performance on a domain controller since it will take considerably more time to verify ACLs before returning information to a client.

Using VBScript

While we discussed error handling in Chapter 1, this script actually requires the On Error Resume Next command in order to function. This is because, without this line in place, the script will throw an error if the dsHeuristics attribute is not set.

See Also

MSDN: Controlling Object Visibility and Microsoft's High-Volume Hosting Site at http://www.microsoft.com/serviceproviders/deployment/hvh_ad_deploy.asp

 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows