March 3, 2011, 1:57 p.m.
posted by trystan
Enabling List Object Access Mode
You want to prevent any authenticated user from being able to browse the contents of Active Directory by default. Enabling List Object Access mode means that users will need explicit permissions to see directory listings of containers.
Using a graphical user interface
```vbscript
On Error Resume Next   ' necessary if dSHeuristics is not already set
' This code enables or disables list object mode for a forest.
' ------ SCRIPT CONFIGURATION ------
boolEnableListObject = 1   ' e.g. 1 to enable, 0 to disable
' ------ END CONFIGURATION ---------
set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject( _
    "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
    & objRootDSE.Get("configurationNamingContext") )
strDSH = objDS.Get("dSHeuristics")   ' Empty if the attribute has never been set
' Pad to two characters so the list object flag always lands in position 3,
' even when the attribute is unset or holds a single character.
do while len(strDSH) < 2
    strDSH = strDSH & "0"
loop
strNewDSH = Left(strDSH, 2) & boolEnableListObject
if len(strDSH) > 3 then
    ' keep any flags that follow the list object character
    strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 3)
end if
WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH
if strDSH <> strNewDSH then
    objDS.Put "dSHeuristics", strNewDSH
    objDS.SetInfo
    WScript.Echo "Successfully set list object mode to " & _
        boolEnableListObject
else
    WScript.Echo "List object mode already set to " & boolEnableListObject
end if
```
List Object Access mode is useful if you want your users to view only a subset of objects when doing a directory listing of a particular container, or you do not want them to be able to list the objects in a container at all. By default, the Authenticated Users group is granted the List Contents access control right over objects in a domain. If you remove or deny this right on a container by modifying the ACL, users will not be able to get a listing of the objects in that container using tools such as ADUC or ADSI Edit.
To limit the objects that users can see when they pull up an object listing, you first need to enable List Object Access mode as described in the solution. You should then remove the List Contents access control right on the target container. Lastly, you'll need to grant the List Object right to the objects that the users or groups should be able to list.
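The three steps above in PowerShell, added here as an example rather than taken from the recipe. It assumes the ActiveDirectory module and the AD: drive it provides, and uses placeholder names ($TargetOU, $ViewerGroup, $VisibleObjects) that you replace with your own; it also places a non-inherited List Object ACE on the container itself, which in my understanding the mode checks alongside the right on each child.

```powershell
# Added example, not the recipe's code. Placeholders below are constructed values.
Import-Module ActiveDirectory

$TargetOU       = 'OU=Hosted,DC=example,DC=com'               # placeholder container
$ViewerGroup    = 'HostedTenantViewers'                       # placeholder group
$VisibleObjects = @('CN=Alice,OU=Hosted,DC=example,DC=com')   # placeholder children

# Step 1: set character 3 of dSHeuristics (fDoListObject) without clobbering the rest.
function Get-DSHeuristicsWithListObject {
    param([string]$Current, [bool]$Enable)
    $padded = $Current.PadRight(3, '0')      # also covers an unset attribute ('')
    $flag   = if ($Enable) { '1' } else { '0' }
    return $padded.Substring(0, 2) + $flag + $padded.Substring(3)
}
$dsObject = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
            (Get-ADRootDSE).configurationNamingContext
$current  = (Get-ADObject -Identity $dsObject -Properties dSHeuristics).dSHeuristics
$wanted   = Get-DSHeuristicsWithListObject -Current $current -Enable $true
if ($wanted -ne $current) {
    Set-ADObject -Identity $dsObject -Replace @{ dSHeuristics = $wanted }
}

# Step 2: take List Contents (ListChildren) away from Authenticated Users on the
# container. Removing the bit instead of adding a Deny ACE matters: admins are
# Authenticated Users too, and an explicit Deny would hide the container from them.
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$authUsers    = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$listContents = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $authUsers, ([System.DirectoryServices.ActiveDirectoryRights]::ListChildren), $allow
$ouAcl = Get-Acl -Path "AD:\$TargetOU"
[void]$ouAcl.RemoveAccessRule($listContents)   # strips only the ListChildren bit from matching ACEs
Set-Acl -Path "AD:\$TargetOU" -AclObject $ouAcl

# Step 3: grant List Object (this object only, not inherited) to the viewer group on
# the container and on each object it may see; other children stay hidden from it.
$viewers    = (Get-ADGroup -Identity $ViewerGroup).SID
$listObject = New-Object System.DirectoryServices.ActiveDirectoryAccessRule `
    -ArgumentList $viewers, ([System.DirectoryServices.ActiveDirectoryRights]::ListObject), $allow
foreach ($dn in @($TargetOU) + $VisibleObjects) {
    $acl = Get-Acl -Path "AD:\$dn"
    $acl.AddAccessRule($listObject)
    Set-Acl -Path "AD:\$dn" -AclObject $acl
}
```

Test against a copy of the OU first and compare `(Get-Acl "AD:\$TargetOU").Access` before and after, since the ACL change is the part that actually hides objects.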
Enabling List Object Access mode can significantly increase the administration overhead for configuring ACLs in Active Directory. It can also impact performance on a domain controller since it will take considerably more time to verify ACLs before returning information to a client.
While we discussed error handling in Chapter 1, this script actually requires the On Error Resume Next statement in order to function. Without it, the script will throw an error when the dSHeuristics attribute has never been set, because the Get call fails on an attribute with no value.
MSDN: Controlling Object Visibility and Microsoft's High-Volume Hosting Site at http://www.microsoft.com/serviceproviders/deployment/hvh_ad_deploy.asp