Restrict LDAP access to OU
Hi,


I have a situation where my company is going to use an application (across a dedicated WAN link) located at another company's site. The two companies are joined by a dedicated WAN link that is not Internet facing. When a user in my company accesses the application (Web based), they will use their existing AD credentials; this application at the other company will perform an LDAP referral/relay to my Active Directory and authenticate...

I don't want the other company to have the ability to query my entire AD, only the OU where the user accounts are located.

Is there any way to restrict access to Active Directory via LDAP to only a specific OU where the user accounts in the OU will be queried?

Thanks

S
March 25th, 2015 3:58pm

> Yes, add a deny Read permissions access control entry on all other
> OUs for the account which is used to perform LDAP query.

Deny Read on OUs is NOT sufficient. You need to either deny read for ALL other objects (including users, groups and so on) or remove authenticated users (and clear out pre-W2K compatible access) or enable List Object Mode.

Without List Object Mode, AD allows path traversal and does not check ACLs on parent containers. So if I access an object directly and have read permissions on that object, I can read it - regardless of any "deny read" on the containing OU.
March 26th, 2015 6:49am

Hi Martin,

I agree with you, that's why the ACE needs to be configured at the scope "This object and all descendant objects".

Best Regards,

March 26th, 2015 9:19pm
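The two replies above describe the fix in words: a deny on the OU object alone is bypassed by addressing a child object directly by DN, so the deny ACE has to be inherited by all descendants, or List Object mode has to be turned on. The PowerShell below is an added example, not code from the original thread or from any of the posters. It assumes names that are not in the thread: a service account svc-partner-ldap that the partner application binds with, an OU=PartnerUsers directly under the domain root as the only OU the partner may read, and a user CN=Alice Example,OU=Finance for the check. Step 1 applies the inherited deny on every other top-level OU and container, step 2 shows the List Object mode alternative, and step 3 verifies from the service account's point of view that the direct-by-DN traversal no longer works while the allowed OU is still enumerable.

```powershell
# Added example, not code from the original thread. Assumed names (not from the thread):
#   - service account the partner application binds with: svc-partner-ldap
#   - OU whose user accounts the partner may read:  OU=PartnerUsers, directly under the domain root
#   - a user outside that OU used for the check:    CN=Alice Example,OU=Finance,...
# Requires the RSAT ActiveDirectory module and rights to edit ACLs on the top-level containers
# (and, for step 2, on the Configuration partition).
Import-Module ActiveDirectory

$domainDN  = (Get-ADDomain).DistinguishedName
$allowedOU = "OU=PartnerUsers,$domainDN"
$svcSid    = (Get-ADUser -Identity 'svc-partner-ldap').SID

# 1. Deny read on every other top-level OU and container, scoped to
#    "This object and all descendant objects" (ActiveDirectorySecurityInheritance::All).
#    A deny on the OU object alone is not enough: an object addressed directly by DN is
#    checked only against its own ACL, so the deny has to be inherited by every descendant.
#    GenericRead covers Read Property, List Contents, List Object and Read Permissions.
$deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $svcSid,
            [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
            [System.Security.AccessControl.AccessControlType]::Deny,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

Get-ADObject -SearchBase $domainDN -SearchScope OneLevel -Filter * |
    Where-Object { $_.DistinguishedName -ne $allowedOU } |
    ForEach-Object {
        $path = "AD:\$($_.DistinguishedName)"
        $acl  = Get-Acl -Path $path
        $acl.AddAccessRule($deny)
        Set-Acl -Path $path -AclObject $acl
        Write-Host "Deny GenericRead (inherited to all descendants) set on $($_.DistinguishedName)"
    }

# 2. Alternative route from the thread: List Object mode. dsHeuristics is a string on the
#    Directory Service object in the Configuration NC; its 3rd character set to '1'
#    (fDoListObject) makes AD require List Contents on the parent, or List Object on the
#    child itself, before a directly-addressed child object is returned. Forest-wide setting.
$dsSvc = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$h = (Get-ADObject -Identity $dsSvc -Properties dsHeuristics).dsHeuristics
if (-not $h) { $h = '' }
$h = $h.PadRight(3, '0')                       # keep existing characters, pad to position 3
$h = $h.Substring(0, 2) + '1' + $h.Substring(3) # flip only the 3rd character
Set-ADObject -Identity $dsSvc -Replace @{ dsHeuristics = $h }

# 3. Check from the service account's point of view: read an object outside the allowed OU
#    directly by DN (the traversal the thread describes), then enumerate the allowed OU.
$netbios = (Get-ADDomain).NetBIOSName
$cred    = Get-Credential -UserName "$netbios\svc-partner-ldap" -Message 'Partner LDAP service account'
$dc      = (Get-ADDomainController).HostName

$outside = "CN=Alice Example,OU=Finance,$domainDN"   # assumed test object, not from the thread
try {
    Get-ADObject -Identity $outside -Server $dc -Credential $cred | Out-Null
    Write-Warning "FAIL: $outside is still readable by the service account"
} catch {
    Write-Host "OK: $outside is not readable by the service account"
}

# The application's user lookup still needs the allowed OU, so this must keep working.
$inside = @(Get-ADObject -SearchBase $allowedOU -Filter 'objectClass -eq "user"' -Server $dc -Credential $cred)
Write-Host "Service account can see $($inside.Count) user objects under $allowedOU"
```

Two caveats a practitioner would want: the loop in step 1 only touches the domain partition, so whatever Authenticated Users can read in the Configuration and Schema partitions (and through the Global Catalog) stays readable by the service account, which is why the reply above also mentions removing Authenticated Users and cleaning out Pre-Windows 2000 Compatible Access. And the dsHeuristics change in step 2 is forest-wide and changes what every LDAP client sees, so it belongs in a test forest first.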
