Q. We're running a shared Active Directory (AD) in a hosting solution where different organizations share the same AD domain. In our environment, it's important to ensure that only an organization’s authorized administrators can access the AD information and configuration settings of their organization.
For that purpose, we created different AD administrator groups (called Admins_CompanyA, Admins_CompanyB, and so on). How can we make sure that only the authorized administrator group for a given organization can view the content of its organization’s OU (called for example CompanyA, CompanyB, CompanyC)? The organization’s OUs are created underneath a parent OU called UserAccounts.
A. AD has four Read permissions: List Contents, Read All Properties, Read Permissions and List Object. The first three are enabled and visible by default. List Object isn't visible or enabled by default.
The List Contents permission normally lists all immediate child objects. With the List Object permission enabled, AD has the ability to hide objects that are returned by the List Contents function. The List Object permission isn't active or visible in AD's ACL editor until the List Object mode in the forest has been enabled. Once the feature is enabled, a new permission, List Object, will appear in an AD object's ACL Editor.
The concept of the List Object permission is quite simple. Without it, when a user queries a container's contents in AD, AD doesn't evaluate the permissions of any objects underneath the container object (such as an OU). If the user hasn't been granted the List Contents permission on the OU, no child objects are returned to the user from AD. And once the user has been granted the List Contents permission on the OU, AD will return all child objects of that OU to the user—no matter whether or not the user has read permission or is even denied access to the child object.
With List Object mode enabled, administrators can remove or deny the List Contents permission on a parent container and AD will still process the permissions on the child objects of the container to check if the user has been granted the List Object permission on any child object. If so, AD will add the object to the result set. If not, the object will be omitted.
List Object permissions are ideally suited for situations where users aren't supposed to see certain objects in AD at all. They're typically used on OUs to fully remove their visibility for all OU administrators, except for the ones responsible to manage that particular OU. The List Object permission is mostly helpful in outsourcing environments, like the one you refer to in your question.
Within an organization, the List Object permission is often used to hide security-sensitive objects, such as admin accounts, from unauthorized users, mainly to limit the potential for DOS attacks against these accounts.
To enable AD's List Object mode, you must edit a property of the Directory Services object in the configuration container of AD. This will replicate to all other domain controllers in the forest and notify them of the change. It's not possible to activate the mode on a per-domain basis.
You can activate List Object mode by setting the third character of the DSHeuristics property on the Directory Service object to 1. If the DSHeuristics property hasn't been set with other values, set it to 001. (If the first two characters are already set to non-zero values, leave them as they are.) The Directory Service object is located at cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, dc=ForestRootDomain. To set Active Directory to List Object, you can use the ADSIEdit MMC tool.
In your example, you should follow these steps to enable only authorized users (members of the groups Admins_CompanyX) to view their respective OUs (CompanyA, CompanyB, CompanyC) underneath a parent OU called UserAccounts:
1. Remove the default List Contents permission for Authenticated Users from the UserAccounts OU (so that permissions of child objects are evaluated).
2. Remove the default List Object permission for Authenticated Users from all Company OUs to hide visibility of Company OUs themselves. In addition, AD will remove List Contents from the OU to hide the objects within them (so that they're also not returned via an LDAP query).
3. Grant the List Object and List Contents permission for each Admins_CompanyX group on the respective Company OU.
In summary, the most important things to remember when working with the List Object mode in AD are:
- List Object mode can only be enabled for a whole AD forest—it's not possible to enable it per domain.
- To use the List Object permission on child objects, the List Contents permission for Authenticated Users should be removed from the respective parent container. If a user is granted the List Contents permission on a container object, the objects inside will be visible no matter what the underlying List Object permissions of the child objects are.