Problem solve Get help with specific problems with your technologies, process and projects.

Can access to the AD 'user object' be blocked?

I have a Windows 2000 domain with 40 clients. Some users create the folders on their local system and give rights to the domain users, which I don't want. Is it possible to block a user/group access to the "user object" of Active Directory so that domain users will not appear in the list when they are assigning rights to a folder?
It's not a good idea to allow local users to "share" folders at all. If they cannot share folders, then the permissions they set locally are not important.

Have you looked into using the Creator Owner group on the folder where users are allowed to create files? In other words, if users are given the right to create a file they become its owner, so you could use this permission to deny them the ability to set permissions.

Are users' administrators on their desktops? If so, they can fix the above and change permissions on folders.

It is possible to set permissions on the domain user object in AD, but I don't think you want to do so. This could have unintended consequences.

In summary, best practices are to not make users administrators and not allow local folders to be shared.

Dig Deeper on Windows 10 security and management

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

You will be able to add details on the next page.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.