Author Topic: How to set up ACLs against Organizational Units  (Read 1629 times)

Mr. Crux

How to set up ACLs against Organizational Units
« on: May 22, 2019, 11:02:45 am »
Hello,

I've looked for a solution/answer for several days, but I did not find one (maybe I searched badly ...).

Introduction
Domain: Zentyal 6.0.1 DE (all updates available from the web console are installed)
Client: Windows Server 2016, Server 2012R2, Server 2008

AD Container 1: TEST_OU_01 (OU=TEST_OU_01,DC=zentyal,DC=local)
AD Container 2: TEST_OU_02 (OU=TEST_OU_02,DC=zentyal,DC=local)
AD Group 1: TEST_GROUP_01 (CN=TEST_GROUP_01,OU=TEST_OU_01,DC=zentyal,DC=local)
Members:
AD User 1: TEST_USER_01 (non-Admin) (CN=TEST_USER_01,OU=TEST_OU_01,DC=zentyal,DC=local)
AD User 2: TEST_USER_02 (non-Admin) (CN=TEST_USER_02,OU=TEST_OU_01,DC=zentyal,DC=local)

AD Group 2: TEST_GROUP_02 (CN=TEST_GROUP_02,OU=TEST_OU_02,DC=zentyal,DC=local)
Members:
AD User 3: TEST_USER_AA (non-Admin) (CN=TEST_USER_AA,OU=TEST_OU_02,DC=zentyal,DC=local)
AD User 4: TEST_USER_BB (non-Admin) (CN=TEST_USER_BB,OU=TEST_OU_02,DC=zentyal,DC=local)

ADSI configuration
TEST_OU_01
- Removed "Everyone" and "Authenticated Users"
- TEST_GROUP_01 Allow (Read), Deny (All other)

TEST_OU_02
- Removed "Everyone" and "Authenticated Users"
- TEST_GROUP_02 Allow (Read), Deny (All other)


When TEST_USER_01 logs on to a client PC and runs "AD Users and Computers", he can't see TEST_OU_02 or its content.
But when TEST_USER_01 opens cmd and executes the command:

    net group /domain

the user can see all groups (TEST_GROUP_01 and TEST_GROUP_02).

    net user /domain

The user can see all users (TEST_USER_01-02, TEST_USER_AA-BB).


When I perform these actions in a valid MS domain, the user TEST_USER_01 does not have access to TEST_OU_02 or its content (neither via RSAT, nor net, nor dsquery, etc.).


Desired result
Allow (or deny) certain users access to specific OUs.
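The ADSI Edit steps from the post, expressed as a script so the resulting DACL is reproducible and can be checked over both the LDAP path (RSAT / dsquery) and the SAM-R path (net user / net group) the post compares. This is an added example, not code from the post or from Zentyal; it assumes the RSAT ActiveDirectory module on a domain-joined Windows client, an account that holds Write DACL on the OU, and the OU, group and user names listed above. The Deny ACE mirrors the post's "Deny (All other)" setting; remember that a Deny ACE always wins over an Allow, so it must not include the read rights you are granting.

```powershell
# Added example (not from the post): restrict OU=TEST_OU_02 so that only
# members of TEST_GROUP_02 can read it, then verify from a non-member session.
# Assumes the RSAT ActiveDirectory module and the AD: PSDrive it provides.
Import-Module ActiveDirectory

$ouDn  = 'OU=TEST_OU_02,DC=zentyal,DC=local'      # from the post
$group = Get-ADGroup -Identity 'TEST_GROUP_02'    # from the post
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

$acl = Get-Acl -Path "AD:\$ouDn"

# 1. Remove the explicit ACEs for Everyone (S-1-1-0) and Authenticated Users
#    (S-1-5-11), which is what "Removed Everyone and Authenticated Users" in
#    ADSI Edit does. PurgeAccessRules only touches non-inherited ACEs.
foreach ($wellKnown in 'S-1-1-0', 'S-1-5-11') {
    $acl.PurgeAccessRules([System.Security.Principal.SecurityIdentifier]$wellKnown)
}

# 2. Allow TEST_GROUP_02 to read the OU and everything beneath it.
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$allowRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $inherit)
$acl.AddAccessRule($allowRead)

# 3. The post's "Deny (All other)" for the same group: deny the write-type
#    rights only. Denying GenericAll here would override the Allow above,
#    because Deny ACEs are evaluated before Allow ACEs.
$denyRights = [System.DirectoryServices.ActiveDirectoryRights]'GenericWrite, Delete, DeleteTree, WriteDacl, WriteOwner'
$denyWrite = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $denyRights,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $inherit)
$acl.AddAccessRule($denyWrite)

Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# 4. Show the explicit DACL that was written, resolved to account names.
(Get-Acl -Path "AD:\$ouDn").GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
    Format-Table -AutoSize

# 5. Verification. Run the following in a session logged on as TEST_USER_01
#    (not a member of TEST_GROUP_02). Over LDAP the OU should yield nothing or
#    an access error; the net commands go through SAM-R, which is the path the
#    post found to behave differently, so compare their output side by side.
#
#   Get-ADObject -SearchBase 'OU=TEST_OU_02,DC=zentyal,DC=local' -Filter * -ErrorAction SilentlyContinue
#   dsquery * "OU=TEST_OU_02,DC=zentyal,DC=local" -scope subtree
#   net group /domain
#   net user /domain
```

Run step 5 once more as TEST_USER_AA (a member of TEST_GROUP_02) to confirm the Allow ACE still grants read; if that account also gets an access error, the Deny mask in step 3 overlaps the read rights and needs trimming.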