JSI Tip 9433. How can I manage who can see an object in Active Directory?

To prevent a user from viewing the contents of an OU (Organizational Unit) or container, you can remove the List Contents right from that OU or container. Alternatively, you can use the List Object permission to select which individual objects are viewable by specific users or groups.

NOTE: Enabling the List Object functionality adds load to your domain controllers: they must check the permissions on every object in a container, instead of only checking the List Contents right on the container itself.

To enable the List Object functionality:

1. On a domain controller, Start / Run / adsiedit.msc / OK.

2. Expand the CN=Configuration / CN=Services / CN=Windows NT.

3. Right-click CN=Directory Service and press Properties.

4. Double-click the dSHeuristics attribute.

5. If the value is <Not Set>, set it to 001; otherwise change only the 3rd character to 1 and leave the other characters as they are.

6. Press Apply and OK.

7. Close ADSI Edit.
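The same change as steps 1 through 7, scripted with the ActiveDirectory PowerShell module. This is an added example, not part of the original tip: it locates CN=Directory Service under the forest's Configuration naming context (dSHeuristics is a forest-wide setting), pads the value with zeros when it is shorter than three characters, and sets only the 3rd character so that other heuristics already configured in the string are not disturbed. The function name Enable-ListObjectMode is invented for this example.

```powershell
# Added example (not from the JSI tip): enable List Object mode by setting the
# 3rd character of dSHeuristics to 1. Requires the ActiveDirectory module and
# an account allowed to modify the Configuration partition.
Import-Module ActiveDirectory

function Enable-ListObjectMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # CN=Directory Service lives under the forest's Configuration naming context.
    $configNC = (Get-ADRootDSE).configurationNamingContext
    $dsPath   = "CN=Directory Service,CN=Windows NT,CN=Services,$configNC"

    $ds      = Get-ADObject -Identity $dsPath -Properties dSHeuristics
    $current = [string]$ds.dSHeuristics          # empty string when <Not Set>

    # Pad with zeros so the string has at least 3 characters, then set char 3 to 1.
    # Every other position is left untouched; each controls an unrelated heuristic.
    $chars = $current.PadRight(3, '0').ToCharArray()
    if ($chars[2] -eq '1') {
        Write-Verbose "List Object mode already enabled (dSHeuristics = '$current')"
        return $current
    }
    $chars[2] = '1'
    $new = -join $chars

    if ($PSCmdlet.ShouldProcess($dsPath, "Set dSHeuristics '$current' -> '$new'")) {
        Set-ADObject -Identity $dsPath -Replace @{ dSHeuristics = $new }
    }
    return $new
}

# Preview the change first (-WhatIf), then apply it and report what was written.
Enable-ListObjectMode -WhatIf
Enable-ListObjectMode -Verbose
```

Run the -WhatIf call first: it shows the exact before and after value of dSHeuristics without writing anything, which is the check you want before touching a forest-wide attribute.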

If you don't want a user or group to see the entire contents of a container, remove the List Contents permission for that user or group on the container and add the List Object permission to the container instead. Then grant the List Object permission on the specific objects in the container that should remain visible to those users or groups.
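An added PowerShell example (not part of the original tip) of the permission changes just described, using the AD: drive that the ActiveDirectory module provides. In the .NET ActiveDirectoryRights enumeration the List Contents right is called ListChildren and the List Object right is called ListObject. The OU, group and object names below are constructed placeholders, and the function names are invented for this example. The first function reports who currently holds either right on a container, which is worth reviewing before and after the change; the second removes the group's explicit List Contents allow entry on the container, grants List Object there, and then grants List Object on each chosen child object.

```powershell
# Added example (not from the JSI tip): swap List Contents for List Object on a
# container and expose selected child objects. Names below are placeholders.
Import-Module ActiveDirectory

$ListContents = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
$ListObject   = [System.DirectoryServices.ActiveDirectoryRights]::ListObject

# Report every ACE on $DN that grants or denies List Contents or List Object.
function Get-ListRights {
    param([string]$DN)
    $acl = Get-Acl -Path "AD:\$DN"
    $acl.Access |
        Where-Object { $_.ActiveDirectoryRights -band ($ListContents -bor $ListObject) } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
}

function Set-ListObjectVisibility {
    param(
        [string]$ContainerDN,
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [string[]]$VisibleDN
    )

    # Step 1: on the container, drop the group's explicit List Contents allow entry.
    # RemoveAccessRule only affects explicit ACEs; an inherited List Contents entry
    # must be removed at the parent it comes from (or inheritance blocked here).
    $acl = Get-Acl -Path "AD:\$ContainerDN"
    $removeRule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $ListContents, 'Allow')
    $null = $acl.RemoveAccessRule($removeRule)

    # ...and grant List Object so the container itself stays visible to the group.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid, $ListObject, 'Allow')))
    Set-Acl -Path "AD:\$ContainerDN" -AclObject $acl

    # Step 2: grant List Object on each object the group is allowed to see.
    foreach ($dn in $VisibleDN) {
        $objAcl = Get-Acl -Path "AD:\$dn"
        $objAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $Sid, $ListObject, 'Allow')))
        Set-Acl -Path "AD:\$dn" -AclObject $objAcl
    }
}

# Placeholder values for a test forest.
$containerDN = "OU=Finance,DC=example,DC=com"
$groupSid    = (Get-ADGroup "Contractors").SID
$visible     = @("CN=Shared Mailbox,OU=Finance,DC=example,DC=com")

Get-ListRights -DN $containerDN                     # before
Set-ListObjectVisibility -ContainerDN $containerDN -Sid $groupSid -VisibleDN $visible
Get-ListRights -DN $containerDN                     # after: ListObject, no ListChildren
```

Run Get-ListRights on the container before changing anything: if the group's List Contents right arrives through an inherited entry (IsInherited is True), removing it on this container alone has no effect, and List Object mode on the forest (the dSHeuristics change above in the tip) must already be enabled for the per-object List Object permissions to be evaluated at all.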
