Hide users from being displayed in a 3rd-party application

azureWeirdo 1 Reputation point
2020-09-01T08:31:26.197+00:00

Hi there -

We host several voice servers in our domain - each server hosts a 3rd party voice solution for external customers.

Although this application is configured to see users in the customer's domain perfectly fine, AD users from our domain show up in their user search results.

Here is what I've tried to fix the issue:
Our Users OU in AD > Properties > Security - I've added these application servers in here. For each server, I have set Deny on everything, applying it to all descendant objects. So now if I look at the Security tab on a random user in our domain, I see the application servers, and Deny is ticked for everything.

But still our AD users show up in the customer's voice app.

If anyone has ideas on a way forward here, it would be greatly appreciated.
Thanks

Active Directory

2 answers

  1. Hannah Xiong 6,276 Reputation points
    2020-09-02T03:37:48.243+00:00

    Hello,

    Thank you so much for posting here.

    "Although this application is configured to see users in the customer's domain perfectly fine, AD users from our domain show up in their user search results."

    Sorry that we are not familiar with the third party application. What account will log on to this application? If we do not want this logged account to read the user information, we could try the below from the AD aspect.

    Open the user OU, choose "properties" and then choose "security". Add the logged account or the groups who will log on to the application, and then set Read permission to Deny.

    I am not sure whether it works; we could check. But this configuration will have some side effects in our AD environment. For example, if the accounts log on to another service or application, they will also not have Read permission on the users within the OU.

    Since it is about the third party application, we could also contact the vendor to check how to solve the issue. Thanks so much for your understanding and support.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


  2. azureWeirdo 1 Reputation point
    2020-09-03T21:37:20.48+00:00

    FYI - So the customers are in an external, untrusted domain/forest.

    Digging deeper into this, I believe I know what the issue is:

    Take this scenario - On the Users OU, I explicitly Deny the application server Full Control (all descendant objects).

    When I run the Effective Access for the server's computer object, and select a user (that sits under the above mentioned Users OU) there are a whole heap of read permissions ticked, mostly relating to Exchange attributes. ("Read All Properties" has a tick).

    So even though we are explicitly denying the server Full control on the Users OU, it is inheriting the above from somewhere.

    The only change I've made in the environment recently is extending the AD schema for Exchange 2016 (I did this to get a Hide from GAL attribute for Azure AD Connect - we don't have Exchange on-premises - I just wanted this one attribute). I'm now thinking this is what is causing this issue.

    Are you able to clarify what permissions/inheritance changes are enforced when the schema is extended for Exchange 2016 please?

    Where is this inheritance coming from?

    Thanks
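
One way to answer "where is this inheritance coming from?" is to dump the DACL of one affected user and mark every read ACE that applies to the server's computer account, directly or through any group in its token, with the property-set GUIDs resolved to names. The script below is an added example and is not code from the thread or from Microsoft; it uses the ActiveDirectory PowerShell module, and the user DN and computer account name are assumed placeholders.

```powershell
# Added example, not from the thread. Lists every ACE on a user object that
# grants or denies read access and marks the ones that apply to a given computer
# account, directly or through any group in its token. The DN and account name
# below are assumed placeholders; replace them with your own values.
Import-Module ActiveDirectory

$userDn = 'CN=Jane Doe,OU=Users,DC=corp,DC=example'   # assumed: a user under the Users OU
$server = 'VOICE01$'                                   # assumed: the voice server's computer account

# SIDs in the computer's access token: its own SID, every nested group from the
# constructed attribute tokenGroups, plus well-known SIDs it always carries.
$computer  = Get-ADComputer -Identity $server -Properties tokenGroups
$tokenSids = @($computer.SID.Value) +
             @($computer.tokenGroups | ForEach-Object { $_.Value }) +
             @('S-1-1-0', 'S-1-5-11')   # Everyone, Authenticated Users

# Map schema GUIDs and extended-rights GUIDs to names so that property-set ACEs
# (the kind Exchange schema prep adds) print as a name instead of a bare GUID.
$rootDse   = Get-ADRootDSE
$guidNames = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidNames[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidNames[[guid]$_.rightsGuid] = $_.displayName }

function Resolve-Guid([guid]$g) {
    if ($g -eq [guid]::Empty)       { return '<all properties>' }   # "Read All Properties"
    if ($guidNames.ContainsKey($g)) { return $guidNames[$g] }       # single property or property set
    return $g.ToString()
}

$acl = Get-Acl -Path "AD:\$userDn"
$acl.Access |
    Where-Object { $_.ActiveDirectoryRights -match 'ReadProperty|GenericRead|GenericAll' } |
    ForEach-Object {
        # Trustee as a SID so it can be matched against the token; fall back to the name.
        $sid = $_.IdentityReference.Value
        try { $sid = $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { }
        [pscustomobject]@{
            AppliesToServer = $tokenSids -contains $sid
            Type            = $_.AccessControlType        # Allow / Deny
            Inherited       = $_.IsInherited              # $false = set directly on this user
            Trustee         = $_.IdentityReference.Value
            Rights          = $_.ActiveDirectoryRights
            Property        = Resolve-Guid $_.ObjectType  # what the ACE covers
            InheritFlags    = $_.InheritanceType
        }
    } |
    Sort-Object AppliesToServer, Inherited -Descending |
    Format-Table -AutoSize
```

Read the output with the DACL evaluation order in mind: explicit Deny, then explicit Allow, then inherited Deny, then inherited Allow, with ACEs inherited from a nearer container ahead of those from a farther one. An Allow row with Inherited = False, or one inherited from a sub-OU under the Users OU, therefore wins over the Deny that is inherited from the Users OU, which is consistent with Effective Access still showing Read All Properties. Two checks before trusting the result: confirm which account the application actually binds to LDAP with, since a service account rather than the computer account would need to be substituted for $server (use Get-ADUser in place of Get-ADComputer); and note that tokenGroups reflects the computer object's own group memberships, so groups that get their members through a well-known SID such as Authenticated Users (Pre-Windows 2000 Compatible Access, for example) should be checked by hand.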

