There are several tools/script available for extracting all user information from AD. Any domain users can access this information by default.
For an example, using following attached .vbs script, we can dump entire AD users base to a excel file with following fields.
ADExport Script (1.8 KiB, 368 hits)
I think, it is kind of security risk.
This can be block, you just have to follow few steps:
1. You have to create a security group. Here we create blockinfo group
2. Now you have to restrict List Content and Read All Properties on OU where all users are stored and add the normal users into this group.
3. To test, run the above script again, and you will get no output.
With this you can prevent block any reporting tool/script.. 🙂
Disclaimer: All posts and opinions on this site are provided AS IS with no warranties. These are my own personal opinions and do not represent my employer’s view in any way.
This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.