How to stop extracting/viewing users details from AD

There are several tools/script available for extracting all user information from AD. Any domain users can access this information by default.

For an example, using following attached .vbs script, we can dump entire AD users base to a excel file with following fields.

  ADExport Script (1.8 KiB, 561 hits)

SamAccountName
CN
FirstName
LastName
Initials
Descrip
Office
Telephone
Email
WebPage
Addr1
City
State
ZipCode
Title
Department
Company
Manager
Profile
LoginScript
HomeDirectory
HomeDrive
Adspath
LastLogin
Primary
SMTP

I think, it is kind of security risk.

This can be block, you just have to follow few steps:

1. You have to create a security group. Here we create blockinfo group

2. Now you have to restrict List Content and Read All Properties on OU where all users are stored and add the normal users into this group.

3. To test, run the above script again, and you will get no output.

With this you can prevent block any reporting tool/script.. 🙂

• Author
• Recent Posts

Follow me

Saugata

Founder at Internet

I am an IT Professional with 13+ years of experience in Windows, Storage, Backup, AWS and Azure. I love writing scripts using PowerShell. I loved to share my experience with rest of the world via this blog. I love my Echo Dot (3G). I love playing with Raspberry Pi.

Follow me

Latest posts by Saugata (see all)

• Mange SOLIDserver EfficientIP IPAM form PowerShell - June 9, 2022
• S3 Bucket Audit Report using AWS PowerShell Script – Secure your S3 Buckets - June 16, 2020
• Do not trust any public VPN service, Create your own Secure SOCKS5 Proxy for just $5 – Be Free 🙂 - May 11, 2020

This work is licensed under a Creative Commons Attribution-NoDerivatives 4.0 International License.