While being involved with my company’s Hosted Messaging and Collaboration (HMC) implementation I ran into the Active Directory List Object Access Mode, set through the DS-Heuristics attribute. I decided to give you a little rundown of this mode and the other (default) Active Directory Visibility mode, how they’re different, how to enable (and disable) one or the other and what you can do with them in your environments.
Microsoft’s Solution for Hosted Messaging and Collaboration (HMC) is a multitenant environment that Microsoft partners can use to offer Microsoft Exchange, Microsoft Sharepoint and Microsoft Office Communications Server (OCS) to customers from within a datacenter. The current version is HMC 4.5, offering Exchange 2007 with Service Pack 1, Sharepoint Services 3.0 with Service Pack 1 and Office Communications Server (OCS) 2007.
Hosted Messaging and Collaboration (HMC) can be seen as the partner option to Business Processes Online Services (BPOS), in which Microsoft offers customers access to Exchange Server, Sharepoint Services, Live Meeting Server and (soon) Office Communications Server.
The DS-Heuristics attribute in Active Directory can be used to make global changes to the behavior of Active Directory and its domain controllers throughout the entire Active Directory forest. Settings include the behavior of Ambiguous Name Resolution (ANR) search filters, the capabilities within anonymous LDAP connections, the behavior of the User-Password attribute, the groups protected through AdminSDHolder and, of course, the visibility mode, the subject of this post.
Active Directory Visibility Modes
Within Hosted Messaging and Collaboration (HMC) a hosting provider uses a single Active Directory domain to deliver security services to multiple customers, which the provider facilitates by creating a separate organizational unit (OU) for each client. Since the Service Level Agreement contains a couple of privacy-related clauses, the hosting provider requires that clients not be able to learn of the existence of other clients. The service provider is required to make each customer's OU visible to users of that customer only. In such scenarios organizations need a way to tightly control visibility.
Active Directory offers two visibility modes:
- List Child Access mode
- List Object Access mode
The first mode is the default access mode in Active Directory. Changing the visibility mode to List Object Access mode changes the way security is handled. In the first mode, when a user has the List Child permission on an object in Active Directory, the user can see that object and every object underneath it. In the second mode the user needs to have explicit List Object permissions on each and every object, as well as the List Child permission, to view objects.
By default, the Authenticated Users group is granted the List Contents access control right over objects in a domain. With List Object Access mode enabled, access to other Organizational Units (OUs) can be prohibited, so users from one company (represented by an OU in the shared Active Directory) can only see users from their own company. To achieve this, remove the List Contents access permission on the containers of other companies and grant the List Object permission on the objects that the users or groups should be able to list.
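The permission changes described above, as an added PowerShell example that is not part of the original post: it removes List Contents and List Object for Authenticated Users from one tenant's OU and grants both rights to that tenant's own group. It assumes the ActiveDirectory module (AD: drive); $TenantOu and $TenantGroup are placeholders for your own values.

```powershell
# Added example (not from the original post): restrict one tenant's OU so that, in
# List Object Access mode, only that tenant's own group can list it.
# Assumes the ActiveDirectory module (AD: drive); $TenantOu and $TenantGroup are
# placeholders for your own OU and group.
Import-Module ActiveDirectory

$TenantOu    = 'OU=CustomerA,OU=Hosting,DC=example,DC=com'   # placeholder
$TenantGroup = 'EXAMPLE\CustomerA-Users'                     # placeholder

$rights   = [System.DirectoryServices.ActiveDirectoryRights]
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$sidType  = [System.Security.Principal.SecurityIdentifier]
$listMask = $rights::ListChildren -bor $rights::ListObject   # List Contents + List Object

$authUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'
$tenantSid = (New-Object System.Security.Principal.NTAccount $TenantGroup).Translate($sidType)

$acl = Get-Acl -Path "AD:\$TenantOu"

# 1. Subtract List Contents and List Object from every explicit Authenticated Users
#    ACE on the OU, keeping that ACE's other rights and inheritance scope as they are.
#    Inherited ACEs cannot be edited here: remove them on the parent that defines
#    them, or block inheritance on this OU.
$acl.Access |
    Where-Object { -not $_.IsInherited -and
                   $_.IdentityReference.Translate($sidType) -eq $authUsers -and
                   ($_.ActiveDirectoryRights -band $listMask) -ne 0 } |
    ForEach-Object {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $authUsers, ($_.ActiveDirectoryRights -band $listMask),
            $_.AccessControlType, $_.InheritanceType)
        [void]$acl.RemoveAccessRule($rule)
    }

# 2. Grant the tenant's own group List Object plus List Contents on the OU and
#    everything beneath it; in List Object mode a user needs both to see objects.
$grant = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $tenantSid, $listMask, $allow, $inherit::All)
$acl.AddAccessRule($grant)

Set-Acl -Path "AD:\$TenantOu" -AclObject $acl

# Verify: re-read the DACL and list the ACEs that still carry either list right.
(Get-Acl -Path "AD:\$TenantOu").Access |
    Where-Object { ($_.ActiveDirectoryRights -band $listMask) -ne 0 } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

Run it against a test OU first and compare the verification output before and after; any List Contents right that still shows up as IsInherited has to be dealt with on the parent container.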
Changing the Visibility Mode
To enable List Object Access Mode perform the following steps:
- Log on to a Domain Controller using an account that is a member of the Domain Administrators group.
- On Windows Server 2003 install the Windows Server 2003 Support Tools, available on the Windows Server 2003 Server CD.
- On the taskbar, click Start, point to Run, type MMC, and then press Enter.
- Click File, and then click Add/Remove Snap-in.
- Click Add, select ADSI Edit, and then click Add.
- Click Close, and then click OK.
- In the Select a well known Naming Context drop-down box, select Configuration, and then click OK.
- Expand Adsiedit.
- Expand Configuration.
- Expand CN=Configuration, DC=YourDomainName, DC=YourTLD.
- Expand CN=Services and CN=Windows NT.
- Right-click Directory Service, and then click Properties.
- Select the dsHeuristics attribute, and then click Edit.
You can now change the value to your desired mode, by editing the third character of the value.
| Visibility Mode | Value |
| --- | --- |
| List Child Access mode (default) | 0 |
| List Object Access mode | 1 |

The dsHeuristics value sets a couple of behaviors. By editing the third character of the Directory string you set the Visibility Mode. When the third character is 0 or absent (by default the value for dsHeuristics is 0, and thus the third character is absent) the Visibility Mode is List Child Access mode, the default; setting the third character to 1 enables List Object Access mode.
When done click OK twice and close the MMC.
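The same change scripted in PowerShell, as an added example that is not part of the original post. It edits only the third character of dsHeuristics, so any other positions already set in the string (ANR, anonymous LDAP and so on) are preserved, and it handles the absent or short value the text mentions. It assumes the ActiveDirectory module and a Domain Admins account; Set-AdVisibilityMode is a function name chosen here.

```powershell
# Added example (not from the original post): switch the forest between
# List Child Access mode (third character 0) and List Object Access mode (1)
# by rewriting only the third character of dsHeuristics.
# Assumes the ActiveDirectory PowerShell module and a Domain Admins account.
Import-Module ActiveDirectory

function Set-AdVisibilityMode {
    param([ValidateSet('ListChild', 'ListObject')] [string] $Mode)

    # dsHeuristics lives on CN=Directory Service,CN=Windows NT,CN=Services in the
    # Configuration partition and is a single, forest-wide value.
    $cfgNc = (Get-ADRootDSE).configurationNamingContext
    $dn    = "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"
    $obj   = Get-ADObject -Identity $dn -Properties dsHeuristics

    # An absent attribute or a string shorter than three characters both mean
    # "0 for every position not set", so pad with zeros before editing.
    $current = [string]$obj.dsHeuristics
    if ($current.Length -lt 3) { $current = $current.PadRight(3, '0') }

    # Replace character 3 only; everything after it is copied through unchanged.
    $third = if ($Mode -eq 'ListObject') { '1' } else { '0' }
    $new   = $current.Substring(0, 2) + $third + $current.Substring(3)

    if ($new -eq $current) {
        Write-Host "dsHeuristics is already '$current'; nothing to change."
        return $current
    }

    Set-ADObject -Identity $dn -Replace @{ dsHeuristics = $new }

    # Re-read to verify; the new value replicates to every DC in the forest.
    $verify = (Get-ADObject -Identity $dn -Properties dsHeuristics).dsHeuristics
    Write-Host "dsHeuristics changed: '$current' -> '$verify'"
    return $verify
}

Set-AdVisibilityMode -Mode ListObject    # enable List Object Access mode
# Set-AdVisibilityMode -Mode ListChild   # revert to the default mode
```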
Changing the visibility mode of your Active Directory can significantly help block access to certain parts of your Active Directory. It’s definitely worth a look in highly secure environments, like multitenant environments.
Further reading
- Download details: HMC 4.5
- Active Directory Visibility Modes
- Recipe 15.20. Enabling List Object Access Mode
- Use Manual Steps to Set Active Directory to List Object Mode
- Anonymous LDAP operations to Active Directory are disabled in Windows Server 2003
- Understanding AdminSDHolder and Protected Groups
- HMC 4.5 and Exchange 2007 SP1 – Part #1 – Overview and Active Directory
- Shared hosting with Exchange 2007 (Part 2)
- Configuring Virtual Organizations and Address List Segregation in Exchange 2007