Directory Services

Controlling Object Visibility

The Microsoft® Active Directory® directory service provides the ability to hide objects from users who have been denied certain rights. Hiding an object means that an application running with the user's credentials will be unable to enumerate or bind to that object.

If a user is granted the ADS_RIGHT_ACTRL_DS_LIST access control right on a container, the user can view any of the child objects of the container. Likewise, if a user is denied the ADS_RIGHT_ACTRL_DS_LIST access control right on a container, the user cannot view any of the child objects of the container. This allows the contents of entire containers to be hidden.

Active Directory can also be put into a special list object mode by setting the third character of the dSHeuristics property to '1'. The list object mode can be disabled by setting the third character of the dSHeuristics property to '0'. When Active Directory is in the list object mode, an object will still be visible if the user has been granted the ADS_RIGHT_ACTRL_DS_LIST right on the parent object. If, however, the user has been denied the ADS_RIGHT_ACTRL_DS_LIST right on the parent, specific child objects can still be made visible if the user is granted the ADS_RIGHT_DS_LIST_OBJECT right on both the parent and child objects. The list object mode allows the system administrator to grant or deny access to individual objects for users or groups.

The list object mode should be used sparingly because it requires a significantly higher number of access check calls to be made by Active Directory to determine if an object is visible to a user. Thus, it can have a negative effect on the performance of browsing or reading objects from Active Directory.
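The following Python model, added here as an illustration and not taken from the Microsoft documentation, captures the two visibility rules above (the ADS_RIGHT_ACTRL_DS_LIST rule on the parent, and the ADS_RIGHT_DS_LIST_OBJECT rule on parent and child that applies only in list object mode) together with the edit to the third character of dSHeuristics that switches the mode on or off. It runs offline: the EffectiveRights class, the helper names and the "Payroll"/"Public" scenario are constructed for this example, and the rights are represented by their names rather than the ADSI enum values. Treating an absent allow as no access and an explicit deny as overriding an allow is an assumption that mirrors ordinary Windows DACL evaluation.

```python
from dataclasses import dataclass, field

# Rights named in the text, kept as strings for readability (not the enum values).
LIST_CONTENTS = "ADS_RIGHT_ACTRL_DS_LIST"
LIST_OBJECT = "ADS_RIGHT_DS_LIST_OBJECT"


@dataclass
class EffectiveRights:
    """Rights a single principal holds on one directory object (constructed model)."""
    allowed: set = field(default_factory=set)
    denied: set = field(default_factory=set)


def has_right(rights: EffectiveRights, right: str) -> bool:
    # Assumption: explicit deny overrides allow; no allow at all means no access.
    return right in rights.allowed and right not in rights.denied


def set_list_object_mode(ds_heuristics: str, enabled: bool) -> str:
    """Return dSHeuristics with its third character set to '1' (mode on) or '0' (off).

    Positions not present in the current value are padded with '0', the
    documented default meaning for an unspecified dSHeuristics character.
    """
    chars = list(ds_heuristics.ljust(3, "0"))
    chars[2] = "1" if enabled else "0"
    return "".join(chars)


def list_object_mode_enabled(ds_heuristics: str) -> bool:
    return len(ds_heuristics) >= 3 and ds_heuristics[2] == "1"


def is_visible(parent: EffectiveRights, child: EffectiveRights, ds_heuristics: str) -> bool:
    """Decide whether the principal can enumerate or bind to the child object."""
    # Rule 1: list-contents on the parent exposes every child, in either mode.
    if has_right(parent, LIST_CONTENTS):
        return True
    # Outside list object mode there is no per-object override.
    if not list_object_mode_enabled(ds_heuristics):
        return False
    # Rule 2 (list object mode only): list-object on BOTH parent and child.
    return has_right(parent, LIST_OBJECT) and has_right(child, LIST_OBJECT)


def example_scenario(ds_heuristics: str) -> dict:
    """Constructed scenario: the principal is denied list-contents on an OU,
    holds list-object on the OU and on the 'Payroll' child, and holds nothing
    on the 'Public' child."""
    ou = EffectiveRights(allowed={LIST_OBJECT}, denied={LIST_CONTENTS})
    payroll = EffectiveRights(allowed={LIST_OBJECT})
    public = EffectiveRights()
    return {
        "Payroll": is_visible(ou, payroll, ds_heuristics),
        "Public": is_visible(ou, public, ds_heuristics),
    }


if __name__ == "__main__":
    off = set_list_object_mode("", False)   # "000"
    on = set_list_object_mode(off, True)    # "001"
    print("list object mode off:", example_scenario(off))  # both hidden
    print("list object mode on: ", example_scenario(on))   # only Payroll visible
```

With the mode off, the deny on the OU hides both children regardless of any ADS_RIGHT_DS_LIST_OBJECT grants; with the third character set to '1', only the child that carries the list-object right on itself and on its parent becomes visible, which is the selective behaviour the text describes. On a real forest the dSHeuristics attribute lives on the Directory Service object in the Configuration naming context, so the string returned by set_list_object_mode would be written there by an administrator, and the performance caveat above applies to every subsequent enumeration.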