Channel: Directory Services forum
Preventing certain Active Directory users from enumerating/querying AD Users or Groups?

We are running a particular application where the only way to give a user access to it is to make them an AD user.

This application is for our end-user customers, and as such we don't want customers to have access to our entire AD directory. The purpose of this AD user is really just so they can log into the application and we don't want them doing anything more than that.

I created a separate OU and placed a user under it, and experimented with permissions settings on the OU (such as denying "List Contents", "List Object", and even "Read all properties" as special permissions), but the AD user can still see a list of all AD users if they are in an AD login pop-up "Select User or Group" window and click "Find Now".

I realize this is how AD works by default, but we only want to restrict permissions for very specific users.

I'm still thinking there should be a way to restrict this in the OU security permissions but so far no deny combination I've tested works.

In other research I found this article about a "confidentiality bit":

http://windowsitpro.com/active-directory/using-confidentiality-bit-hide-data-active-directory

But it also says there that "base schema attributes" cannot be made confidential, and I'm pretty sure 'Name' is a base schema attribute, right?

So what is a solution if we want to configure things so that particular AD users would not be able to enumerate/query/browse the AD directory of users, but can still log in to/through AD?

Thanks
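As an added check (not part of the original post), the following PowerShell script records the Deny ACEs currently set on the customer OU and then compares how many users an LDAP search returns when run with the restricted account's credentials versus the current (administrative) session. The OU distinguished name, domain controller name and the restricted test account are assumed placeholders.

```powershell
# Added verification script, not from the original post.
# Assumptions (placeholders): the customer OU DN, a DC to query, and a restricted test account.
Import-Module ActiveDirectory

$OuDn   = 'OU=CustomerLogins,DC=example,DC=com'   # assumption: the separate OU described in the post
$Server = 'dc01.example.com'                      # assumption: a domain controller to query
$Cred   = Get-Credential -Message 'Restricted customer test account (placeholder)'

# 1. Record the Deny ACEs on the OU so the tested permission combination is documented.
Write-Host "Deny ACEs on $OuDn"
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType, IsInherited |
    Format-Table -AutoSize

# 2. Count users visible through an LDAP search, optionally as a different account.
#    An LDAP search is what the "Select User or Group" dialog's Find Now performs,
#    so this approximates what the customer account sees.
function Get-VisibleUserCount {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [pscredential] $Credential
    )
    $params = @{
        Filter      = '*'
        SearchBase  = $SearchBase
        Server      = $Server
        ErrorAction = 'SilentlyContinue'   # access denied on a container yields no results, not an exception
    }
    if ($Credential) { $params.Credential = $Credential }
    (Get-ADUser @params | Measure-Object).Count
}

$domainDn       = (Get-ADDomain -Server $Server).DistinguishedName
$adminView      = Get-VisibleUserCount -SearchBase $domainDn
$restrictedView = Get-VisibleUserCount -SearchBase $domainDn -Credential $Cred

"Users visible to the current session        : $adminView"
"Users visible to the restricted test account: $restrictedView"

# 3. Same comparison scoped to the OU itself, to tell a domain-wide read apart from an OU-level one.
$ouAdmin      = Get-VisibleUserCount -SearchBase $OuDn
$ouRestricted = Get-VisibleUserCount -SearchBase $OuDn -Credential $Cred
"OU users visible (current / restricted)     : $ouAdmin / $ouRestricted"
```

Re-run the script after each change to the OU's ACL; if the restricted count stays equal to the administrative count, the Deny entries are not taking effect for LDAP reads and the enumeration the post describes is still possible.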

