Recipe 14.15 Enabling List Object Access Mode

14.15.1 Problem

You want to prevent any authenticated user from being able to browse the contents of Active Directory by default. Enabling List Object Access mode means users will need explicit permissions to see directory listings of containers.

14.15.2 Solution Using a graphical user interface
  1. Open ADSI Edit.

  2. In the Configuration partition, browse to cn=Services cn=Windows NT cn=Directory Service.

  3. In the left pane, right-click on the Directory Service object and select Properties.

  4. Double-click on the dSHeuristics attribute.

  5. If the attribute is empty, set it with the value: 001. If the attribute has an existing value, make sure the third bit (from the left) is set to 1.

  6. Click OK twice. Using VBScript
' This code enables or disables list object mode for a forest.
boolEnableListObject = 1  ' e.g. 1 to enable, 0 to disable
' ------ END CONFIGURATION ---------

set objRootDSE = GetObject("LDAP://RootDSE")
set objDS = GetObject( _
                "LDAP://cn=Directory Service,cn=Windows NT,cn=Services," _
                & objRootDSE.Get("configurationNamingContext") )
strDSH = objDS.Get("dSHeuristics")
if len(strDSH) = 1 then
   strDSH = strDSH & "0"
end if
strNewDSH = Left(strDSH,2) & boolEnableListObject
if len(strDSH) > 3 then
   strNewDSH = strNewDSH & Right(strDSH, len(strDSH) - 3)
end if

WScript.Echo "Old value: " & strDSH
WScript.Echo "New value: " & strNewDSH

if strDSH <> strNewDSH then
   objDS.Put "dSHeuristics", strNewDSH
   WScript.Echo "Successfully set list object mode to " & _
   WScript.Echo "List object mode already set to " & boolEnableListObject
end if

14.15.3 Discussion

List Object Access mode is useful if you want your users to only view a subset of objects when doing a directory listing of a particular container or you do not want them to be able to list the objects in a container at all. By default, the Authenticated Users group is granted the List Contents access control right over objects in a domain. If you remove or deny this right on a container by modifying the ACL, users will not be able to get a listing of the objects in that container in tools, such as Active Directory Users and Computers or ADSI Edit.

To limit the objects' users can see when they do a listing, you first need to enable List Object Access mode as described in the solution. You should then remove the List Contents access control right on the target container. Lastly, you'll need to grant the List Object right to the objects the users or groups should be able to list.

Enabling List Object Access mode can significantly increase the administration overhead for configuring ACLs in Active Directory.

14.15.4 See Also

MSDN: Controlling Object Visibility and Microsoft's High-Volume Hosting Site at

    Chapter 3. Domain Controllers, Global Catalogs, and FSMOs
    Chapter 6. Users
    Appendix A. Tool List