Restrict users from running DSQuery and DSGet

As a new AD Admin for our Server 2003 domain, it's recently been brought to my attention that any authenticated user can run DSQuery and DSGet on any of our Domain member machines. They can even run it from a USB drive. I need to configure Active Directory to restrict DSQuery and DSGet to specific security groups but so far haven't found even a hint of that possibility. Any ideas?


Solution 1:

What are you trying to accomplish with restricting them in this way? Every user in AD needs to have read access to the AD so that it can do lookups and get needed authentication and authorization information.

If you are really just concerned about limiting those two programs (which wouldn't prevent them from using something else that reads info from LDAP) you could prevent the use of these programs through a GPO. (User Configuration -> Admin Templates -> System -> Policy -> Don't run specified Windows Applications).

This really sounds like trying to do security by obscurity ... which is just not worth it.
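
The following read-only check is an added example, not part of the answer above. It reports whether the "Don't run specified Windows Applications" policy the answer mentions has been applied to the logged-on user and whether it lists the two tools from the question. It assumes the policy's standard per-user registry location and PowerShell 2.0 or later.

```powershell
# Added example: read-only check of the "Don't run specified Windows
# applications" user policy. It changes nothing on the machine.
# Assumption: the policy is stored in its standard per-user registry location.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$listKey   = Join-Path $policyKey 'DisallowRun'
$expected  = @('dsquery.exe', 'dsget.exe')   # the two tools named in the question

# The policy is switched on by a DisallowRun DWORD of 1 under the Explorer key.
$enabled = $false
if (Test-Path $policyKey) {
    $flag = (Get-ItemProperty -Path $policyKey -Name DisallowRun `
                -ErrorAction SilentlyContinue).DisallowRun
    $enabled = ($flag -eq 1)
}

# The listed file names are string values under the DisallowRun subkey.
$listed = @()
if (Test-Path $listKey) {
    $key = Get-Item -Path $listKey
    $listed = @($key.GetValueNames() |
        ForEach-Object { $key.GetValue($_).ToString().ToLower() })
}

# One row per tool: is the policy on, and is this executable in its list?
foreach ($exe in $expected) {
    New-Object PSObject -Property @{
        Executable    = $exe
        PolicyEnabled = $enabled
        Listed        = ($listed -contains $exe)
        Configured    = ($enabled -and ($listed -contains $exe))
    }
}
```

Microsoft documents this setting as applying only to programs started by the Windows Explorer process, so a `Configured` result of `True` confirms that the GPO reached the user, not that directory reads are restricted.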