How to Modify the Right to Display Users in User Manager

ID: q180782

The information in this article applies to:

Microsoft Windows NT Server versions 3.51, 4.0
Microsoft Windows NT Workstation versions 3.51, 4.0
Microsoft Windows 2000 Server
Microsoft Windows 2000 Professional

BETA INFORMATION BETA INFORMATION BETA INFORMATION

This article discusses a Beta release of a Microsoft product. The information in this article is provided as-is and is subject to change without notice.

No formal product support is available from Microsoft for this Beta product. For information about obtaining support for a Beta release, please see the documentation included with the Beta product files, or check the Web location from which you downloaded the release.

BETA INFORMATION BETA INFORMATION BETA INFORMATION

SUMMARY

When you use the User Manager tool on a computer running Windows NT, domain users or Guest account users may be able to display the list of user accounts and group accounts. This article describes how to use the Listacct.exe tool to modify this behavior.

MORE INFORMATION

This behavior occurs because all Windows NT users are granted the "Domain List Accounts" right by default. This right gives users the necessary permissions to display user and group account names. Domain administrators can use the Listacct.exe tool to grant or deny the right to list domain user accounts. You can obtain the Listacct.exe tool by calling Microsoft Technical Support. The Listacct.exe tool uses the following syntax:

Listacct [-d<Account> | -g<Account>]

-d<Account> denies domain list access to the specified account
-g<Account> grants domain list access to the specified account

A user who is not granted the "Domain List Accounts" right does not see a list of domain users in the User Manager tool. To use the Listacct.exe tool to grant only members of the Domain Administrators and Account Operators groups permission to list user accounts, use the following command:

Listacct "-gDomain Administrators" "-gAccount Operators" "-dEveryone"

NOTE: The domain administrator should run this command on the primary domain controller.

The Listacct.exe tool is designed for Windows NT 3.51 or 4.0. Using the Listacct.exe tool on a computer running Windows 2000 with the Active Directory services installed could lead to unpredictable results and is not supported by Microsoft. On a computer running Windows NT 5.0 using the Active Directory, all users can display user and group names in the Active Directory. To modify this behavior, a domain administrator can use the Directory Management snap-in for the Microsoft Management Console tool to set the "List Contents" right on an object in the Active Directory.

Additional query words: 5.00


Keywords          : kbenv ntsecurity NTSrvWkst 
Version           : WinNT:3.51,4.0;Windows:2000
Platform          : winnt 
Issue type        : kbinfo

Last Reviewed: August 8, 1999