Educause Security Discussion mailing list archives

AD Group membership exposure


From: "Custer, William L. Mr." <custerwl () MUOHIO EDU>
Date: Thu, 19 Jun 2008 16:44:58 -0400

Unlike Novell and SunOne LDAP, by default Active Directory reveals to any member of a group the list of constituents of that group.
Thus if you are in a group of Biology majors, you could know the list of all Biology majors.

Modifications can be made to AD default parameters to prevent members of a group from knowing the constituents. A possible risk is that applications may not function without the AD defaults.


1. Have other institutions modified this default of AD to protect knowledge of group membership?

2. Would it not be a FERPA violation to reveal information about a student who has opted out of displaying his/her directory information?

3. If one had a group consisting of all attendees of the main campus, would this pose a new risk from a password dictionary attack to your campus? New in the sense that there is no other easy way to get the username list.

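The post notes that AD's default permissions can be changed to hide group constituents, at the risk of breaking applications. The audit script below is an added example, not part of the original message: it lists every principal whose ACE on a given group allows or denies reading the `member` attribute, so an administrator can see who can enumerate membership before and after any change. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive) and uses the placeholder group name `BiologyMajors`.

```powershell
# Added audit example (not from the original post). Assumes the RSAT ActiveDirectory
# module is available; it supplies Get-ADGroup, Get-ADObject and the AD: PSDrive.
Import-Module ActiveDirectory

function Get-GroupMemberReadAccess {
    param([Parameter(Mandatory)][string]$GroupName)

    # Resolve the schemaIDGUID of the 'member' attribute at run time instead of hardcoding it.
    $schemaNC   = (Get-ADRootDSE).schemaNamingContext
    $memberDef  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=member)' -Properties schemaIDGUID
    $memberGuid = [guid]$memberDef.schemaIDGUID

    $group = Get-ADGroup -Identity $GroupName
    $acl   = Get-Acl -Path "AD:\$($group.DistinguishedName)"

    # Any of these rights lets the holder read attribute values.
    $readRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, GenericRead, GenericAll'

    $acl.Access | Where-Object {
        # Keep ACEs that carry a read right ...
        (($_.ActiveDirectoryRights -band $readRights) -ne 0) -and
        # ... scoped either to all properties (empty ObjectType) or to 'member' itself.
        # Limitation: ACEs granted through a property set GUID are not resolved here.
        ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $memberGuid)
    } | Select-Object @{n = 'Group'; e = { $group.Name }},
                      IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited,
                      @{n = 'Scope'; e = { if ($_.ObjectType -eq $memberGuid) { 'member attribute' } else { 'all properties' } }}
}

# Placeholder group name; replace with a real group in your directory.
Get-GroupMemberReadAccess -GroupName 'BiologyMajors' | Format-Table -AutoSize
```

Run it before and after any ACL change so that service accounts which legitimately read membership show up in the list and are not cut off by a blanket restriction.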