Active Directory LDAP, Set Custom Security Permissions on 3 Attributes, not the whole class

Tags:
Active Directory
LDAP
NTFS
Permissions
Schema
Security
Fellow experts, I signed up just a few minutes ago and hope to become a valuable contributor on this forum; however, I need your expertise now, so put on your AD Schema hat.

I have an object class "organizationalPerson" and three optional attributes in the class. I went into ADSI Edit and edited the security of those three LDAP attributes (removed Authenticated Users and added a new security group). The goal is to disallow Authenticated Users from being able to view the three attributes, but without affecting the security of the object class (as other attributes need to be read, I think).

The problem is that even though I set permissions on the three attributes in adsiedit.msc, ordinary logged-on users can still browse and see the attributes and their values. Has anyone seen, or does anyone know of, a solution to this?

-this1guy

Software/Hardware used:
2003 Native Active Directory
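The following is an added example, not code from the thread, showing what the question's procedure actually changes and the supported alternative. The security tab of an attribute under CN=Schema (what ADSI Edit shows when you open the attributeSchema object) governs who may read or modify the attribute's definition; it is not consulted when a client reads that attribute on a user object. Whether a user can read an attribute value is decided by the DACL of the user object itself: an ACE whose ObjectType is the attribute's schemaIDGUID, an ACE for the property set that contains the attribute (attributeSecurityGUID), or a blanket Read All Properties ACE. Allow ACEs accumulate, so removing Authenticated Users from the schema object changes nothing while a blanket read ACE on the user objects remains. The supported way to hide an attribute from everyone except a chosen group is the confidential bit (searchFlags 0x80, available from Windows Server 2003 SP1; "2003 Native" is a functional level and says nothing about the DC service pack), which makes a read require both Read Property and Control Access on that attribute. It cannot be set on base-schema attributes (systemFlags FLAG_SCHEMA_BASE_OBJECT), which is likely what the three built-in organizationalPerson attributes are, and anyone holding Full Control on the object (administrators, for example) still reads it. The attribute name, group, OU and user DN below are assumptions; the script uses only System.DirectoryServices, so it needs no ActiveDirectory module.

```powershell
# Added example, not from the original thread. All names are hypothetical:
#   contosoSalary        custom (non-base-schema) attribute on user objects
#   CONTOSO\HR-Readers   the only group that should read it
#   OU=Staff,...         container holding the users to protect
# Set-ConfidentialAttribute needs Schema Admins (it writes to the schema);
# Grant-AttributeRead needs write-DACL on the OU.
$AttributeName = 'contosoSalary'
$ReaderGroup   = 'CONTOSO\HR-Readers'
$TargetOU      = 'OU=Staff,DC=contoso,DC=com'
$SampleUser    = 'CN=Alice Example,OU=Staff,DC=contoso,DC=com'

$RIGHT_DS_READ_PROP      = 0x10    # ADS_RIGHT_DS_READ_PROP
$RIGHT_DS_CONTROL_ACCESS = 0x100   # ADS_RIGHT_DS_CONTROL_ACCESS (CR)
$FLAG_CONFIDENTIAL       = 0x80    # searchFlags bit 7 (fCONFIDENTIAL), 2003 SP1+
$FLAG_SCHEMA_BASE        = 0x10    # systemFlags FLAG_SCHEMA_BASE_OBJECT

function Get-SchemaObject([string]$LdapDisplayName, [string]$Class) {
    # Locate the attributeSchema / classSchema object by lDAPDisplayName.
    $schemaNC = ([ADSI]'LDAP://RootDSE').Get('schemaNamingContext')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $searcher.Filter = "(&(objectClass=$Class)(lDAPDisplayName=$LdapDisplayName))"
    $result = $searcher.FindOne()
    if (-not $result) { throw "No $Class named '$LdapDisplayName' in the schema" }
    return $result.GetDirectoryEntry()
}

function Get-SchemaGuid([System.DirectoryServices.DirectoryEntry]$Entry, [string]$Property) {
    # schemaIDGUID and attributeSecurityGUID are stored as 16-byte octet strings.
    if (-not $Entry.Properties.Contains($Property)) { return [guid]::Empty }
    return New-Object System.Guid -ArgumentList (,[byte[]]$Entry.Get($Property))
}

function Get-AttributeReaders([string]$UserDN, [string]$LdapDisplayName) {
    # Allow ACEs on the USER object that carry Read Property or Control Access
    # for this attribute: blanket (empty ObjectType), property set, or the
    # attribute's own GUID. The schema object's ACL plays no part here.
    $attr     = Get-SchemaObject $LdapDisplayName 'attributeSchema'
    $attrGuid = Get-SchemaGuid $attr 'schemaIDGUID'
    $setGuid  = Get-SchemaGuid $attr 'attributeSecurityGUID'   # property set, if any
    $user     = [ADSI]"LDAP://$UserDN"
    $user.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.ActiveDirectoryRights -band ($RIGHT_DS_READ_PROP -bor $RIGHT_DS_CONTROL_ACCESS)) -ne 0) -and
            ($_.ObjectType -eq [guid]::Empty -or $_.ObjectType -eq $attrGuid -or
             ($setGuid -ne [guid]::Empty -and $_.ObjectType -eq $setGuid))
        } | Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited
}

function Set-ConfidentialAttribute([string]$LdapDisplayName) {
    # Flip the confidential bit. Refused for base-schema attributes, which the
    # directory would reject anyway.
    $attr = Get-SchemaObject $LdapDisplayName 'attributeSchema'
    $systemFlags = 0
    if ($attr.Properties.Contains('systemFlags')) { $systemFlags = [int]$attr.Get('systemFlags') }
    if ($systemFlags -band $FLAG_SCHEMA_BASE) {
        throw "'$LdapDisplayName' is a base-schema attribute; the confidential bit cannot be set on it"
    }
    $searchFlags = 0
    if ($attr.Properties.Contains('searchFlags')) { $searchFlags = [int]$attr.Get('searchFlags') }
    $attr.Put('searchFlags', ($searchFlags -bor $FLAG_CONFIDENTIAL))
    $attr.SetInfo()
}

function Grant-AttributeRead([string]$LdapDisplayName, [string]$Group, [string]$ContainerDN) {
    # Two inheritable ACEs on the container, applying to descendant user
    # objects only, each scoped to the single attribute GUID. ExtendedRight with
    # an attribute GUID as ObjectType is the per-attribute Control Access right
    # that a confidential attribute demands in addition to Read Property.
    $attrGuid  = Get-SchemaGuid (Get-SchemaObject $LdapDisplayName 'attributeSchema') 'schemaIDGUID'
    $userGuid  = Get-SchemaGuid (Get-SchemaObject 'user' 'classSchema') 'schemaIDGUID'
    $who       = New-Object System.Security.Principal.NTAccount -ArgumentList $Group
    $container = [ADSI]"LDAP://$ContainerDN"
    foreach ($right in 'ReadProperty', 'ExtendedRight') {
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $who,
            [System.DirectoryServices.ActiveDirectoryRights]$right,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $attrGuid,
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
            $userGuid)
        $container.ObjectSecurity.AddAccessRule($ace)
    }
    $container.CommitChanges()
}

'ACEs granting read of the attribute before the change:'
Get-AttributeReaders $SampleUser $AttributeName | Format-Table -AutoSize
Set-ConfidentialAttribute $AttributeName
Grant-AttributeRead $AttributeName $ReaderGroup $TargetOU
'ACEs after the change (only entries with ExtendedRight/Control Access can now read):'
Get-AttributeReaders $SampleUser $AttributeName | Format-Table -AutoSize
```

The "before" listing is the diagnostic for the symptom in the question: it typically shows a blanket ReadProperty ACE for Authenticated Users inherited onto the user object, which is why editing the schema object changed nothing. After the change that ACE is still there, but with the confidential bit set it no longer suffices; only principals that also hold Control Access on the attribute (the HR-Readers ACE added here, or anyone with Full Control) get the value back. Verify from a plain user account with an LDAP search that returns the attribute explicitly, since a client that never requested it would hide the difference.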

Discuss This Question: 1 Reply
  • ErroneousGiant
    I'm just glad you didn't use 'Deny' for Auth users. That would have been a no-no. I'm guessing your 3 attributes are top; person and user (at least they are the default for 2003). I don't think that you can go as granular as the attributes of certain schema fields for permissions. AD permissions are designed more towards whether you can see, edit or delete objects rather than attributes. The finest-grain permissions can be set in the SACL of an object (advanced and then edit), but be careful if you aren't sure about editing this. Also, 'ordinary logged on users' should not be able to see anything in AD or the AD schema. Keep that to admins only. The only thing an ordinary user should be able to do is reference the global address book. If anyone has any other suggestions I'd be glad to hear them.