Fellow experts,
I signed up just a few minutes ago, and hope to become a valuable contributor on this forum, however I need your expertise now... so put on your AD Schema hat...
I have an object class "organizationalPerson" and three optional attributes in the class.
I went into adsiedit and edited the security of those 3 LDAP attributes (removed authenticated users and added a new security group).
The goal is to disallow authenticated users from being able to view the 3 attributes -- but without affecting the security of the object class (as other attributes need to be read, I think).
Problem is, even though I set permissions on the 3 attributes in adsiedit.msc, ordinary logged-on users can still browse and see the attributes and their values... Has anyone seen this, or does anyone know of a solution?
-this1guy
Software/Hardware used:
2003 Native Active Directory
ASKED: July 20, 2011 12:41 PM
UPDATED: March 31, 2012 8:48 PM
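One way to see why a per-attribute ACE in ADSI Edit is not taking effect is to list every ACE on the object that can grant read access to that attribute, since a blanket "read all properties" grant, a grant on the property set the attribute belongs to, or an inherited ACE will all override the intent. This is an added example, not code from the original thread; it assumes the RSAT ActiveDirectory module, and the DN and attribute name are placeholders.

```powershell
# Added example (not from the original post). Lists the ACEs on one AD object
# that can grant read access to one attribute: directly, through its property
# set, or through a blanket read of all properties.
# Assumes the ActiveDirectory module (which provides the AD: drive).
Import-Module ActiveDirectory

$ObjectDN  = 'CN=Some User,OU=Staff,DC=example,DC=com'   # placeholder DN
$Attribute = 'employeeID'                                # placeholder attribute

$rootDse = Get-ADRootDSE

# The attribute's own schemaIDGUID, and the rightsGuid of the property set it
# belongs to (attributeSecurityGUID), if it is a member of one.
$schema = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))" `
    -Properties schemaIDGUID, attributeSecurityGUID
$attrGuid = [guid]$schema.schemaIDGUID
$setGuid  = if ($schema.attributeSecurityGUID) { [guid]$schema.attributeSecurityGUID } else { $null }

# Any of these rights lets the trustee read the attribute.
$readRights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, GenericRead, GenericAll'

$acl = Get-Acl -Path "AD:\$ObjectDN"
$acl.Access |
  Where-Object {
    (($_.ActiveDirectoryRights -band $readRights) -ne 0) -and
    ( $_.ObjectType -eq [guid]::Empty -or                # all properties
      $_.ObjectType -eq $attrGuid -or                    # this attribute only
      ($setGuid -and $_.ObjectType -eq $setGuid) )       # its property set
  } |
  Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
    @{ n = 'Scope'; e = {
        if     ($_.ObjectType -eq [guid]::Empty) { 'all properties' }
        elseif ($_.ObjectType -eq $attrGuid)     { 'this attribute' }
        else                                     { 'property set' } } },
    IsInherited |
  Format-Table -AutoSize
```

Any Allow row whose trustee is Authenticated Users, or a group that contains it (the Pre-Windows 2000 Compatible Access group is a common case), with scope "all properties" or "property set" is what those users are reading through, regardless of the attribute-specific entry.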
I’m just glad you didn’t use ‘Deny’ for Auth users. That would have been a no-no.
I’m guessing your 3 attributes are top; person and user. (at least they are the default for 2003).
I don’t think that you can go as granular as the attributes of certain schema fields for permissions. AD permissions are designed more towards whether you can see, edit or delete objects rather than attributes. The finest-grain permissions can be set in the SACL of an object (advanced and then edit), but be careful if you aren’t sure about editing this.
Also ‘Ordinary logged on users’ should not be able to see anything in AD or the AD schema. Keep that to admins only. The only thing an ordinary user should be able to do is ref the global address book.
If anyone has any other suggestions I’d be glad to hear them.