I’m guessing your 3 attributes are top; person and user. (at least they are the default for 2003).

I don’t think that you can go a granular as the attributes of certain schema fields for permissions. AD premissions are designed more towards whether you can see, edit or delete objects rather than attributes. The finest grain permissions can be set in SACL of an object (advanced and then edit) but be careful f you aren’t sure abotu editing this.

Also ‘Ordinary logged on users’ should not be able to see anything in AD or the AD schema. Keep that to admins only. The only thing an ordinary user should be able to do is ref the global address book.

If anyone has any other suggestions i’d be glad to hear them.