Re: Hiding Telephone number from AD search



This is actually a bit of work to do this. Not only do normal users have the ability to see their telephone number, they have the ability to change it. It is a member of the Personal Information property set and that permission is granted explicitly on every user object created, so inherited ACEs (permissions placed on the OU or domain structures) will not correct this.

Personally, I like the idea of stripping confidential information out of AD and placing it into an AD/AM directory since AD/AM is far more locked down by default.

You could also look at the new confidentiality support in Windows Server 2003 SP1 AD. It allows you to mark an attribute as confidential and then additional rights will have to be delegated to allow anyone to view the attribute. The documentation on this functionality is sparse at best at the moment though since SP1 just came out.

Finally, you can do something very severe such as modifying the Personal Information property set to remove the telephoneNumber attribute as one of the included attributes and then grant permissions to those who should see the attribute.

I wouldn't consider any of the solutions trivial unfortunately, but the easiest least likely mechanism to break AD or apps using AD in any way is to use AD/AM.


--
Joe Richards
Microsoft MVP Windows Server Directory Services
www.joeware.net


Dave Clark wrote:
How can you hide the telephone number from an AD search? Say an XP user goes to Start -> Search -> For People and selects to search against AD, how can I have it NOT show the telephone number? How do I only allow 1 user to see telephone numbers? Upper management wants users to not be able to get phone numbers from AD but wants the HR people to be able to. How can this be done?

Thanks
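The following script walks through the confidential-attribute and delegation routes from Joe's reply against a live directory. It is an added example written for this page, not code from the thread or from joeware.net. It uses PowerShell with the System.DirectoryServices classes (no ActiveDirectory module needed); the domain contoso.com, the OU "OU=Staff,DC=contoso,DC=com" and the group "CONTOSO\HR-PhoneReaders" are assumptions, and it is meant to be run as a Schema Admin with rights on that OU, in a lab first. It also carries the check a practitioner will hit immediately: the confidential bit cannot be set on base-schema attributes (those with FLAG_SCHEMA_BASE_OBJECT, 0x10, in systemFlags), and telephoneNumber is one of them, so for that attribute the script reports the problem and moves on to the delegation step, which is needed whichever route is chosen.

```powershell
# Added example, not from the thread.  Assumed: lab domain contoso.com, an OU holding
# the user accounts, and an HR group that should keep read access to phone numbers.
# Run as a member of Schema Admins (step 2) with rights to edit the OU's ACL (step 3).

$AttributeName = 'telephoneNumber'
$TargetOu      = 'OU=Staff,DC=contoso,DC=com'                                               # assumed
$HrGroup       = New-Object System.Security.Principal.NTAccount('CONTOSO', 'HR-PhoneReaders')  # assumed

$FLAG_SCHEMA_BASE_OBJECT = 0x10   # systemFlags bit: attribute belongs to the base schema
$SEARCHFLAG_CONFIDENTIAL = 0x80   # searchFlags bit 7: confidential attribute (2003 SP1 and later)
$UserClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the "user" class

# 1. Locate the attributeSchema object in the schema partition and read its flags.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
$searcher.Filter     = "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
$result = $searcher.FindOne()
if ($null -eq $result) { throw "attributeSchema object for '$AttributeName' not found" }
$attr = $result.GetDirectoryEntry()

$systemFlags = [int]$attr.systemFlags.Value
$searchFlags = [int]$attr.searchFlags.Value
$attrGuid    = New-Object System.Guid -ArgumentList (,[byte[]]$attr.schemaIDGUID.Value)
# attributeSecurityGUID names the property set (Personal Information for telephoneNumber);
# clearing it on the schema object is what "removing it from the property set" means.
$propSetGuid = if ($attr.attributeSecurityGUID.Value) {
    New-Object System.Guid -ArgumentList (,[byte[]]$attr.attributeSecurityGUID.Value)
} else { $null }
Write-Host ("{0}: schemaIDGUID={1} searchFlags=0x{2:X} systemFlags=0x{3:X} propertySet={4}" -f `
    $AttributeName, $attrGuid, $searchFlags, $systemFlags, $propSetGuid)

# 2. Mark the attribute confidential if the directory allows it.  Base-schema
#    attributes (telephoneNumber included) refuse the bit, so the check comes first.
if ($systemFlags -band $FLAG_SCHEMA_BASE_OBJECT) {
    Write-Warning "'$AttributeName' is a base-schema attribute; the confidential bit cannot be set on it. Use AD/AM or take it out of its property set instead."
}
elseif ($searchFlags -band $SEARCHFLAG_CONFIDENTIAL) {
    Write-Host "'$AttributeName' is already marked confidential."
}
else {
    $attr.Put('searchFlags', ($searchFlags -bor $SEARCHFLAG_CONFIDENTIAL))
    $attr.SetInfo()
    Write-Host "Set the confidential bit on '$AttributeName'."
}

# 3. Delegate the attribute to HR on every user object under the OU.  Reading a
#    confidential attribute requires CONTROL_ACCESS (ExtendedRight) scoped to the
#    attribute's GUID on top of Read Property; granting both covers either route.
$ou   = [ADSI]"LDAP://$TargetOu"
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $HrGroup,
    ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
     [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight),
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $UserClassGuid)
$ou.ObjectSecurity.AddAccessRule($rule)
$ou.CommitChanges()
Write-Host "Granted $HrGroup Read Property + Control Access on '$AttributeName' for user objects under $TargetOu."

# 4. Show the ACEs on the OU that name this attribute, to confirm what was written.
$ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritedObjectType
```

The script deliberately stops short of the "severe" option: it prints the attribute's current attributeSecurityGUID but does not clear it, because pulling telephoneNumber out of Personal Information changes the meaning of every existing ACE that grants that property set, which is exactly the breakage Joe warns about. Whichever route is taken, the Start -> Search -> For People dialog runs the LDAP query under the user's own token, so once the read is denied the attribute is simply absent from the results rather than blanked on the client.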


