Re: restrict access to AD:USER properties for a particular set of



Ok, I thought applying that kind of change to the OU level might cause
problems with all my user accounts in that group. If I am reading the
advanced security tab correctly, it appears that the child user objects
inherit their permissions from the parent. I was fearing that changes to the
OU permissions would push down and replace all permissions on all child
objects like it has the option to do in the NTFS file system.

Thank you very much for your assistance with this.

James

"Tim Hines [MSFT]" wrote:

You don't have to do it on all user accounts if you define the permissions
at the OU level. The settings that you define at the OU permission level
will apply to the new objects created in the OU or existing objects because
they will inherit the settings. If I want to prevent Jane Doe from seeing a
user's address in the marketing OU, I would select the OU properties and go
to advanced security settings, select add, select Jane Doe and then the
permission box will pop up. Select the properties tab and you will see an
apply onto box. You can choose user accounts, click deny for read address.


--
--
Tim Hines, MCSE, MCSA
=====================================================
When responding to posts, please "Reply to Group" via
your newsreader so that others may learn and benefit
from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.





"James1234" <James1234@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:086B5D0A-461F-47AD-A724-11404FE7E196@xxxxxxxxxxxxxxxx
Thanks for the reply Tim,

In this case maybe I am not understanding something. Jane Doe is the user I
want to restrict from seeing every other account's properties. So do I need
to go through all my accounts and restrict Jane Doe from seeing each user's
properties? Or does placing a specific deny properties statement for each
user (or security group) in my organization in Jane Doe's security tab
restrict her from seeing those other users' properties?

My understanding was that the security tab for a particular user was
basically defining what/who can see that particular user's properties/info.


I do appreciate your time on helping me with this!

James

"Tim Hines [MSFT]" wrote:

You can edit the permissions on the attributes to prevent the users from
seeing them. In AD users and computers, right click the user, select
properties, select security, click advanced, click add or you can edit a
current account, click the properties tab and you will see all of the
properties that you can allow or deny.





"James1234" <James1234@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:65E36F43-D143-492D-8E88-F88A87599F21@xxxxxxxxxxxxxxxx
I am trying to find a way to prevent an authenticated user or Exchange user
from seeing certain user properties that are present in the AD.

An example of what I am trying to accomplish is that I want to keep Jane Doe
from accessing the address field of all other domain users. Jane Doe
currently can get this information easily from her Outlook via Exchange and
the Global Address List and adding the person she wants to get the address to
her contacts. It then does (I believe) an LDAP query to the AD and pulls
that information over to her Outlook client.

My work has a scenario where we want to provide an Exchange mailbox for a
user but we do not want that user to be able to pull any information from AD
that we believe that user does not need. I have tried using details filter
in Exchange but that filter is bypassed if they right click on a user from
the Global Address List and choose "save as contact".

Any help or thoughts on this would be appreciated,

James
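
The OU-level deny that Tim Hines describes in this thread, scripted as an added example (not code from any post in the thread): it adds one deny ACE for reading a single attribute, scoped to descendant user objects, and then shows that ACE arriving on a child account as an inherited entry alongside its existing permissions. The domain `example.com`, the OU `Marketing`, the account `EXAMPLE\jdoe` and the choice of `streetAddress` as "the address" are assumptions.

```powershell
# Added example. Assumed names (not from the thread): example.com, OU=Marketing,
# EXAMPLE\jdoe, and streetAddress as the attribute behind "address".
Import-Module ActiveDirectory

$ouDn     = 'OU=Marketing,DC=example,DC=com'
$trustee  = New-Object System.Security.Principal.NTAccount('EXAMPLE', 'jdoe')
$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Resolve schema GUIDs from the directory instead of hard-coding them.
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found" }
    [guid]$obj.schemaIDGUID
}
$attrGuid = Get-SchemaGuid 'streetAddress'   # property being hidden
$userGuid = Get-SchemaGuid 'user'            # "apply onto" user objects

# Deny ReadProperty on that one attribute; Descendents = child objects only,
# and the inherited-object-type GUID limits it to user objects.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $trustee,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

# AddAccessRule appends one ACE to the OU's DACL; existing ACEs are kept.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: on a user in the OU the ACE should appear with IsInherited = True.
$child = Get-ADUser -SearchBase $ouDn -Filter * -ResultSetSize 1
if ($child) {
    (Get-Acl -Path "AD:\$($child.DistinguishedName)").Access |
        Where-Object { $_.AccessControlType -eq 'Deny' -and
                       $_.ObjectType -eq $attrGuid -and
                       $_.IdentityReference -eq $trustee.Value } |
        Format-List IdentityReference, ActiveDirectoryRights, IsInherited
}
```

User objects that have inheritance disabled will not receive the ACE, so review those accounts separately.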





