Correct way to Permission attributes
- From: "Microsoft News Groups" <Please@xxxxxxxxxxxx>
- Date: Fri, 10 Mar 2006 10:25:16 -0500
We have an ADAM database we are setting up that we have created custom user
attributes for. We have populated users into the directory and we want
anonymous access to most user attributes. We have accomplished the anonymous
access part by making the correct heuristics change and placing the NT
Authority\Anonymous Logon in the Readers folders. What we would like to do
now is lock down a subset of the attributes so that only administrators or
another group only has view or full control access to these. Meaning we do
not want Anonymous Logon users to see the values in these attributes. What
is the best way to permission the ACLs so that I can achieve this? I have
used DSACLS to modify the attributes at the Schema level, but that does not
seem to affect the display of those attributes for the users that have been
created. When I check the ACLS of the Users container it has Readers with
General Read. Even a Deny of a particular attribute for Readers at the
schema level does not seem to stop the display of the attribute of a user.
Any thoughts or best practices? Basically what I want is almost global
anonymous access to all user attributes except for a select few that have
more sensitive data in them. This sensitive data will have a higher level
group only access.
thanks
Rob