Re: ADAM Permission Questions (Hiding the Existence of Objects)



Hello,
This will not solve all of the issues you are asking about, but I may be
able to help.

Active Directory List Object Mode and Content Object Mode:
http://www.chrisse.se/MAQB.asp?ID=34

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services


No email replies please - reply in the newsgroup
------------------------------------------------
http://www.chrisse.se - Active Directory Resources

"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:A99F9C68-CF09-4A33-BD76-4AC1D9324179@xxxxxxxxxxxxxxxx
I want to restrict access to OUs and attributes in ADAM; specifically, I
want to hide them in the directory.

I know how to configure restrictions on attributes in the Application
Directory using the searchflag confidentiality bit, but is there a way to
hide an attribute in the schema partition itself? I can restrict access to
the attribute configuration in the schema partition by placing access
controls on the attribute object itself, but I cannot determine how to
actually hide the existence of the attribute itself (in our environment,
these are application specific attributes which only a bind account for the
application should be accessing, so we do not want different application
bind accounts to be able to see these attributes). If attributes can be
hidden this way, will the inability of an account to see an attribute in
the schema cause problems accessing user objects in the directory, even if
those same accounts are prevented from accessing the values of the
attributes by the confidentiality bit?

Similarly, is there a way to hide specific objects in the directory tree
under a common leaf object without hiding all of them? If we have:

OU1 ---
OUa
OUb
OUc

Is there a way to hide the existence of OUa and OUb from a specific account
or group without hiding the existence of all of them by placing an access
control on OU1? We want a specific account to be able to see OU1 and OUc in
the directory tree, without seeing OUa and OUb. If we put the access control
on OU1, then the account cannot see OUc without changing the base dn to
OU=OUc. If we put the access controls on OUa and OUb, then the account can
still see that OUa and OUb exist.

Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.

