Attribute Permissions and Property-Sets
- From: "Aaron" <Aaron.Smith@xxxxxxxx>
- Date: 20 Oct 2006 05:41:41 -0700
I had posted to this forum about a similar issue but have ended up with
a need to revisit it. What I'm looking to do is change the permissions
on an Active Directory attribute so that only certain users can read
it. We'd like to store an employee-id in Active Directory, but don't
really want any old user to be able to just look up other users'
employee-ids. The solution that I *had* implemented (which was
suggested on this forum so thank you) was an ADAM instance that was
locked down to only specific users. That worked great, but a new need
has arisen. It turns out we have a web app where users log in with
their employee ID instead of their username and we'd like this app to
authenticate via Active Directory. If I could put the employee IDs
into AD and have them protected, then this is easily done.
The problem is that if I attempt to remove the Read permission for
Authenticated Users from a suitable attribute, such as Employee-ID or
Employee-Number, it wants to create 243 permissions entries which, I
was told, means they are a member of a property set. Is that correct?
I ask because after reading the information on this page:
http://www.lacoude.com/docs/public/Attributes.aspx
It seems that the attribute's attributeSecurityGUID attribute
determines what Property Set it's in. If I look at both Employee-ID
and Employee-Number in the AD Schema (via adsiedit) I see that neither
of these attributes has this set.
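
The schema check described in the post can be scripted. This is an added example, not part of the original message: it reads attributeSecurityGUID for both attributes and resolves any value against the property sets published under CN=Extended-Rights. It assumes the ActiveDirectory PowerShell module (RSAT), PowerShell 5 or later, and the LDAP display names employeeID and employeeNumber for the Employee-ID and Employee-Number schema objects.

```powershell
# Added example: report which property set, if any, each attribute belongs to.
# Assumes the ActiveDirectory module and read access to the schema and
# configuration naming contexts.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext
$configNc = $rootDse.configurationNamingContext

# Property sets are controlAccessRight objects; rightsGuid (a string) is the
# value that an attribute's attributeSecurityGUID points at.
$rightsByGuid = @{}
Get-ADObject -SearchBase "CN=Extended-Rights,$configNc" `
             -LDAPFilter '(objectClass=controlAccessRight)' `
             -Properties rightsGuid, displayName |
    ForEach-Object {
        $rightsByGuid[([guid]$_.rightsGuid).ToString()] = $_.displayName
    }

foreach ($name in 'employeeID', 'employeeNumber') {
    $attr = Get-ADObject -SearchBase $schemaNc `
                         -LDAPFilter "(lDAPDisplayName=$name)" `
                         -Properties attributeSecurityGUID
    if (-not $attr) {
        Write-Warning "$name was not found in the schema"
        continue
    }

    $raw = $attr.attributeSecurityGUID   # octet string, or $null when unset
    if ($null -eq $raw) {
        $set = '(attributeSecurityGUID not set)'
    } else {
        # AD stores the GUID as 16 bytes in the layout Guid(byte[]) expects.
        $guid = [guid]::new([byte[]]$raw).ToString()
        $set  = if ($rightsByGuid.ContainsKey($guid)) { $rightsByGuid[$guid] }
                else { "unresolved GUID $guid" }
    }

    [pscustomobject]@{ Attribute = $name; PropertySet = $set }
}
```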