Possible to hide a custom user class attribute from LDAP queries?

ZigZag Master

I have a customer who wants to extend the Active Directory schema. He
would like to add an attribute under the user class called "PIN Number".

Is there a way to hide this custom attribute name/data so normal users
cannot do LDAP queries against it?

Any help or links would be appreciated.

Thanks
-----------------

David Hou [MSFT]

If it's a new attribute, then it's probably not accessible by default, since
authenticated users usually have read access to only certain property sets
(same for "Pre-Windows 2000 Compatible Access", even if you enabled it to include
Everyone), and the new attribute shouldn't be associated with any of those
pre-defined property sets. However, if you've modified DACLs in your AD, then
the only way to ensure that no access to this attribute has been granted to
normal users is to walk through the DACLs on user objects and remove any
ACEs that will allow normal users read access to the new attribute. In the case
of inherited ACEs, you need to remove them from the parents where the inherited
ACEs originate. The accesses that you should look for most of the time are
"read/write all properties". Depending on how you organize your AD
and how you apply the permissions, the task can be very tedious...

David
 
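The DACL walk David describes, written out as an added PowerShell example (not code from the thread or from Microsoft). It assumes the ActiveDirectory module is installed, that the new attribute was registered with the hypothetical lDAPDisplayName `pinNumber` (the thread only says "PIN Number"), and that the script runs as an account that can read security descriptors on user objects. It resolves the attribute's schemaIDGUID and, if it was placed in a property set, the attributeSecurityGUID, then reports every Allow ACE on every user object that gives a broad principal (Authenticated Users, Everyone, Domain Users, Pre-Windows 2000 Compatible Access) read access to the attribute, whether through "read all properties" (empty ObjectType GUID), the attribute's own GUID, or its property set GUID, and says whether the ACE is inherited so you know to go to the parent container to remove it.

```powershell
# Added example, not from the thread: find ACEs on user objects that let
# "normal user" principals read a custom attribute.
Import-Module ActiveDirectory

$attrName = 'pinNumber'   # hypothetical lDAPDisplayName of the new attribute

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attrName)" `
                     -Properties schemaIDGUID, attributeSecurityGUID
if (-not $attr) { throw "Attribute '$attrName' not found in the schema" }

# schemaIDGUID identifies the attribute in attribute-specific ACEs;
# attributeSecurityGUID identifies the property set it belongs to (if any).
$attrGuid = [guid]$attr.schemaIDGUID
$setGuid  = if ($attr.attributeSecurityGUID) { [guid]$attr.attributeSecurityGUID } else { $null }

$domain = Get-ADDomain
# Principals the thread calls "normal users"; extend for your own groups.
$broadPrincipals = @(
    'NT AUTHORITY\Authenticated Users',
    'Everyone',
    "$($domain.NetBIOSName)\Domain Users",
    'BUILTIN\Pre-Windows 2000 Compatible Access'
)

function Test-AceReadsAttribute {
    param([System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    # GenericRead and GenericAll both include the ReadProperty bit, so one
    # flag check covers "Read all properties" and full control as well.
    if (-not $Ace.ActiveDirectoryRights.HasFlag(
            [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)) { return $false }
    $ot = $Ace.ObjectType
    # Empty GUID = all properties; otherwise the ACE must name the attribute or its set.
    return ($ot -eq [guid]::Empty) -or ($ot -eq $attrGuid) -or ($null -ne $setGuid -and $ot -eq $setGuid)
}

$findings = foreach ($user in Get-ADUser -Filter * -SearchBase $domain.DistinguishedName) {
    $acl = Get-Acl -Path "AD:\$($user.DistinguishedName)"
    foreach ($ace in $acl.Access) {
        if ($broadPrincipals -contains $ace.IdentityReference.Value -and (Test-AceReadsAttribute $ace)) {
            [pscustomobject]@{
                User        = $user.DistinguishedName
                Principal   = $ace.IdentityReference.Value
                Rights      = $ace.ActiveDirectoryRights
                ObjectType  = $ace.ObjectType
                IsInherited = $ace.IsInherited   # True: remove it on the parent OU/container
            }
        }
    }
}

$findings | Sort-Object Principal, User | Format-Table -AutoSize
```

Treat the principal list as a starting point: any custom group that "normal users" belong to has to be added to it, and the script only reports what is on the objects today, so the user class's defaultSecurityDescriptor in the schema should be checked too or newly created users will get the same ACEs back. Separately from the thread's DACL approach, on Windows Server 2003 SP1 and later the schema attribute's searchFlags can have the confidential bit (0x80) set, after which the default read grants no longer return the attribute and only principals with the CONTROL_ACCESS right on it (or full control) can read it.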
