Add attribute to Active Directory

Guest

Does anyone know how to add an attribute to an Active Directory account in
Windows 2000, but make it so other users cannot view the attribute?

For example, create a social security number attribute and hide it from
most groups.
 
S.J.Haribabu

Hi,

Yep it's possible to create an attribute and hide it from the specified
groups. I did some research and found the following studies.

This high level of control allows an administrator to grant individual
users and groups varying levels of permissions for objects and their
properties. Administrators can even add attributes to objects and hide
those attributes from certain groups of users. For example, the
administrator could set the ACLs such that only managers can view the home
phone numbers of other users. Nonmanagers would not even know that the
attribute existed.

A concept new to Windows 2000 Server is delegated administration. This
allows administrators to assign administrative tasks to other users, while
not granting those users more power than necessary. Delegated
administration can be assigned over specific objects or contiguous subtrees
of a directory.

Access controls can hide mandatory attributes too.

Also go through the article for more information at
http://www.awprofessional.com/articles/article.asp?p=26136&seqNum=4

I hope the above posting would be helpful for you.

Thanks,
(e-mail address removed)

This posting is provided "AS IS" with no warranties, and confers no rights.
 
Ryan Hanisco

Wosully,

If you are talking about adding new attributes that aren't in the directory
you would be extending the schema. I would point out that this, while not
hard to do, should never be done lightly and without forethought.

To be able to do this, you will have to add yourself to the Schema
Admins group -- no, neither Domain Admins nor Enterprise Admins are
in this by default.

Secondly, I would caution against just adding attributes to the User class.
Instead create a new class (like employee) that inherits from the User base
class and add your attributes to that.
 
Guest

Thank you both very much for your help.

I think we will have to extend the schema and I will create a new class,
because I have heard that is the safest thing to do. Any additional tips
would be greatly appreciated. I still will hide the attribute from users: it will
be a social security number.
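
The schema extension discussed in this thread (a new attribute plus a new class derived from user), sketched as an LDIF file for `ldifde -i -f`; this is an added example, not something posted by the participants. The `example-` names, the `DC=example,DC=com` forest root and the `<YOUR-OID-BASE>` OIDs are placeholders, and the file only defines the schema objects: hiding the value from other users is still done with ACLs on the attribute, as described above.

```ldif
# Constructed example: every name, DN and OID below is a placeholder.
# Import as a member of Schema Admins, against the schema master.

# 1. The new attribute: single-valued Unicode string, kept out of the
#    global catalog and not indexed.
dn: CN=example-EmployeeSSN,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: attributeSchema
cn: example-EmployeeSSN
lDAPDisplayName: exampleEmployeeSSN
attributeID: <YOUR-OID-BASE>.1.1
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
isMemberOfPartialAttributeSet: FALSE
searchFlags: 0

# 2. Reload the schema cache so the class below can reference the
#    attribute that was just created.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

# 3. A structural class that inherits from user and may carry the new
#    attribute, leaving the built-in user class unmodified.
dn: CN=example-Employee,CN=Schema,CN=Configuration,DC=example,DC=com
changetype: add
objectClass: classSchema
cn: example-Employee
lDAPDisplayName: exampleEmployee
governsID: <YOUR-OID-BASE>.2.1
objectClassCategory: 1
subClassOf: user
mayContain: exampleEmployeeSSN

# 4. Reload the schema cache again so the new class is usable.
dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-
```

Schema additions cannot be deleted afterwards, so a file like this is normally tried in a test forest first.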
 
