tight control of ADS object modifications

  • Thread starter Brandon McCombs

Brandon McCombs

Hello,

We have a group of users who will need to be able to modify Contact
objects in ADS, sometimes on a daily basis. We are storing information
for external people who we send faxes to. With the external "user" base
being very big, changes to the data could happen daily. We obviously
don't want to give this small group (about 10) access to the whole
directory structure and I know I can change ACLs so that they can only
edit the part of the DIT that contains the Contacts but is there any way
to prevent these users from being able to even see how the directory is
laid out (you know that once they get this new feature they will want to
explore)? I'm planning on using ADUC snap-in as a way to allow the users
to modify the data fields they will need to get to but of course with
ADUC they can see the directory structure as well.

The alternative to ADUC that I had was a Perl script. Another guy had
made a Perl script in the past that would allow another small group of
users (helpdesk) to only be able to reset passwords (just a small window
popped up, asking for a username then a new password) and I thought
about having a Perl script work in this case to allow this other group
to modify the Contact information but a directory search would have to
be performed first (I think) and a GUI would need to be created to
allow only the fields they need to see to be presented to them.

Any ideas on which idea is best, and how I can prevent people from being
able to see the whole DIT if I go with the ADUC option?

thanks
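
The scripted alternative raised in this post, as an added example that is not part of the original thread, written in PowerShell with the ActiveDirectory module rather than Perl: it searches only Contact objects under one OU and writes only allow-listed attributes. The OU path, attribute list and function names are assumptions; the script runs with the caller's own credentials, so the ACL delegation on that OU is still what limits these users.

```powershell
# Added example, not from the thread. The OU path and attribute list are assumed.
Import-Module ActiveDirectory

$ContactsOU   = 'OU=FaxContacts,DC=example,DC=com'   # hypothetical OU
$AllowedAttrs = 'facsimileTelephoneNumber', 'telephoneNumber', 'mail', 'company'

function ConvertTo-LdapFilterValue {
    # Escape RFC 4515 special characters; backslash first to avoid double escaping.
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Replace('\', '\5c').Replace('*', '\2a')
    $v = $v.Replace('(', '\28').Replace(')', '\29')
    $v.Replace([string][char]0, '\00')
}

function Find-FaxContact {
    # Prefix search on cn, limited to contact objects under the one OU.
    param([Parameter(Mandatory)][string]$Name)
    $safe = ConvertTo-LdapFilterValue $Name
    Get-ADObject -SearchBase $ContactsOU -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=contact)(cn=$safe*))" `
        -Properties $AllowedAttrs
}

function Set-FaxContactField {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][AllowEmptyString()][string]$Value
    )
    # Refuse any attribute that is not on the allow-list.
    if ($AllowedAttrs -notcontains $Attribute) {
        throw "Attribute '$Attribute' is not editable through this tool."
    }
    # Re-resolve the target through the scoped search so that a DN outside
    # the OU, or an object that is not a contact, is rejected.
    $dn  = ConvertTo-LdapFilterValue $DistinguishedName
    $obj = Get-ADObject -SearchBase $ContactsOU -SearchScope Subtree `
        -LDAPFilter "(&(objectClass=contact)(distinguishedName=$dn))"
    if (-not $obj) { throw "Not a contact under $ContactsOU." }

    # An empty value clears the attribute; anything else replaces it.
    if ($Value -eq '') { Set-ADObject -Identity $obj -Clear $Attribute }
    else               { Set-ADObject -Identity $obj -Replace @{ $Attribute = $Value } }
}
```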
 

Jorge_de_Almeida_Pinto

Create a custom taskpad that targets the specific OU with the
contacts!

See:
http://redmondmag.com/columns/article.asp?EditorialsID=770
http://www.zdnetasia.com/insight/network/0,39044847,39223589,00.htm
 

Brandon McCombs

This is awesome Jorge. Thanks

Jorge_de_Almeida_Pinto said:
Create a custom taskpad that targets the specific OU with the
contacts!

See:
http://redmondmag.com/columns/article.asp?EditorialsID=770
http://www.zdnetasia.com/insight/network/0,39044847,39223589,00.htm
