Brandon McCombs
Hello,
We have a group of users who will need to be able to modify Contact
objects in ADS, sometimes on a daily basis. We are storing information
for external people who we send faxes to. With the external "user" base
being very big, changes to the data could happen daily. We obviously
don't want to give this small group (about 10) access to the whole
directory structure and I know I can change ACLs so that they can only
edit the part of the DIT that contains the Contacts but is there any way
to prevent these users from being able to even see how the directory is
laid out (you know that once they get this new feature they will want to
explore)? I'm planning on using the ADUC snap-in as a way to allow the users
to modify the data fields they will need to get to but of course with
ADUC they can see the directory structure as well.
The alternative to ADUC that I had was a Perl script. Another guy had
made a Perl script in the past that would allow another small group of
users (helpdesk) to only be able to reset passwords (just a small window
popped up, asking for a username then a new password) and I thought
about having a Perl script work in this case to allow this other group
to modify the Contact information but a directory search would have to
be performed first (I think) and a GUI would need to be created to
allow only the fields they need to see to be presented to them.
Any ideas on which idea is best, and how I can prevent people from being
able to see the whole DIT if I go with the ADUC option?
Thanks