No announcement yet.

Need to adjust permissions on attributes in user objects

  • Filter
  • Time
  • Show
Clear All
new posts

  • Need to adjust permissions on attributes in user objects

    I have been given a sticky one and I have very little research time these days. I was hoping that someone can give me a hand.

    As you know an Active Directory user object has different fields and attributes. We want to adjust the permissions on some of these attributes so that only a select group can view them.

    The fields we want to adjust the permissions on are:

    Home Phone (homePhone) - home phone number
    Pager Number (pager) - personal mobile number
    IP Phone (ipPhone) - home email address

    Can someone please assist with this?



  • #2
    Re: Need to adjust permissions on attributes in user objects

    The problem is two-fold:

    First you need to make sure that new objects get created with adjusted permissions. This is done by editing the defaultSecurityDescriptor of the object class that is using the attribute.
    If you open the Schema mmc, locate the object class in question, go to Default Security tab and go to Advanced in the ACL editor, you will see that access to the attributes you are talking about is managed via "Personal Information" Property Set (property set is a collection of attributes. Any given attribute can belong nor more than to one property set).
    In this case, anyone can read those attributes because "Authenticated Users" have read permissions to (see attached screenshot)

    ipPhone - Personal Information Property Set
    pager - Personal Information Property Set
    homePhone - Personal Information Property Set

    You will have to add:
    1) Deny on those 3 attributes for Authenticated Users
    2) Add a new ACE to the ACL that grants the group you want to allow to see those attributes with:
    Allow read to those 3 attributes

    Make sure that does not break Exchange, as in many cases Exchange assumes that it can read an attribute without explicit permissions just because Authenticated Users groups has access to the attribute.
    I am also not sure how this change will influence the GAL. In your place I'd setup a lab and first try things there - setting incorrect permissions can have very unpleasant consequences...

    After defaultSecurityDescriptor is adjusted, create some accounts and check out it's ACL to make sure the changes have caught up.

    After that you will need to adjust the permissions on already created users. This is either not fun - you'll probably have to use something like dsacls.exe to do that.
    With DSACLS you have 2 options:

    1) Use the /S switch which will reset the ACL on the object to defaults configured in Schema
    2) Explicitly add the DENY and ALLOW ACEs (same as mentioned above) if you have custom ACLs on the objects
    Attached Files
    Last edited by guyt; 19th April 2007, 10:19. Reason: added screenshot
    Guy Teverovsky
    "Smith & Wesson - the original point and click interface"