Title: Message
I haven't done it, but understand that you can set an attribute of an object to be hidden.  That ought to do it.
 
 

+-------------------------------------------------------------------+
Kevin Flanagan
C/S Planning Engineer III
I/T Implementation Department
Branch Banking & Trust Company
3261 Atlantic Avenue, Suite 116
MC: 172-85-01-00
Raleigh, NC  27604
Voice: 919-716-6209

-----Original Message-----
From: Barber, Tom [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 10, 2001 11:29 AM
To: [EMAIL PROTECTED]
Subject: FW: [ActiveDir]

Yes, I made sure the "Apply to this object and all child objects" was selected; in fact, after I changed the permissions I actually looked at some of the User objects to verify inheritance was working.

 

And yes, after changing the permissions, I manually forced replication to all the domain controllers via multiple repadmin /sync commands to all my DCs.

 

Anything else it could be?

 

-Tom Barber

Systems Manager

Alfred State College

Alfred, NY 14802

(607)587-3558

 

-----Original Message-----
From: Steve Judd [mailto:[EMAIL PROTECTED]]
Sent: Friday, August 10, 2001 10:27 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir]

 

Did you specify "Apply to this object and all child objects" when you applied the ACE?  Also, if you have multiple DCs, did you allow enough time for the security change to replicate to your GC?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Barber, Tom
Sent: Friday, August 10, 2001 5:28 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir]

Greetings.

 

We are currently running Active Directory in mixed mode.

 

I would like to utilize one or more properties listed with User class objects to store some information - mainly the EmployeeID property and possibly another property.  I would like the values in these properties to be unavailable to most users via Active Directory searches.

 

I have used ADSIEdit (an MMC plug-in that you need to install from the Windows 2000 Server CD's Support Tools) to look at permissions on the Users Container, which contains all of my User class objects; however, when I use DENY permissions on the Read EmployeeID property for all User Objects, it still allows the EmployeeID to be searched (by a member of the group) and displayed.

 

You would think this type of permissions-based limiting of access to properties would be well documented by Microsoft; unfortunately it doesn't seem to be.  I know there are a few KB Articles on setting permissions on the User class object itself, but I can't find any procedure or step-by-step listing how to do this to the container object so all objects within the container will inherit the permissions.

 

I believe this type of setting would benefit any organization that wanted to keep part of their AD Properties more confidential.

 

Does anyone know if mixed mode is the reason I can not get this to work?

Does anyone have a procedure on how to set permissions on a Container object so you can limit search access to specific properties on User Objects?

 

Thanks!

 

 

-Tom Barber

Systems Manager

Alfred State College

Alfred, NY 14802

(607)587-3558
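
Added example (not part of the original thread and not from any of its posters): a PowerShell audit of the check described above, listing every ACE on one user object that bears on Read Property for employeeID, showing whether it allows or denies and whether it was inherited from the container. The DN is a placeholder, and the script assumes a domain-joined Windows host and an account allowed to read the object's DACL.

```powershell
# Added example: audit the ACEs that govern reading employeeID on one user object.
# Assumption: $UserDn is a placeholder; substitute a real user in the container.
param(
    [string]$UserDn = 'CN=Test User,CN=Users,DC=example,DC=edu'
)

# Resolve the attribute's schemaIDGUID from the schema rather than hard-coding it.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = "$($rootDse.schemaNamingContext)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
$searcher.Filter     = '(&(objectClass=attributeSchema)(lDAPDisplayName=employeeID))'
[void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
$hit = $searcher.FindOne()
if (-not $hit) { throw 'employeeID not found in schema' }
$attrGuid = New-Object System.Guid (,[byte[]]$hit.Properties['schemaidguid'][0])

# Read the DACL of the user object: explicit and inherited ACEs, names resolved.
$user  = [ADSI]"LDAP://$UserDn"
$rules = $user.psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

# Keep ACEs that include ReadProperty and apply either to employeeID specifically
# or to all properties (empty ObjectType). ACEs scoped to a property set
# (attributeSecurityGUID) are not matched by this filter.
$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$rules |
    Where-Object {
        ($_.ActiveDirectoryRights -band $readProp) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [Guid]::Empty)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited,
                  ObjectType, ActiveDirectoryRights |
    Format-Table -AutoSize
```

The IsInherited column shows whether the Deny entry set on the container actually reached the user object, and the remaining rows show which other entries for the same trustees also cover that attribute.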

 
