We have done this. It is OK to do. FYI: users can access most objects and attributes via LDAP. You can place security on these items. However, if an application is expecting to read this item, it will fail. An example would be Exchange. If you block certain attributes, users cannot authenticate or send mail, etc.

-----Original Message-----
From: King, Arron S. [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 26, 2002 1:51 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Default read permissions for Authenticated Users

We've just begun to populate part of the AD with an ID Number that was previously kept in a separate database. We've noticed that anyone (particularly guest) can "read" attributes using ADSIedit. It appears that the default permissions on objects are to allow authenticated users to read. We would like to change this so that only certain groups can read that type of information.

We've done some experimenting with changing that default permission. Has anyone else done this? Any problems or tips?

Thanks!
Arron
_________________________________________________
Arron King
Network & Systems Administrator
Ohio Dominican College
voice - 614.251.4515
fax - 614.252.2650
[EMAIL PROTECTED]
http:\\www.odc.edu\~kinga

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
