A better (read: more extensible) scheme would be to create a single application object for each application you wish to secure, and use the ACLs on the objects to control access to the application. For instance, if the application is domain specific, you might put the application object in the CN=Program Data,DC=domain container. If it is an enterprise app, you might create a container somewhere under CN=Services,CN=Configuration,... To check if someone has access to run the app, just have the app read the object. If the app can read the object, the user can run the app, otherwise not.

-gil

-----Original Message-----
From: Sharma, Shshank [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 1:35 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Extending the Active Directory Schema

I am thinking about something similar, such as adding attributes like allowAccessToApplicationX, allowAccessToApplicationY and so on, for users. How easy is doing something like this, anyone?

./Shshank

-----Original Message-----
From: Pennell, Ronald B. [mailto:[EMAIL PROTECTED]
Sent: Tuesday, June 10, 2003 9:14 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Extending the Active Directory Schema

Has anyone extended the active directory to include the employee number as a displayed field? I understand that this field exists, but no attributes have been set. I want to add the employee number in the displayed items when setting up the user account. Running W2K Sp3...

Ron Pennell
[EMAIL PROTECTED]

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
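
The read-the-object check described in the first message, sketched in PowerShell as an added example that is not from the thread or any of its posters. The object DN, the function name `Test-AppAccess` and the probe attribute `cn` are assumptions chosen for illustration.

```powershell
# Added example. The DN is a constructed placeholder, not a value from the thread.
$AppObjectDn = 'CN=ApplicationX,CN=Program Data,DC=example,DC=com'

function Test-AppAccess {
    param(
        [Parameter(Mandatory)] [string] $DistinguishedName,
        # Attribute the caller must be able to read; 'cn' is an assumption.
        [string] $ProbeAttribute = 'cn'
    )
    # Binds with the credentials of the user who launched the application.
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DistinguishedName")
    try {
        # Force a real LDAP read of only the probe attribute.
        $entry.psbase.RefreshCache([string[]]@($ProbeAttribute))
        # An object can be visible while its attributes are not readable,
        # so require an actual value, not just a successful bind.
        return ($entry.psbase.Properties[$ProbeAttribute].Count -gt 0)
    }
    catch {
        # Access denied, "no such object" (how a hidden object appears),
        # unreachable DC, malformed DN: all are treated as "not authorized".
        return $false
    }
    finally {
        $entry.psbase.Dispose()
    }
}

if (-not (Test-AppAccess -DistinguishedName $AppObjectDn)) {
    Write-Error 'You are not authorized to run this application.'
    exit 1
}
```

The check is only as strict as the object's ACL, so confirm that read access is not granted to broad groups such as Authenticated Users. Because the test runs inside the application under the user's own credentials, it gates a cooperative client and does not replace enforcement on whatever backend the application talks to.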
