Sure. I just posted a message here already about delegating computer object stuff, but the user object stuff is pretty much the same. Let's say you don't want your users to change their phone number, for example. One point on this example - by default, all users have the right (or more appropriately - the permission) to modify their OWN information, so we'll need to take it away.
1. Go to the Domain or OU level of choice, right click / properties / Security / Advanced UI
2. If not already there, add the SELF principal. Makes life easier - see caveat [1]
3. Select the Properties tab, 'Apply on to:' and choose User Object
4. Check in the DENY column the fields that you do not want the user to be able to Write to - they will still be able to View it.
5. Apply / OK / OK should get it done.
[1] Caveat - make sure that you plan this carefully. SELF is great for this, unless you REALLY want to assign this explicitly to each and every user. Denys, as always, are very nasty, and a misplaced one can be very hard to track down. Apply this on to an OU for your users, leaving the Administrative accounts unscathed.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
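The same SELF Deny done from PowerShell, as an added example that is not part of Rick's reply or the list archive. It uses the RSAT ActiveDirectory module and System.DirectoryServices to place a Deny WriteProperty ACE for SELF on one attribute of user objects under an OU (steps 1-5 above), then lists the Deny ACEs at that OU so a misplaced Deny (caveat [1]) can be found. The OU distinguished name and the attribute name are placeholders; the schema GUIDs are looked up at run time rather than hard-coded.

```powershell
# Added example (not from the original thread). Denies SELF the right to write
# one attribute on user objects under an OU, then lists the Deny ACEs for review.
# Requires the RSAT ActiveDirectory module and rights to modify the OU's ACL.
Import-Module ActiveDirectory

# Placeholders: scope this to your user OU, not the domain root (see caveat [1]).
$ouDn          = "OU=Users,DC=example,DC=com"
$attributeName = "telephoneNumber"   # lDAPDisplayName of the attribute to lock

# Resolve the schema GUIDs at run time instead of hard-coding them.
$schemaNc  = (Get-ADRootDSE).schemaNamingContext
$attrObj   = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
               -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attributeName))"
$userClass = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
               -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))"
if (-not $attrObj) { throw "Attribute '$attributeName' not found in the schema" }
$attrGuid      = [guid]$attrObj.schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID

# NT AUTHORITY\SELF is the well-known SID S-1-5-10; an ACE for SELF applies to
# each user only with respect to their own object, so one ACE covers everyone.
$self = New-Object System.Security.Principal.SecurityIdentifier("S-1-5-10")

# Deny WriteProperty on this one attribute, inherited by descendant user objects
# only. ReadProperty is untouched, so users can still view the value.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Review: list every Deny ACE for SELF visible at this OU (inherited ones
# included), so a Deny that landed in the wrong place is easy to spot.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*\SELF' } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType, IsInherited -AutoSize
```

The review step at the end is worth running on any OU where a Deny was placed, and on its parents, since an inherited Deny shows up with IsInherited set to True. To back the change out, call $acl.RemoveAccessRule($rule) on the same ACL object and run Set-Acl again.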
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Wednesday, July 16, 2003 2:41 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Locking Down User Information Fields in AD
Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account. AD...
Basically I want them only to be able to update their own phone # and nothing else, and I would also like to force it to be strictly a numeric only field (which it isn't by default).
Any ideas??
Thanks,
-Tim
