Date: 11 Jul 2006

I know HOW to do what I want to do, but I'm wondering if there's a
cleaner way to do it that I haven't noticed yet.  Basically, I want to
control who can and who can't Read particular attributes of users in Active
Directory, namely customAttribute1 and customAttribute2.  I want to set
it so that only members of one particular group can read those
attributes.  Now, I know that I can go into the Security tab of the OU
and remove the Read permission for those attributes from the
Authenticated Users group, and then add a specific group that DOES have
the read permission.  And that seems like it works just fine, but it
makes the Access list really bulky because it creates a Read and a
Write permission for EACH AD attribute EXCEPT the ones.  Anyone have
any thoughts on a more elegant way of doing this?