AD Permission = Only Copy EmailID Attribute

    Question

  • Hi All, 

    I want to give helpdesk users the following permissions on Active Directory:

    1. Read all User Properties
    2. Only Copy Emailaddress attribute of users and no other attribute

    How to achieve this?

    Regards,
    Thads

    tfernandes

    Sunday, March 26, 2017 11:07 AM

Answers

  • You cannot copy it from the Active Directory Users and Computers console, but you can do this in many ways - for example, one would be by running the following from the Command Prompt:

    dsquery user -name Pradeep | dsget user -email

    and then copying the output from the Command Prompt

    There are many other ways that anyone can use to retrieve/copy the same information

    hth
    Marcin

    Tuesday, March 28, 2017 10:32 AM

All replies

  • Could you clarify what you mean by "copy"? Copy to where?

    hth
    Marcin

    Sunday, March 26, 2017 11:31 AM
  • Hi

    If you can copy, then you can read. There is a permission called Read all properties; make sure you can apply it to all descendant user objects, and that way your helpdesk can read all the properties (yes, this will include any custom properties created as well).

    Sunday, March 26, 2017 4:45 PM
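
    An added example, not part of any post in this thread: one way to grant the "Read all properties" permission described above on descendant user objects, review the result, and see that a readable attribute is also exportable as text. The OU distinguished name and the `EXAMPLE\Helpdesk` group are placeholders; the user name is the one used in the dsquery command elsewhere in the thread.

```powershell
# Added example; the OU DN and group name below are placeholders.
Import-Module ActiveDirectory

$ou    = 'OU=Staff,DC=example,DC=com'
$group = 'EXAMPLE\Helpdesk'

# Grant Read Property (RP) on all properties, inherited by descendant
# user objects only (/I:S = sub-objects, ";;user" = inherited object type).
dsacls $ou /I:S /G "${group}:RP;;user"
if ($LASTEXITCODE -ne 0) { throw "dsacls failed with exit code $LASTEXITCODE" }

# Review the ACEs the group now holds on the OU.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference.Value -eq $group } |
    Select-Object IdentityReference, ActiveDirectoryRights,
                  InheritanceType, AccessControlType

# Run as a member of the delegated group: the mail attribute comes back
# as plain text, independent of what the ADUC property dialog allows.
Get-ADUser -Filter "Name -eq 'Pradeep'" -Properties mail |
    Select-Object SamAccountName, mail
```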
  • Copy to CLIPBOARD - I want them only to Copy Email attribute to clipboard - Other attributes they should be able to read but not copy 

    tfernandes

    Sunday, March 26, 2017 7:13 PM
  • There is no way you can prevent it. You can read AD attributes in a variety of ways - including, for example, from the Command Prompt, a PowerShell session, and a variety of Microsoft and third party utilities. At that point, this is no longer something that AD controls

    hth
    Marcin

    Sunday, March 26, 2017 8:02 PM
  • Hi Thads,
    In my experience, if someone could read something, we can’t control them to “copy” anything at all, because once users could read something, they could “copy” what they need by pressing the screenshot of their computers.
    Generally, we could control users to read or write specific user properties attributes via delegate control wizard, please see details from: https://dani3lr.wordpress.com/2009/07/25/delegation-control-to-modify-only-certain-user-attributes-part-1/
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, March 27, 2017 8:09 AM
    Moderator
  • Hi all, 

    I've given read permission as in screenshot - still user is finding all fields greyed out & cannot copy using right click. 


    tfernandes

    Monday, March 27, 2017 9:22 AM
  • Presumably you are referring to the interface of Active Directory Users and Computers.

    Anyone with read permissions can read the attribute by using other means (e.g. dsget command line utility) and copy the results

    hth
    Marcin

    Monday, March 27, 2017 11:08 AM
  • Thanks for the reply. 

    The requirement is that the user should open Active Directory Users and Computers and should be able to right click > Copy the email ID and then paste it in Notepad / Word.

    After giving Read All user properties also, the user is unable to copy the email ID attribute.

    He will not use PowerShell and do the get-aduser command.

    He wants to use Active Directory Users and Computers only.

    Kindly advise. 


    tfernandes

    Saturday, April 1, 2017 8:10 AM
  • Hi,
    According to your description, I doubt that there is such a way to do as you request.
    Best Regards,
    Wendy Jiang


    Tuesday, April 4, 2017 5:46 AM
    Moderator