Block Attribute View From Certain Users

Question
-
We are looking to populate our "Telephone Number" field in Active Directory with afterhours contact information for a small subset of our users. However, we don’t want this information visible to everyone in Active Directory. Is it possible to restrict access to view such attributes via GPO or group membership or the like? I have searched several forums but haven’t come across an answer just yet. The vast majority of our users would be viewing such information through Outlook 2010 or by synching their phones with Exchange.
Any insight on how this might be achieved would be greatly appreciated.
Friday, November 30, 2012 4:07 PM
Answers
-
In your AD environment the telephoneNumber attribute is a member of the Personal Information Property Set (http://technet.microsoft.com/en-us/library/cc728117(v=ws.10).aspx) and by default all Authenticated Users have Read access on the property set on all user objects.
The quickest way to deny most of your users the ability to see this field but allow some users to do so would be to remove the attribute from the property set in your schema, then use an AD group for the subset of users and grant them read access to the attribute on all user objects. However you probably don't want to be modifying the built-in property sets in your schema.
The way to do it without schema modification would be to create two AD groups - one for the subset of users and one for everyone else. You can deny read on telephoneNumber on all user objects for the larger group containing most of your employees, and can allow read on telephoneNumber for the smaller subset. This isn't a great solution though since you have to update the larger group every time you hire/term.
An alternate solution would be to use one of the attributes not in any property set for this purpose. You won't have to create any deny rules on the attribute, only an allow Read rule for the subset of users and a Read/Write rule for whoever needs to set the property (e.g. your HR staff). You could use one of the extensionAttributes for this for example. Of course the problem with this approach is that the property will not appear in Outlook or Contacts via EAS, you will have to do something custom for them to access the information.
I would consider the schema option if you aren't too squeamish about that since it is the simplest solution. Edit: By the way, this might be unsupported.
- Edited by Neil Frick Friday, November 30, 2012 4:56 PM
- Marked as answer by 朱鸿文 Tuesday, December 4, 2012 7:45 AM
Friday, November 30, 2012 4:40 PM
-
Hello,
This could be done using the Security permissions of the OUs holding these users or the user accounts themselves. Of course, using Security permissions on OU level is easier because, by default, these permissions will be inherited.
You can create a group which contains users who will be allowed to read this attribute and grant Read attribute permission for them. For others, this can be denied explicitly or implicitly.
This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Sunday, December 2, 2012 4:09 PM
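Both answers above come down to the same mechanism: an attribute-scoped ACE in the DACL of the OU holding the accounts (inherited by its user objects) or of the user objects themselves. The PowerShell below is an added example, not code from this thread or from Microsoft. It assumes the RSAT ActiveDirectory module and its AD: drive, an account allowed to modify the OU's security descriptor, and placeholder OU, group and domain names (OU=Staff,DC=example,DC=com, AfterHours-Readers, HR-Staff, AllOtherStaff). It covers the allow side shared by both answers (Read for the subset group, Read/Write for whoever maintains the value, usable for telephoneNumber or for an extensionAttribute as Neil Frick's third option suggests) and the deny side of his two-group option.

```powershell
# Added example, not from the thread: attribute-scoped ACEs for telephoneNumber
# (or any other attribute such as extensionAttribute1) via the RSAT ActiveDirectory
# module. Every OU, group and domain name below is a placeholder.
Import-Module ActiveDirectory

# Resolve the schemaIDGUID of an attribute or class. An attribute-scoped ACE carries
# the attribute's GUID as objectType; an ACE restricted to user objects carries the
# 'user' class GUID as inheritedObjectType.
function Get-SchemaGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" `
                        -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found." }
    return [guid]$obj.schemaIDGUID
}

# Build one ACE for $GroupName on a single attribute. With -InheritToUsers the ACE is
# meant for an OU and applies only to descendant user objects; without it the ACE is
# explicit on whatever object it is added to.
function New-AttributeAce {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][string]$Attribute,
        [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Parameter(Mandatory)][System.Security.AccessControl.AccessControlType]$Type,
        [switch]$InheritToUsers
    )
    $sid      = (Get-ADGroup -Identity $GroupName).SID
    $attrGuid = Get-SchemaGuid $Attribute
    if ($InheritToUsers) {
        $inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
        $userGuid = Get-SchemaGuid 'user'
        return New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $Rights, $Type, $attrGuid, $inherit, $userGuid)
    }
    $none = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
    return New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $Rights, $Type, $attrGuid, $none)
}

# Append an ACE to the DACL of the object with the given distinguished name.
function Add-AceToObject {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][System.DirectoryServices.ActiveDirectoryAccessRule]$Ace)
    $path = "AD:\$DistinguishedName"
    $acl  = Get-Acl -Path $path
    $acl.AddAccessRule($Ace)
    Set-Acl -Path $path -AclObject $acl
}

# Check: list the ACEs on an object that are scoped to one attribute, so the result
# of the changes below can be reviewed before and after.
function Get-AttributeAces {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][string]$Attribute)
    $attrGuid = Get-SchemaGuid $Attribute
    (Get-Acl -Path "AD:\$DistinguishedName").Access | Where-Object { $_.ObjectType -eq $attrGuid }
}

# --- Usage with placeholder names -------------------------------------------------
$ou        = 'OU=Staff,DC=example,DC=com'   # placeholder OU holding the user accounts
$attribute = 'telephoneNumber'              # or e.g. 'extensionAttribute1'

# Allow side, set once on the OU and inherited by its user objects (the approach in
# both answers): the subset group gets Read, the maintaining group gets Read+Write.
$readAce  = New-AttributeAce -GroupName 'AfterHours-Readers' -Attribute $attribute `
                             -Rights ReadProperty -Type Allow -InheritToUsers
$writeAce = New-AttributeAce -GroupName 'HR-Staff' -Attribute $attribute `
                             -Rights 'ReadProperty, WriteProperty' -Type Allow -InheritToUsers
Add-AceToObject -DistinguishedName $ou -Ace $readAce
Add-AceToObject -DistinguishedName $ou -Ace $writeAce

# Deny side, needed only for telephoneNumber (the two-group option). The default
# Allow for Authenticated Users on the Personal Information property set is an
# explicit ACE on every user object, and explicit Allow ACEs are evaluated before
# inherited Deny ACEs, so a Deny inherited from the OU would not block it. The Deny
# therefore has to be an explicit ACE on each user object in the OU.
if ($attribute -eq 'telephoneNumber') {
    $denyAce = New-AttributeAce -GroupName 'AllOtherStaff' -Attribute $attribute `
                                -Rights ReadProperty -Type Deny
    Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
        Add-AceToObject -DistinguishedName $_.DistinguishedName -Ace $denyAce
    }
}

Get-AttributeAces -DistinguishedName $ou -Attribute $attribute
```

The ordering point in the last block is the reason the OU-level shortcut works for the Allow ACEs but not for the Deny ACE: Windows evaluates a DACL in canonical order (explicit Deny, explicit Allow, inherited Deny, inherited Allow), so an inherited Deny never overrides the explicit Allow that the user class's default security descriptor stamps on each account. Outlook's address book and Exchange ActiveSync read the same attribute under the caller's AD permissions, so the effect can be checked by querying a test account from a session of a member of each group (for example `Get-ADUser <testuser> -Properties telephoneNumber`), remembering that new group memberships apply at the next logon.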
All replies
-
You can use the approach described in http://www.windowsitpro.com/article/active-directory/hiding-data-active-directory-142135 and http://www.windowsitpro.com/article/active-directory/hiding-data-active-directory-part2-143605
Hope this helps
Best Regards,
Sandesh Dubey.
MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog
Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.
Monday, December 3, 2012 4:16 AM