Location: List Archives

List Archives

This forum is an archive of all posts to our mailing list over the past few years.  The forum is set read only therefore to contribute you will need to join our list community.  See more info about this here.

List Archives

Forums >ActiveDir Mail List Archive >List Archives
Subject: RE: [ActiveDir] AD attribute
Prev Next
You are not authorized to post a reply.

AuthorMessages
listmailUser is Offline

Posts:428

08/21/2005 7:21 AM  
This is basically what we were discussing in the last post I responded to
earlier today. You need to pick an attribute, determine how the accesses are
granted and think of a way to attack it.

I would probably look at employeeID or employeeNumber, neither of which I
believe are in property sets. The big thing you have to overcome would be
the ACE for the Pre-W2K compatability access because you probably have that
enabled. Luckily that access is granted through an inherited ACE from the
domain root so you can insert a deny at that level to block that access. Now
you need to regrant to any groups you want to see it (other than acc op,
admins, etc who have explicit FCs anyway) by going to a lower level in the
hierarchy and granting an inherited grant to the group you created of who
should get access.



-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
[mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Friday, August 19, 2005 1:38 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] AD attribute

I'm running win2k in native mode.
how would I do this in win2k AD?

Thanks

On 8/19/05, Marc A. Mapplebeck wrote:
> This is a step by step to add the attribute and extend the display
> specifier to allow it to be modified.
> http://www.informit.com/articles/article.asp?p=169630&rl=1
> Hope this helps - Marc
>
> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
> Sent: August 19, 2005 13:55
> To: activedirectory
> Subject: [ActiveDir] AD attribute
>
> My org wants to put social security #'s in AD as a user attrib(hidden
> from users, of course) How would I go about doing this?
>
> Thanks
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/
>
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
You are not authorized to post a reply.
Forums >ActiveDir Mail List Archive >List Archives > RE: [ActiveDir] AD attribute



ActiveForums 3.7
AdventNet Banner
Friends

Friends

Namescape
Members

Members

MembershipMembership:
Latest New UserLatest:adamswifty
New TodayNew Today:2
New YesterdayNew Yesterday:1
User CountOverall:4263
People OnlinePeople Online:
VisitorsVisitors:80
MembersMembers:0
TotalTotal:80
Online NowOnline Now:

Ads

Copyright 2008 ActiveDir.org
Terms Of Use