I think you may be SOL unless you modify the ACLs on the properties in the
SCHEMA or are willing to modify the ACLs on every user object.
AD has two levels of permissions: inherited and direct. Within these two
levels you have access and deny. Now you have a little algorithm that
controls how those permissions work.
In general in NT it was always the case that a DENY permission denied
access completely; it couldn't be overridden by any other permissions
given. This is not the case in AD.
Inherited permissions are "weaker" than the direct permissions. This means
that a DENY permission from an inheritance CAN BE OVERRIDDEN by a GRANT
permission that is directly given. All user objects get GRANT permission to
change their own personal information directly when they are created. So no
amount of inherited permissions would DENY that access. You would have to
remove the actual GRANT permission from each and every user object.
> We have a script that runs and populates some user's AD
> fields like the Office, City, Country, address, etc.
> Now, users can change their own settings when navigating
> Windows Explorer / Network / Active Directory....
> I know we can deny access (using SELF account) to some
> user properties but I would like to do this globally on a
> particular OU. The problem is when I open the permissions
> for this OU, I don't get all the individual user
> attributes like street, ZIP code, State, etc....
> How could I easily deny this write attribute permission
> globally??