Restricting user from changing their own AD User attributes

Post by Danie » Fri, 21 Jun 2002 01:05:20

We have a script that runs and populates some users' AD
fields like the Office, City, Country, address, etc.

Now, users can change their own settings when navigating
Windows Explorer / Network / Active Directory....

I know we can deny access (using SELF account) to some
user properties but I would like to do this globally on a
particular OU.  The problem is when I open the permissions
for this OU, I don't get all the individual user
attributes like street, ZIP code, State, etc....

How could I easily deny this write attribute permission
globally ??

Thanks

Daniel


Restricting user from changing their own AD User attributes

Post by Hans Schefsk » Fri, 21 Jun 2002 02:08:22
Go to the permissions of the OU and click the ADVANCED button.
Select one of the entries, click EDIT, and go to the
PROPERTIES tab. There you will see DENY and ALLOW
settings for Postal Code, Street, etc.

Hans Schefske
MyITForum.com - Columnist

> -----Original Message-----
> We have a script that runs and populates some users' AD
> fields like the Office, City, Country, address, etc.
>
> Now, users can change their own settings when navigating
> Windows Explorer / Network / Active Directory....
>
> I know we can deny access (using SELF account) to some
> user properties but I would like to do this globally on a
> particular OU.  The problem is when I open the permissions
> for this OU, I don't get all the individual user
> attributes like street, ZIP code, State, etc....
>
> How could I easily deny this write attribute permission
> globally ??
>
> Thanks
>
> Daniel


Restricting user from changing their own AD User attributes

Post by Joe Richards [MVP] » Mon, 24 Jun 2002 23:59:44

I think you may be SOL unless you modify the ACLs on the properties in the
SCHEMA or are willing to modify the ACLs on every user object.

AD has two levels of permissions: inherited and direct. Within these two
levels you have access and deny. Now you have a little algorithm that
controls how those permissions work.

In general in NT it was always the case that a DENY permission denied
access completely; it couldn't be overridden by any other permissions
given. This is not the case in AD.

Inherited permissions are "weaker" than the direct permissions. This means
that a DENY permission from an inheritance CAN BE OVERRIDDEN by a GRANT
permission that is directly given. All user objects get GRANT permission to
change their own personal information directly when they are created. So no
amount of inherited permissions would DENY that access. You would have to
remove the actual GRANT permission from each and every user object.

--
Joe Richards
www.joeware.net
---
> We have a script that runs and populates some users' AD
> fields like the Office, City, Country, address, etc.

> Now, users can change their own settings when navigating
> Windows Explorer / Network / Active Directory....

> I know we can deny access (using SELF account) to some
> user properties but I would like to do this globally on a
> particular OU.  The problem is when I open the permissions
> for this OU, I don't get all the individual user
> attributes like street, ZIP code, State, etc....

> How could I easily deny this write attribute permission
> globally ??

> Thanks

> Daniel
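
The precedence Joe describes, as an added worked example that is not part of the thread: a simplified model of the order in which AD evaluates the ACEs on an object (explicit deny, explicit allow, inherited deny, inherited allow; the first ACE that matches the requester and the attribute decides). The attribute names are the real LDAP names for the fields in the question; the DACL contents, the trustee matching, and the `check` helper are constructed for illustration and leave out object-type GUIDs, property sets, generic rights and group expansion.

```python
"""Simplified model of Active Directory ACE ordering and access checks.

Added example, not code from the thread.  It reproduces the rule in
Joe Richards' reply: an explicit (direct) ACE on the user object is
evaluated before any inherited ACE, so an inherited DENY coming down
from the OU cannot override the explicit SELF GRANT that every user
object carries.  Assumptions: only WriteProperty on named attributes is
modelled, and a trustee matches by exact string comparison.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    trustee: str        # "SELF" stands for the object's own principal
    allow: bool         # True = Allow ACE, False = Deny ACE
    attrs: frozenset    # LDAP attribute names, or {"*"} for all properties
    inherited: bool     # True if the ACE flowed down from a parent (the OU)


def canonical_order(aces):
    """Canonical DACL order: explicit deny, explicit allow, inherited deny,
    inherited allow.  The sort is stable, so ACEs inherited from a nearer
    parent keep their place ahead of ones from a more distant parent."""
    return sorted(aces, key=lambda a: (a.inherited, a.allow))


def covers(ace, attr):
    return "*" in ace.attrs or attr in ace.attrs


def can_write(aces, trustees, attr):
    """First ACE in canonical order that names one of the requester's
    trustees and covers the attribute decides.  No match means no access."""
    for ace in canonical_order(aces):
        if ace.trustee in trustees and covers(ace, attr):
            return ace.allow
    return False


# Constructed attribute list: the personal-information fields from the
# question (street, city, state, country, ZIP code) by their LDAP names.
PERSONAL = frozenset({"streetAddress", "l", "st", "c", "postalCode"})


def user_object_dacl(ou_deny_self=False, object_deny_self=False):
    """Constructed DACL for one user object.  The explicit SELF allow is
    the grant Joe says each user gets at creation; ou_deny_self adds the
    inherited deny that an OU-level edit would produce; object_deny_self
    adds a deny placed directly on the object."""
    dacl = [
        Ace("Domain Admins", True, frozenset({"*"}), inherited=True),
        Ace("SELF", True, PERSONAL, inherited=False),
    ]
    if ou_deny_self:
        dacl.append(Ace("SELF", False, PERSONAL, inherited=True))
    if object_deny_self:
        dacl.append(Ace("SELF", False, PERSONAL, inherited=False))
    return dacl


def check(remove_explicit_grant=False, ou_deny_self=False,
          object_deny_self=False, attr="postalCode"):
    """Can the user write one of their own personal attributes?
    The requester carries the SELF trustee because it is acting on its
    own object."""
    dacl = user_object_dacl(ou_deny_self, object_deny_self)
    if remove_explicit_grant:
        dacl = [a for a in dacl
                if not (a.trustee == "SELF" and a.allow and not a.inherited)]
    return can_write(dacl, {"SELF", "Authenticated Users"}, attr)


if __name__ == "__main__":
    print("default:", check())                                   # True
    print("OU-level deny only:", check(ou_deny_self=True))       # True
    print("deny on the object:", check(object_deny_self=True))   # False
    print("grant removed + OU deny:",
          check(remove_explicit_grant=True, ou_deny_self=True))  # False
```

The second line of output is the point of Joe's reply: the inherited deny sorts after the explicit allow and is never reached. A deny placed directly on the object, or removal of the explicit grant, is what actually changes the result. In a real directory the explicit SELF ACEs are stamped on each new user from the user class's defaultSecurityDescriptor in the schema, which is why the reply points at either the schema or every individual user object rather than the OU.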


1. AD Changes User Names on own when moving users

Hey all,

I am fairly new to Active Directory, been working with it
for a few months now.  I have encountered a problem that I
haven't been able to find an answer to on the internet and no
one knows how to fix it in my office.  We have a lot of
users who leave for a few months at a time and we disable
their accounts while they are gone.  I change the display
name to display when they will be arriving back so I know
when to enable their account.  I also move their account
to a disabled users folder under the Users folder.  The
problem I encountered is when I move the users.  Whatever
I added next to their name disappears either a day later
or it will wait a few days before changing.  Almost every
person changes so I have to do twice the work.  If I
change the name and don't move the user, the user will not
change back.  It only happens when I move the user.

ex. John Smith - 1/4/03

When I move this user to the disabled users list, the
"- 1/4/03" part will disappear but his name will stay.
Nothing else changes either.  It's rather annoying because
sometimes I change dozens of users a day and when I come
back they're changed back so I have to go back through all
the paperwork to find out what I previously put there.
Does anyone have any idea or any answers?  I would greatly
appreciate it.

Thanks a lot,

Don

