Controlling access to the active directory attribute: mail

Post by Scott Coope » Thu, 05 Dec 2002 07:00:58



My company wants to find a way to control who can update the LDAP mail
attribute.

To be effective, the procedure needs to affect the default security for this
attribute so that new and existing objects will have this attribute
controlled whether or not the object is enabled for exchange mail.

Thank you in advance for your help.

Scott Cooper

 
 
 

Post by Dmitri Gavrilov [MS » Thu, 05 Dec 2002 09:46:30


The easiest (and most correct) way to accomplish this is to add an
inheritable ACE somewhere at the top of the hierarchy (users container, for
example) granting access to the required trustee (some security group). In
security dialogs, click Advanced, add an ace and select "properties" tab in
the ace dialog. There, you can specify read/write access to specific
properties. You might need to select "apply to users" in the drop down
below.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
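
The ACE described in the reply above can also be created from a script rather than the security dialog. This is an added example, not code from the thread; it assumes the ActiveDirectory PowerShell module is available, and the container DN and group name are hypothetical placeholders.

```powershell
# Added example: grant one security group write access to the "mail"
# attribute on all user objects beneath a container, via an inheritable ACE.
Import-Module ActiveDirectory

$containerDn = 'CN=Users,DC=example,DC=com'   # hypothetical container at the top of the subtree
$groupName   = 'Mail-Attribute-Editors'       # hypothetical security group (the trustee)

# Resolve the schemaIDGUID of an attribute or class from its lDAPDisplayName.
function Get-SchemaGuid([string]$LdapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}

$mailGuid = Get-SchemaGuid 'mail'   # the property the ACE covers
$userGuid = Get-SchemaGuid 'user'   # the object class the ACE applies to
$sid      = (Get-ADGroup -Identity $groupName).SID

# Allow WriteProperty on "mail" only, inherited by descendant user objects
# (the scripted equivalent of the Properties tab with "apply to users").
$ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $mailGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$path = "AD:\$containerDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Check the result: list every ACE on the container scoped to the mail attribute.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $mailGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                  InheritanceType, InheritedObjectType, IsInherited
```

The listing at the end shows only ACEs scoped to `mail` itself. ACEs that grant write access to all properties, or to a property set containing `mail`, also allow updates and need a separate review.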



Post by Scott Coope » Thu, 05 Dec 2002 11:26:46


Can you tell me specifically which attribute or property we should set our ACE
to?




Post by Dmitri Gavrilov [MS » Thu, 05 Dec 2002 14:20:26


I don't know which attribute is responsible for this. Someone from exchange
would know.

--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm



Post by Tonino Brun » Thu, 05 Dec 2002 17:55:14


I am not sure if you want to mess with that, but I guess that you could
change the proxyaddresses attribute; this contains all your mail addresses,
including smtp/ccmail/x400 etc.

But remember Exchange 2000 has its own process that maintains that field
throughout the Exchange organization, and this process is called the "RUS -
Recipient Update Service".

--
Sincerely;
Tony Bruno
Http:\\www.phreakazoid.Be

Note: Please do always provide feedback on your problem, other people might
be interested in it.




Post by Jeff Jones [MS » Fri, 06 Dec 2002 01:22:20


If you are trying to find a mapping of a field in Active Directory Users &
Computers to the underlying AD attribute look here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netd...
appings_for_the_active_directory_users_and_computers_snap-in.asp

"mail" is an attribute of the user object and corresponds to the E-mail
field in the UI.

--
Jeff Jones [MS]
Active Directory Administration Tools Development
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.

