Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Employee ID field [message #161117] Wed, 16 September 2009 09:44
Brion (United States)
We wanted to start using the Employee ID field in AD, so I followed the
instructions here:
http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.active_directory/2005-08/msg01766.html

and it works! Great!

Now the only problem is that I need to lock down the permissions on the
Employee ID field. Our Employee ID is confidential, so we don't want people
looking up other people's IDs. But right now, any member of the domain can
sit at any computer and type...

dsget user <DN> -empid

...and get someone else's Employee ID. Not good.

How can I lock this down so that only domain admins have the ability to
view/edit the Employee ID field?

Thanks!
Re: Employee ID field [message #161119 is a reply to message #161117] Wed, 16 September 2009 10:01
Marcin (United States)
It is part of the base schema, so you cannot mark it as confidential...
You will need to either use another existing attribute (which does not have
the same restriction) - or create a custom one...

hth
Marcin

"Brion" <blah@blah.com> wrote in message
news:%23JNfLSuNKHA.3552@TK2MSFTNGP04.phx.gbl...
> We wanted to start using the Employee ID field in AD, so I followed the
> instructions here:
> http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.active_directory/2005-08/msg01766.html
>
> and it works! Great!
>
> Now the only problem is that I need to lock down the permissions on the
> Employee ID field. Our Employee ID is confidential, so we don't want
> people looking up other people's IDs. But right now, any member of the
> domain can sit at any computer and type...
>
> dsget user <DN> -empid
>
> ...and get someone else's Employee ID. Not good.
>
> How can I lock this down so that only domain admins have the ability to
> view/edit the Employee ID field?
>
> Thanks!
Re: Employee ID field [message #161131 is a reply to message #161117] Wed, 16 September 2009 23:53
florian (Switzerland)
Howdie!

Brion wrote:
> Now the only problem is that I need to lock down the permissions on the
> Employee ID field. Our Employee ID is confidential, so we don't want
> people looking up other people's IDs. But right now, any member of the
> domain can sit at any computer and type...

I guess you'll have to change the permission on the attribute so that
"Authenticated Users" don't have a "Read" permission on the attribute.

Cheers,
Florian
--
Microsoft MVP - Group Policy
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
Maillist (german): http://frickelsoft.net/cms/index.php?page=mailingliste
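
A read-only check for the permission change discussed in this thread, as an added example that is not part of any poster's message: it lists the DACL entries in an SDDL string that allow or deny reading employeeID. The function names, the sample descriptor and the employeeID schemaIDGUID constant are assumptions of the example.

```python
import re

# schemaIDGUID of the employeeID attribute (assumption: confirm it against
# the attributeSchema object in your own forest before relying on it).
EMPLOYEE_ID_GUID = "bf967962-0de6-11d0-a285-00aa003049e2"

ALLOW, DENY = {"A", "OA"}, {"D", "OD"}
# SDDL rights that include "read property" on a directory object:
# RP itself, plus generic read (GR) and generic all (GA), which map onto it.
READ_CODES = {"RP", "GR", "GA"}
READ_BITS = 0x10 | 0x80000000 | 0x10000000


def grants_read(rights: str) -> bool:
    """True if an SDDL rights field (letter pairs or hex mask) covers RP."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & READ_BITS)
    pairs = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(pairs & READ_CODES)


def aces_touching_attribute(sddl: str, attr_guid: str = EMPLOYEE_ID_GUID):
    """List DACL ACEs that allow or deny reading one attribute.

    Returns (kind, trustee, scope) tuples in DACL order. Property-set GUIDs
    are not resolved, and group membership is not evaluated.
    """
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    hits = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        ace_type, _flags, rights, obj, _inherit_obj, trustee = ace.split(";")[:6]
        if ace_type not in ALLOW | DENY or not grants_read(rights):
            continue
        if obj and obj.lower() != attr_guid:
            continue  # scoped to some other attribute or property set
        kind = "allow" if ace_type in ALLOW else "deny"
        hits.append((kind, trustee, "employeeID" if obj else "all-properties"))
    return hits


# Constructed sample descriptor, not taken from a real domain.
SAMPLE = ("O:DAG:DAD:AI"
          "(OD;;RP;bf967962-0de6-11d0-a285-00aa003049e2;;S-1-5-21-1-2-3-1105)"
          "(A;;RPLCLORC;;;AU)"
          "(OA;;RP;bf967961-0de6-11d0-a285-00aa003049e2;;AU)"
          "(A;;GA;;;DA)")

if __name__ == "__main__":
    print(aces_touching_attribute(SAMPLE))
```

An all-properties allow entry for a broad trustee such as AU (Authenticated Users) is the kind of entry the last reply refers to.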