Forum.Brain-Cluster.com: Brain Cluster Technical Forum
Ultimate forum for Technical Discussions

Schema User attribute question [message #420569] Fri, 26 March 2010 16:24
voodooking
I have a business requirement to accomplish the following.
parent domain A
child domain B

Create a mandatory user attribute that would be applied to all users A & B
but is only editable by domain A domain admins - no domain B users
(including domain B domain admins) should be able to modify this attribute.

Is this possible?
Re: Schema User attribute question [message #420758 is a reply to message #420569] Sat, 27 March 2010 04:09
Andrei Ungureanu
Although it may be possible to block them from accidentally changing that
attribute value (using ACLs at the domain root), I don't think you can block
them completely. A domain admin is the service admin for that domain, so he
can grant himself permissions at any time.
Remember that in AD, a domain is only an administrative boundary, and the
forest is the security boundary.

If you want to do that only for regular users, that's simple - set
permissions at the top of the domain using dsacls.

Andrei
www.winadmins.net

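The dsacls approach mentioned in the reply above, as an added example that is not part of the original thread. The domain DN, attribute name, group names and test user are placeholders (assumptions); the last part records the resulting ACEs and flags later changes, since domain B's own admins can rewrite the ACL at any time.

```powershell
# Added example: every name below is a placeholder, not a value from the thread.
$ChildDomainDN = 'DC=b,DC=a,DC=example'      # child domain B (assumed DN)
$Attribute     = 'exampleBadgeId'            # hypothetical ldapDisplayName of the custom attribute
$DenyGroup     = 'B\Domain Users'            # regular users of domain B
$AllowGroup    = 'A\Domain Admins'           # admins of parent domain A
$TestUserDN    = "CN=Test User,CN=Users,$ChildDomainDN"   # assumed existing user
$Baseline      = Join-Path $env:TEMP 'attr-acl-baseline.txt'

# Deny Write Property (WP) on this one attribute at the domain root.
# /I:S = apply to sub-objects only; the trailing 'user' limits inheritance to user objects.
dsacls.exe $ChildDomainDN /I:S /D "${DenyGroup}:WP;$Attribute;user"

# Grant the same right to the parent domain's admins.
dsacls.exe $ChildDomainDN /I:S /G "${AllowGroup}:WP;$Attribute;user"

# Check what actually reached a user object. Inherited ACEs are evaluated after
# ACEs set explicitly on the object itself, so the domain-root view alone is not enough.
dsacls.exe $TestUserDN | Select-String -SimpleMatch $Attribute

# Record the ACE lines that mention the attribute, then compare on later runs.
# A difference means someone with rights over the domain changed the ACL.
$current = (dsacls.exe $ChildDomainDN |
    Select-String -SimpleMatch $Attribute |
    ForEach-Object { $_.Line.Trim() }) -join "`n"

if (-not (Test-Path $Baseline)) {
    Set-Content -Path $Baseline -Value $current
    Write-Output "Baseline written to $Baseline"
}
elseif ((Get-Content $Baseline -Raw).TrimEnd() -ne $current) {
    Write-Warning "ACEs for '$Attribute' on $ChildDomainDN differ from the baseline"
    $current
}
else {
    Write-Output "ACEs for '$Attribute' match the baseline"
}
```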
Re: Schema User attribute question [message #421803 is a reply to message #420758] Mon, 29 March 2010 10:26
voodooking
Yeah, that's what I thought. Thanks for your time.
