all extended rights permission -alternative

amitay 1 Reputation point
2022-11-02T07:15:38.58+00:00

Hey
We want to limit users in viewing passwords only to their workstation, we saw that we should give them:

All extended rights
ms-mcs-admpwd

We want to know if there is a possibility to "chunk" All extended rights and provide other, more limited privileges.
I didn't find anything similar online. Is there such a possibility?
To be more clear, we don't want to give them "All extended rights"; we want to give less permission.
What can we do?


1 answer

  1. Gary Reynolds 9,391 Reputation points
    2022-11-02T11:04:21.87+00:00

    Hi @amitay

    Read this section of this article, which gives an example of how to limit the permissions that are granted to be able to read a confidential attribute. You can either assign the permission at the OU level with a single group or manually assign the user specific rights to their workstation object.

    https://learn.microsoft.com/en-us/troubleshoot/windows-server/windows-security/mark-attribute-as-confidential#generic-and-object-specific-access-control-entries

    Gary.

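The object-specific ACE that the linked article section describes, written out as an added example (not code from the answer or from Microsoft's article): it grants one account read property plus control access scoped to the `ms-Mcs-AdmPwd` attribute on a single computer object, instead of All extended rights. The distinguished name and account below are placeholders, and the script assumes the RSAT ActiveDirectory module and an operator allowed to modify the object's DACL.

```powershell
Import-Module ActiveDirectory   # also provides the AD: drive used by Get-Acl/Set-Acl

# Placeholder values (assumptions, replace with your own objects)
$ComputerDn = 'CN=WS001,OU=Workstations,DC=example,DC=com'
$Account    = 'EXAMPLE\alice'

# The ACE is scoped by the attribute's schemaIDGUID, so read it from the schema
# rather than hard-coding it.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNc `
    -LDAPFilter '(lDAPDisplayName=ms-Mcs-AdmPwd)' -Properties schemaIDGUID
if (-not $attr) { throw 'ms-Mcs-AdmPwd was not found in the schema.' }
$attrGuid = [Guid]$attr.schemaIDGUID          # byte[] -> Guid

$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# ReadProperty = READ_PROPERTY, ExtendedRight = CONTROL_ACCESS.
# Passing $attrGuid as the object type limits both rights to this one attribute;
# an ACE with ExtendedRight and no object type would be "All extended rights".
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)

$acl = Get-Acl -Path "AD:\$ComputerDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ComputerDn" -AclObject $acl

# Review what is now granted on that attribute for this computer object.
(Get-Acl -Path "AD:\$ComputerDn").Access |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited
```

For the OU-level variant mentioned in the answer, the same ACE would be placed on the OU for a group with inheritance to descendant computer objects, which lets every group member read every workstation's password in that OU rather than only their own.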