This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 51%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJZ%3C/text%3E%3C/svg%3E)
Dear community,
I am seeking help to find means to manage access to user scheme attribute access. The intention is to disallow authenticated user or domain user to read some scheme user attribute such as carlicense, but select group and admin can read & write. Thank you.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(256, 74%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERM%3C/text%3E%3C/svg%3E)
You can do this through the Active Directory Users and Computers GUI. You need to add a new ACE to the ACL, usually at the Organizational Unit that prohibits the "read" permission for that property (the "write" permission is probably already prohibited).
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(67.2, 68%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELT%3C/text%3E%3C/svg%3E)
Hello there,
The quickest way to deny most of your users the ability to see this field but allow some users to do so would be to remove the attribute from the property set in your schema, then use an AD group for the subset of users and grant them read access to the attribute on all user objects. However, you probably don't want to be modifying the built-in property sets in your schema.
The way to do it without schema modification would be to create two AD groups - one for the subset of users and one for everyone else. You can deny reading on carlicense on all user objects for the larger group containing most of your employees and can allow reading on carlicense, for the smaller subset. This isn't a great solution though since you have to update the larger group every time you hire/term.
Similar discussion here https://social.technet.microsoft.com/Forums/windowsserver/en-US/85322289-3815-4671-a33e-0bb934236e1c/block-attribute-view-from-certain-users?forum=winserverDS
Hope this resolves your Query !!
--If the reply is helpful, please Upvote and Accept it as an answer–