How to disallow authenticated user or domain user to read scheme user account attribute, such as carlicence.

Question

Dear community,

I am seeking help to find means to manage access to user scheme attribute access. The intention is to disallow authenticated user or domain user to read some scheme user attribute such as carlicense, but select group and admin can read & write. Thank you.

Answer 1

You can do this through the Active Directory Users and Computers GUI. You need to add a new ACE to the ACL, usually at the Organizational Unit that prohibits the "read" permission for that property (the "write" permission is probably already prohibited).

Answer 2

Hello there,

The quickest way to deny most of your users the ability to see this field but allow some users to do so would be to remove the attribute from the property set in your schema, then use an AD group for the subset of users and grant them read access to the attribute on all user objects. However, you probably don't want to be modifying the built-in property sets in your schema.

The way to do it without schema modification would be to create two AD groups - one for the subset of users and one for everyone else. You can deny reading on carlicense on all user objects for the larger group containing most of your employees and can allow reading on carlicense, for the smaller subset. This isn't a great solution though since you have to update the larger group every time you hire/term.

Similar discussion here https://social.technet.microsoft.com/Forums/windowsserver/en-US/85322289-3815-4671-a33e-0bb934236e1c/block-attribute-view-from-certain-users?forum=winserverDS

Hope this resolves your Query !!

--If the reply is helpful, please Upvote and Accept it as an answer–