Adding a Custom Attribute in AD and Only Giving Access to Certain Groups

Tony Saunders 1 Reputation point
2020-09-09T23:54:12.677+00:00

Working on Active Directory in a Windows Server 2012R2 / 2016 environment (with Exchange 2016).

I want to enter everyone's cell phone number into AD and then have that information be searchable in Outlook, OWA, and the GAL on configured mobile devices.

I think that's pretty straightforward, but here's where I'm getting stuck. I only want certain people/groups to be able to see the cell phone numbers. I think that this might involve creating a custom attribute, but I'm not sure. Any help would be greatly appreciated.


2 answers

  1. Andy David - MVP 109.5K Reputation points Microsoft MVP
    2020-09-10T00:09:52.847+00:00

    There really isn't a clean way to do this.

    The only real segmentation technique in Exchange is Address Book Policies, but in your scenario they wouldn't apply: you really just want to keep some users from seeing a specific attribute, and there is no supported way to do that in Exchange or Outlook.


  2. Hannah Xiong 6,161 Reputation points
    2020-09-10T07:56:54.943+00:00

    Hello,

    Thank you so much for posting here.

    It is not possible to hide phone numbers from the GAL. If we do not want most people to be able to see the sensitive information, adding it in AD may not be the right option.

    Here are the similar cases for your reference:
    https://social.technet.microsoft.com/Forums/en-US/dcfbfbd8-ed95-4291-8f9c-fe42a8c20bec/hide-phone-number-attribute-in-ad?forum=winserverDS

    https://social.technet.microsoft.com/Forums/en-US/47d55232-15d9-44de-9bc8-e122673ad7dc/hiding-phone-number-in-gal?forum=onlineservicesexchange

    We could deny access to the attribute for people querying your AD by updating the permissions on the user objects in the OU containing the users. Below is my test: the user U2 will not be able to access the phone number information of user 11.

    Open Active Directory Users and Computers
    Select the Users OU (in my case, it is ou1), right-click user account 11 and select Properties
    Select the Security tab
    Select the Advanced button
    Select the Add button and add the users or groups you do not want to access the phone number attribute (in my case, it is user U2)

    Then, from the list of permission entries, select the users or group we just added (user U2)
    In the Type checkbox, select: Deny
    In the "Applies to" dropdown box, select: This object only

    Click "Clear all" and then check "Read Telephone Number".

    Then this user U2 will not be able to access the phone number information of user 11.

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong
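The same Deny entry that the second answer builds by hand in Active Directory Users and Computers can be applied in PowerShell, and applied once at the OU so that it is inherited by every user object underneath it instead of being set on one account at a time. The following is an added example, not code from either answer or from Microsoft; the OU name `OU=ou1,DC=example,DC=com`, the group `EXAMPLE\NoPhoneReaders` and the choice of attribute are assumptions. Note that the cell phone number the question asks about is stored in the `mobile` attribute (the Mobile field on the Telephones tab), while `telephoneNumber` is the main office number the answer's screenshots deny; the script takes either name and resolves the attribute's schemaIDGUID from the schema rather than hard-coding it.

```powershell
# Added example (not part of the original answers): deny one group the right to read
# a single phone attribute on every user object under an OU, using the ActiveDirectory
# module and the AD: PSDrive. All names below are assumptions; replace them.
Import-Module ActiveDirectory

$ouDn      = 'OU=ou1,DC=example,DC=com'   # assumed OU that holds the user accounts
$denyGroup = 'EXAMPLE\NoPhoneReaders'     # assumed group that must not read the number
$attrName  = 'mobile'                     # cell phone; use 'telephoneNumber' for the office number

# Resolve schemaIDGUIDs from the schema instead of pasting well-known GUIDs.
$schemaNc = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    [guid]$obj.schemaIDGUID
}
$attrGuid      = Get-SchemaGuid $attrName   # the attribute being protected
$userClassGuid = Get-SchemaGuid 'user'      # restrict inheritance to user objects only

$sid = (New-Object System.Security.Principal.NTAccount($denyGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# Deny ReadProperty on just this one attribute. Inheritance is "Descendents" with
# the user class as InheritedObjectType, i.e. the OU itself is not affected and
# other object classes (contacts, groups) keep their normal read access.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check from the admin side: list the Deny entries on the OU that target this attribute.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.AccessControlType -eq 'Deny' -and $_.ObjectType -eq $attrGuid } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType

# Check from the denied side: run the next line as a member of $denyGroup. The
# attribute is simply missing from the result; LDAP returns no access-denied error.
# Get-ADUser -Identity 11 -Properties $attrName | Select-Object Name, $attrName
```

Two caveats a practitioner should keep in mind when relying on this. First, a Deny entry wins over every Allow, including the default read granted to Authenticated Users, but only for LDAP reads made under the denied principal's own identity; accounts that are also object owners or hold Full Control through another path are not reliably stopped, and anything that reads the directory with a service identity is unaffected. Second, that is exactly why the two answers say the number cannot be hidden from the GAL: Exchange builds the Offline Address Book under its own permissions and hands the finished file to every cached-mode Outlook client, so the ACE hides the attribute from direct AD queries and online address book lookups made as that user, not from a downloaded OAB.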