From: Alan on 9 Feb 2010 14:44

Fortunately there aren't that many VIPs so yes, I can just change the
permissions on each user.

Thanks again. Much appreciated.

On Feb 8, 6:18 pm, "M" <m...(a)n.com> wrote:
> I used to read Bill's column in one of the magazines, but then he stopped
> writing the column. Anyway, I skimmed through the article and it looks like
> it'll be a big help to you. It looks like it's walking you through how to
> change the permissions for an entire OU though, which doesn't seem like
> something you'd want to do since you only have a handful of VIPs. You'd
> probably want to change the permissions directly on each user object. You
> could put the VIPs in a special OU and modify the permissions on the OU, but
> that could get messy to have a special OU just for this.
> --
> Regards,
> M
> MCTS, MCSA
>
> "Alan" <bru...(a)gmail.com> wrote in message
> news:c41781f6-45a2-4858-8150-cc15ac72532a(a)q16g2000yqq.googlegroups.com...
> Thanks a million for all the tips! Using the pointers, I found this
> great article which describes how to do something similar:
>
> http://mcpmag.com/Articles/2003/11/01/FineTuning-Active-Directory-Acc...
>
> Now the question is if there will be any side-effects in Outlook/
> Exchange from hiding the office location ...
>
> As for why, well 'cos the customer wants it that way.
>
> On Feb 5, 7:12 pm, "M" <m...(a)n.com> wrote:
>
> > Hello Alan:
> >
> > I believe this can be done, but you must modify AD. Why would someone
> > request this??? It's the office address, not a personal home address or
> > phone number. I haven't done this myself, but I'm thinking that it can be
> > done by setting permissions on the "office address" attributes of the VIP
> > user objects. This will get you started:
> >
> > 1.) In ADUC, select View --> Advanced Features.
> > 2.) Open up your user object properties --> Security tab --> Advanced -->
> > Highlight a random account --> Edit --> Properties tab --> scroll down to
> > "Read Street Address."
> >
> > Now you see how specific attributes have their own permissions. This level
> > is very granular. I think if you deny a particular group/user, that account
> > won't be able to see the attribute in the GAL, since the GAL is just a GC
> > query. I think you can select "domain users" and explicitly deny them Read
> > to the attributes, and then create a group of users who have explicit allow
> > to read the same attribute. This follows standard AD security so play around
> > with it.
> >
> > This site has the mappings of the attribute display names to the LDAP
> > names: http://www.selfadsi.org/user-attributes-w2k3.htm. I don't see this
> > matching up exactly with the attribute name in ADUC (from the steps above)
> > but the names are close.
> >
> > Let me know how you make out, or if you end up not doing this because it's
> > more complex than it's worth.
> >
> > --
> > Regards,
> > M
> > MCTS, MCSA
> >
> > "Alan" <bru...(a)gmail.com> wrote in message
> > news:4186712b-99ea-43b3-a386-d34c3174ed03(a)d27g2000yqn.googlegroups.com....
> >
> > > Hello,
> > >
> > > We need to hide the office address for a small number of vip users in
> > > the GAL without changing the underlying value in AD. The office
> > > addresses of everyone else have to remain visible as usual.
> > >
> > > I've suggested moving the data to a custom attribute for the vip users
> > > and leaving their ordinary office address attribute empty. Any other
> > > possible solutions pls?
> > >
> > > Exchange 2003 in a 2003 R2 domain with Outlook 2003.
> > >
> > > Thanks,
> > >
> > > - Alan.
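
The per-user, per-attribute permission change discussed in this thread, written out as an added PowerShell example (not code from any poster or from the linked article). The user DN, the group name `EXAMPLE\GAL-Office-Hidden` and the choice of `physicalDeliveryOfficeName` and `streetAddress` as the attributes behind the office fields are assumptions; without `-Apply` the script only reports what it would change.

```powershell
# Added example, not from the thread. Placeholder DN, hypothetical group name.
param(
    [string[]]$UserDn    = @('CN=Example VIP,OU=Staff,DC=example,DC=com'),
    [string]  $DenyGroup = 'EXAMPLE\GAL-Office-Hidden',
    # Assumed LDAP names for the office/street fields; confirm against your schema.
    [string[]]$Attribute = @('physicalDeliveryOfficeName', 'streetAddress'),
    [switch]  $Apply      # without -Apply nothing is written, only reported
)

$schemaNc   = ([ADSI]'LDAP://RootDSE').schemaNamingContext
$schemaRoot = [ADSI]"LDAP://$schemaNc"

# Per-attribute ACEs are keyed by the attribute's schemaIDGUID, not its name.
function Get-AttributeGuid([string]$LdapName) {
    $filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapName))"
    $search = New-Object System.DirectoryServices.DirectorySearcher($schemaRoot, $filter)
    $hit = $search.FindOne()
    if (-not $hit) { throw "Attribute '$LdapName' not found in the schema" }
    New-Object Guid (,[byte[]]$hit.Properties['schemaidguid'][0])
}

$principal = New-Object System.Security.Principal.NTAccount($DenyGroup)
$read = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$deny = [System.Security.AccessControl.AccessControlType]::Deny

foreach ($dn in $UserDn) {
    $user = [ADSI]"LDAP://$dn"
    $acl  = $user.psbase.ObjectSecurity
    foreach ($name in $Attribute) {
        $guid = Get-AttributeGuid $name
        # Explicit (non-inherited) deny ACEs already on this object for this attribute.
        $present = @($acl.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
            Where-Object { $_.ObjectType -eq $guid -and $_.AccessControlType -eq $deny -and
                           $_.IdentityReference.Value -eq $DenyGroup })
        $action = 'already present'
        if ($present.Count -eq 0) {
            $action = 'would add'
            if ($Apply) {
                # A deny ACE is evaluated before allow ACEs set on the same object,
                # so every member of $DenyGroup loses read of this attribute.
                $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule($principal, $read, $deny, $guid)
                $acl.AddAccessRule($ace)
                $action = 'added'
            }
        }
        "{0}: deny ReadProperty on {1} for {2} -> {3}" -f $dn, $name, $DenyGroup, $action
    }
    if ($Apply) { $user.psbase.CommitChanges() }
}
```

Run it once without `-Apply` and review the report before writing any ACEs, then check the result in the GAL from an account that is a member of the denied group.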