From: Alan on 9 Feb 2010 14:44
Fortunately there aren't that many VIPs so yes, I can just change the
permissions on each user.
Thanks again. Much appreciated.
On Feb 8, 6:18 pm, "M" <m...(a)n.com> wrote:
> I used to read Bill's column in one of the magazines, but then he stopped
> writing the column. Anyway, I skimmed through the article and it looks like
> it'll be a big help to you. It looks like it's walking you through how to
> change the permissions for a entire OU though, which doesn't seem like
> something you'd want to do since you only have a handful of VIPs. You'd
> probably want to change the permissions directly on each user object. You
> could put the VIPs in a special OU and modify the permissions on the OU, but
> that could get messy to have a special OU just for this.
> MCTS, MCSA
> "Alan" <bru...(a)gmail.com> wrote in message
> Thanks a million for all the tips! Using the pointers, I found a this
> great article which describes how to do something similar:
> Now the question is if there will be any side-effects in Outlook/
> Exchange from hiding the office location ...
> As for why, well 'cos the customer wants it that way.
> On Feb 5, 7:12 pm, "M" <m...(a)n.com> wrote:
> > Hello Alan:
> > I believe this can be done, but you must modify AD. Why would someone
> > request this??? It's the office address, not a personal home address or
> > phone number. I haven't done this myself, but I'm thinking that it can be
> > done by setting permissions on the "office address" attributes of the VIP
> > user objects. This will get you started:
> > 1.) In ADUC, select View --> Advanced Features.
> > 2.) Open up your user object properties --> Security tab --> Advanced -->
> > Highlight a random account --> Edit --> Properties tab --> scroll down to
> > "Read Street Address."
> > Now you see how specific attributes have their own permissions. This level
> > is very granular. I think if you deny a particular group/user, that
> > account
> > won't be able to see the attribute in the GAL, since the GAL is just a GC
> > query. I think you can select "domain users" and explicitly deny them Read
> > to the attributes, and then create a group of users who have explicit
> > allow
> > to read the same attribute. This follows standard AD security so play
> > around
> > with it.
> > This site has the mappings of the attribute display names to the LDAP
> > names:http://www.selfadsi.org/user-attributes-w2k3.htm. I don't see this
> > matching
> > up exactly with the attribute name in ADUC (from the steps above) but the
> > names are close.
> > Let me know how you make out, or if you end up not doing this because it's
> > more complex than it's worth.
> > --
> > Regards,
> > M
> > MCTS, MCSA
> > "Alan" <bru...(a)gmail.com> wrote in message
> > > Hello,
> > > We need to hide the office address for a small number of vip users in
> > > the GAL without changing the underlying value in AD. The office
> > > addresses of everyone else has to remain visible as usual.
> > > I've suggested moving the data to a custom attribute for the vip users
> > > and leaving their ordinary office address attribute empty. Any other
> > > possible solutions pls?
> > > Exchange 2003 in a 2003 R2 domain with Outlook 2003.
> > > Thanks,
> > > - Alan.