From: Alan on
Fortunately there aren't that many VIPs so yes, I can just change the
permissions on each user.

Thanks again. Much appreciated.

On Feb 8, 6:18 pm, "M" <m...(a)n.com> wrote:
> I used to read Bill's column in one of the magazines, but then he stopped
> writing the column. Anyway, I skimmed through the article and it looks like
> it'll be a big help to you. It looks like it's walking you through how to
> change the permissions for a entire OU though, which doesn't seem like
> something you'd want to do since you only have a handful of VIPs. You'd
> probably want to change the permissions directly on each user object. You
> could put the VIPs in a special OU and modify the permissions on the OU, but
> that could get messy to have a special OU just for this.
> --
> Regards,
> M
> MCTS, MCSA
>
> "Alan" <bru...(a)gmail.com> wrote in message
>
> news:c41781f6-45a2-4858-8150-cc15ac72532a(a)q16g2000yqq.googlegroups.com...
> Thanks a million for all the tips! Using the pointers, I found a this
> great article which describes how to do something similar:
>
> http://mcpmag.com/Articles/2003/11/01/FineTuning-Active-Directory-Acc...
>
> Now the question is if there will be any side-effects in Outlook/
> Exchange from hiding the office location ...
>
> As for why, well 'cos the customer wants it that way.
>
> On Feb 5, 7:12 pm, "M" <m...(a)n.com> wrote:
>
> > Hello Alan:
>
> > I believe this can be done, but you must modify AD. Why would someone
> > request this??? It's the office address, not a personal home address or
> > phone number. I haven't done this myself, but I'm thinking that it can be
> > done by setting permissions on the "office address" attributes of the VIP
> > user objects. This will get you started:
>
> > 1.) In ADUC, select View --> Advanced Features.
> > 2.) Open up your user object properties --> Security tab --> Advanced -->
> > Highlight a random account --> Edit --> Properties tab --> scroll down to
> > "Read Street Address."
>
> > Now you see how specific attributes have their own permissions. This level
> > is very granular. I think if you deny a particular group/user, that
> > account
> > won't be able to see the attribute in the GAL, since the GAL is just a GC
> > query. I think you can select "domain users" and explicitly deny them Read
> > to the attributes, and then create a group of users who have explicit
> > allow
> > to read the same attribute. This follows standard AD security so play
> > around
> > with it.
>
> > This site has the mappings of the attribute display names to the LDAP
> > names:http://www.selfadsi.org/user-attributes-w2k3.htm. I don't see this
> > matching
> > up exactly with the attribute name in ADUC (from the steps above) but the
> > names are close.
>
> > Let me know how you make out, or if you end up not doing this because it's
> > more complex than it's worth.
>
> > --
> > Regards,
> > M
> > MCTS, MCSA
>
> > "Alan" <bru...(a)gmail.com> wrote in message
>
> >news:4186712b-99ea-43b3-a386-d34c3174ed03(a)d27g2000yqn.googlegroups.com....
>
> > > Hello,
>
> > > We need to hide the office address for a small number of vip users in
> > > the GAL without changing the underlying value in AD. The office
> > > addresses of everyone else has to remain visible as usual.
>
> > > I've suggested moving the data to a custom attribute for the vip users
> > > and leaving their ordinary office address attribute empty. Any other
> > > possible solutions pls?
>
> > > Exchange 2003 in a 2003 R2 domain with Outlook 2003.
>
> > > Thanks,
>
> > > - Alan.

First  |  Prev  | 
Pages: 1 2
Prev: Will this help?
Next: MailboxRegionalConfiguration