Can I hide an attribute of certain users only in the GAL without changing AD ?
in [Microsoft Exchange]
|
Prev: Will this help?
Next: MailboxRegionalConfiguration
From: Alan on 4 Feb 2010 15:44 Hello, We need to hide the office address for a small number of vip users in the GAL without changing the underlying value in AD. The office addresses of everyone else has to remain visible as usual. I've suggested moving the data to a custom attribute for the vip users and leaving their ordinary office address attribute empty. Any other possible solutions pls? Exchange 2003 in a 2003 R2 domain with Outlook 2003. Thanks, - Alan.
From: chriske911 on 5 Feb 2010 10:50 After serious thinking Alan wrote : > Hello, > We need to hide the office address for a small number of vip users in > the GAL without changing the underlying value in AD. The office > addresses of everyone else has to remain visible as usual. > I've suggested moving the data to a custom attribute for the vip users > and leaving their ordinary office address attribute empty. Any other > possible solutions pls? > Exchange 2003 in a 2003 R2 domain with Outlook 2003. > Thanks, > - Alan. just an idea: hide the account from showing up in GAL then create a contact that looks similar grtz
From: M on 5 Feb 2010 13:12 Hello Alan: I believe this can be done, but you must modify AD. Why would someone request this??? It's the office address, not a personal home address or phone number. I haven't done this myself, but I'm thinking that it can be done by setting permissions on the "office address" attributes of the VIP user objects. This will get you started: 1.) In ADUC, select View --> Advanced Features. 2.) Open up your user object properties --> Security tab --> Advanced --> Highlight a random account --> Edit --> Properties tab --> scroll down to "Read Street Address." Now you see how specific attributes have their own permissions. This level is very granular. I think if you deny a particular group/user, that account won't be able to see the attribute in the GAL, since the GAL is just a GC query. I think you can select "domain users" and explicitly deny them Read to the attributes, and then create a group of users who have explicit allow to read the same attribute. This follows standard AD security so play around with it. This site has the mappings of the attribute display names to the LDAP names: http://www.selfadsi.org/user-attributes-w2k3.htm. I don't see this matching up exactly with the attribute name in ADUC (from the steps above) but the names are close. Let me know how you make out, or if you end up not doing this because it's more complex than it's worth. -- Regards, M MCTS, MCSA "Alan" <bruguy(a)gmail.com> wrote in message news:4186712b-99ea-43b3-a386-d34c3174ed03(a)d27g2000yqn.googlegroups.com... > Hello, > > We need to hide the office address for a small number of vip users in > the GAL without changing the underlying value in AD. The office > addresses of everyone else has to remain visible as usual. > > I've suggested moving the data to a custom attribute for the vip users > and leaving their ordinary office address attribute empty. Any other > possible solutions pls? > > Exchange 2003 in a 2003 R2 domain with Outlook 2003. > > Thanks, > > - Alan.
From: Alan on 8 Feb 2010 11:02 Thanks a million for all the tips! Using the pointers, I found a this great article which describes how to do something similar: http://mcpmag.com/Articles/2003/11/01/FineTuning-Active-Directory-Access.aspx Now the question is if there will be any side-effects in Outlook/ Exchange from hiding the office location ... As for why, well 'cos the customer wants it that way. On Feb 5, 7:12 pm, "M" <m...(a)n.com> wrote: > Hello Alan: > > I believe this can be done, but you must modify AD. Why would someone > request this??? It's the office address, not a personal home address or > phone number. I haven't done this myself, but I'm thinking that it can be > done by setting permissions on the "office address" attributes of the VIP > user objects. This will get you started: > > 1.) In ADUC, select View --> Advanced Features. > 2.) Open up your user object properties --> Security tab --> Advanced --> > Highlight a random account --> Edit --> Properties tab --> scroll down to > "Read Street Address." > > Now you see how specific attributes have their own permissions. This level > is very granular. I think if you deny a particular group/user, that account > won't be able to see the attribute in the GAL, since the GAL is just a GC > query. I think you can select "domain users" and explicitly deny them Read > to the attributes, and then create a group of users who have explicit allow > to read the same attribute. This follows standard AD security so play around > with it. > > This site has the mappings of the attribute display names to the LDAP names:http://www.selfadsi.org/user-attributes-w2k3.htm. I don't see this matching > up exactly with the attribute name in ADUC (from the steps above) but the > names are close. > > Let me know how you make out, or if you end up not doing this because it's > more complex than it's worth. > > -- > Regards, > M > MCTS, MCSA > > "Alan" <bru...(a)gmail.com> wrote in message > > news:4186712b-99ea-43b3-a386-d34c3174ed03(a)d27g2000yqn.googlegroups.com... > > > Hello, > > > We need to hide the office address for a small number of vip users in > > the GAL without changing the underlying value in AD. The office > > addresses of everyone else has to remain visible as usual. > > > I've suggested moving the data to a custom attribute for the vip users > > and leaving their ordinary office address attribute empty. Any other > > possible solutions pls? > > > Exchange 2003 in a 2003 R2 domain with Outlook 2003. > > > Thanks, > > > - Alan. > >
From: M on 8 Feb 2010 12:18
I used to read Bill's column in one of the magazines, but then he stopped writing the column. Anyway, I skimmed through the article and it looks like it'll be a big help to you. It looks like it's walking you through how to change the permissions for a entire OU though, which doesn't seem like something you'd want to do since you only have a handful of VIPs. You'd probably want to change the permissions directly on each user object. You could put the VIPs in a special OU and modify the permissions on the OU, but that could get messy to have a special OU just for this. -- Regards, M MCTS, MCSA "Alan" <bruguy(a)gmail.com> wrote in message news:c41781f6-45a2-4858-8150-cc15ac72532a(a)q16g2000yqq.googlegroups.com... Thanks a million for all the tips! Using the pointers, I found a this great article which describes how to do something similar: http://mcpmag.com/Articles/2003/11/01/FineTuning-Active-Directory-Access.aspx Now the question is if there will be any side-effects in Outlook/ Exchange from hiding the office location ... As for why, well 'cos the customer wants it that way. On Feb 5, 7:12 pm, "M" <m...(a)n.com> wrote: > Hello Alan: > > I believe this can be done, but you must modify AD. Why would someone > request this??? It's the office address, not a personal home address or > phone number. I haven't done this myself, but I'm thinking that it can be > done by setting permissions on the "office address" attributes of the VIP > user objects. This will get you started: > > 1.) In ADUC, select View --> Advanced Features. > 2.) Open up your user object properties --> Security tab --> Advanced --> > Highlight a random account --> Edit --> Properties tab --> scroll down to > "Read Street Address." > > Now you see how specific attributes have their own permissions. This level > is very granular. I think if you deny a particular group/user, that > account > won't be able to see the attribute in the GAL, since the GAL is just a GC > query. I think you can select "domain users" and explicitly deny them Read > to the attributes, and then create a group of users who have explicit > allow > to read the same attribute. This follows standard AD security so play > around > with it. > > This site has the mappings of the attribute display names to the LDAP > names:http://www.selfadsi.org/user-attributes-w2k3.htm. I don't see this > matching > up exactly with the attribute name in ADUC (from the steps above) but the > names are close. > > Let me know how you make out, or if you end up not doing this because it's > more complex than it's worth. > > -- > Regards, > M > MCTS, MCSA > > "Alan" <bru...(a)gmail.com> wrote in message > > news:4186712b-99ea-43b3-a386-d34c3174ed03(a)d27g2000yqn.googlegroups.com... > > > Hello, > > > We need to hide the office address for a small number of vip users in > > the GAL without changing the underlying value in AD. The office > > addresses of everyone else has to remain visible as usual. > > > I've suggested moving the data to a custom attribute for the vip users > > and leaving their ordinary office address attribute empty. Any other > > possible solutions pls? > > > Exchange 2003 in a 2003 R2 domain with Outlook 2003. > > > Thanks, > > > - Alan. > > |