I'm trying to prevent users other than a specific universal group, as
well as domain admins, from reading the data in the extensionAttribute1,
and extensionAttribute2 attributes on the user property in AD that
Exchange 2003 puts there when you install it.
The reason is that we have some sensitive data in that field, and as it
is now, anyone (Authenticated Users) can query using LDAP and suck that
information out, which happens to be privileged HR information.
Anyway, is there a way we can deny read access to all but a few
explicitly allowed people or groups? Where is this done, and how?
Thanks for any assistance!
-Steve Athanas,
MCSE: Security, MCSE: Messaging
Enterprise Systems Engineer
As to applying permissions to the attributes, I recommend that you ask this
question in an active directory newsgroup.
--
Ed Crowley
MVP - Exchange
"Protecting the world from PSTs and brick backups!"
"Steve Athanas" <Please_jus...@group.com> wrote in message
news:%23lJ0cYm...@TK2MSFTNGP09.phx.gbl...
You're right, it doesn't show in the address book by default. My problem
is that we have a web app that does LDAP queries against our directory,
and it contains extensionAttributes 1 and 2 that have confidential
information in them, so hiding them isn't really enough, I have to find
a way to actually deny read permissions on it to the organization, save
the domain admins.
Thanks, though.
I had seen that information, but it doesn't look like what I want to do
can be done on that page. I don't want to modify the attribute's
replication to DCs or whether it's indexed. Instead, I want to prevent
people from using a utility such as LDP from reading that value in that
field. Or prevent someone who gets a copy of AD Users and Computers from
looking at that attribute, unless they are a member of Domain Admins,
(or ideally, another group that management decides should have access.)
Any thoughts on that?
Thanks!
This looks like a case where you might be able to use "Confidential Attributes":
and search for "Confidential Attributes"
Downsides are:
not that easy to use at present as there is very little in the way of tools
for setting the delegation
the attributes in question are part of the Exchange schema extension
and hiding from Exchange that which belongs to Exchange can be
problematic.
I think lots of testing would be in order and you may need to open
a case with Microsoft to get the delegation settings correct.
Lee Flight
"Steve Athanas" <Please_jus...@group.com> wrote in message
news:u57sEavr...@TK2MSFTNGP12.phx.gbl...
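The "Confidential Attributes" approach Lee Flight points at is, mechanically, two steps: set bit 7 (0x80) of searchFlags on the attribute's attributeSchema object, after which a DC only returns the value to callers holding the Control Access right on it, and then grant that right to the group that should still read it. The script below is an added example, not code from any poster in this thread. It assumes a schema master named DC1, a reader group CONTOSO\HR-Secure-Readers and an OU DN of OU=Staff,DC=contoso,DC=com; all three are placeholders. It requires Windows Server 2003 SP1 or later DCs and must run as a Schema Admin.

```powershell
# Added example: mark extensionAttribute1/2 confidential and delegate read access.
# Placeholders (assumptions, not from the thread): $schemaMaster, $readerGroup, $targetOu.
$schemaMaster = 'DC1'                               # schema changes must go to the schema FSMO
$readerGroup  = 'CONTOSO\HR-Secure-Readers'         # group that may still read the values
$targetOu     = 'OU=Staff,DC=contoso,DC=com'        # where the user objects live

$rootDse    = [ADSI]"LDAP://$schemaMaster/RootDSE"
$schemaNC   = $rootDse.schemaNamingContext.Value
$CONFIDENTIAL = 0x80                                # searchFlags bit 7
$BASE_SCHEMA  = 0x10                                # systemFlags bit 4: category 1 (base) attribute

# Schema CN -> LDAP display name for the two Exchange extension attributes
$attributes = @{
    'ms-Exch-Extension-Attribute-1' = 'extensionAttribute1'
    'ms-Exch-Extension-Attribute-2' = 'extensionAttribute2'
}

foreach ($cn in $attributes.Keys) {
    $attr = [ADSI]"LDAP://$schemaMaster/CN=$cn,$schemaNC"

    # The confidential bit is silently ignored on base-schema attributes; these
    # come from the Exchange schema extension, so the check should pass.
    $systemFlags = [int]$attr.systemFlags.Value
    if ($systemFlags -band $BASE_SCHEMA) {
        throw "$cn is a base-schema attribute; it cannot be made confidential"
    }

    $flags = [int]$attr.searchFlags.Value
    if (-not ($flags -band $CONFIDENTIAL)) {
        # Keep the existing flags (indexing, GC replication) and add only bit 7
        $attr.Put('searchFlags', ($flags -bor $CONFIDENTIAL))
        $attr.SetInfo()
        Write-Host "Marked $cn confidential (searchFlags $flags -> $($flags -bor $CONFIDENTIAL))"
    } else {
        Write-Host "$cn already confidential"
    }
}

# Grant the Control Access (CA) right on each attribute to the reader group,
# inherited by user objects under the OU. Everyone else loses the value; users
# with Full Control (Domain Admins by default) keep it, since Full Control
# includes all control access rights.
foreach ($ldapName in $attributes.Values) {
    & dsacls.exe $targetOu /I:S /G "${readerGroup}:CA;${ldapName};user"
}

# Verification: search from the caller's own context and report whether the
# value came back. Run this once as a group member and once as a plain user.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$targetOu", '(&(objectCategory=person)(objectClass=user))',
    @('sAMAccountName','extensionAttribute1','extensionAttribute2'))
foreach ($result in $searcher.FindAll()) {
    $props = $result.Properties
    $visible = @($attributes.Values | Where-Object { $props.Contains($_.ToLower()) })
    Write-Host ("{0}: {1}" -f $props['samaccountname'][0],
        $(if ($visible.Count) { "can read $($visible -join ', ')" } else { 'values hidden' }))
}
```

Two caveats match Lee's warning: the schema change replicates forest-wide and is effectively permanent (the bit can be cleared, but test first), and Exchange's own service accounts read these attributes through their ACLs, so check that mailbox operations still work against a test OU before touching the OU that holds the HR data.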