
Can I hide an attribute of certain users only in the GAL without changing AD ?

1,164 views

Alan
Feb 4, 2010, 3:44:26 PM
Hello,

We need to hide the office address for a small number of VIP users in
the GAL without changing the underlying value in AD. The office
addresses of everyone else have to remain visible as usual.

I've suggested moving the data to a custom attribute for the VIP users
and leaving their ordinary office address attribute empty. Any other
possible solutions, please?

Exchange 2003 in a 2003 R2 domain with Outlook 2003.

Thanks,

- Alan.

Mark Arnold [MVP]
Feb 4, 2010, 4:56:11 PM
On Thu, 4 Feb 2010 12:44:26 -0800 (PST), Alan <bru...@gmail.com>
wrote:

The GAL /is/ AD. It doesn't also exist somewhere else.
What's the point? Any employee can find out the office address of
these VIP users. They don't need to look at the GAL for that
information.

chriske911
Feb 5, 2010, 10:50:20 AM
After serious thinking Alan wrote:
> Hello,

> Thanks,

> - Alan.

just an idea:
hide the account from showing up in GAL
then create a contact that looks similar

grtz


M
Feb 5, 2010, 1:12:30 PM
Hello Alan:

I believe this can be done, but you must modify AD. Why would someone
request this??? It's the office address, not a personal home address or
phone number. I haven't done this myself, but I'm thinking that it can be
done by setting permissions on the "office address" attributes of the VIP
user objects. This will get you started:

1.) In ADUC, select View --> Advanced Features.
2.) Open up your user object properties --> Security tab --> Advanced -->
Highlight a random account --> Edit --> Properties tab --> scroll down to
"Read Street Address."

Now you see how specific attributes have their own permissions. This level
is very granular. I think if you deny a particular group/user, that account
won't be able to see the attribute in the GAL, since the GAL is just a GC
query. I think you can select "domain users" and explicitly deny them Read
to the attributes, and then create a group of users who have explicit allow
to read the same attribute. This follows standard AD security so play around
with it.

This site has the mappings of the attribute display names to the LDAP names:
http://www.selfadsi.org/user-attributes-w2k3.htm. I don't see this matching
up exactly with the attribute name in ADUC (from the steps above) but the
names are close.

Let me know how you make out, or if you end up not doing this because it's
more complex than it's worth.

--
Regards,
M
MCTS, MCSA

"Alan" <bru...@gmail.com> wrote in message
news:4186712b-99ea-43b3...@d27g2000yqn.googlegroups.com...
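The ADUC steps above can be scripted so the same attribute-level ACE is applied identically to each VIP object and then verified. This is an added example, not code from anyone in the thread: it uses the .NET System.DirectoryServices classes to look up the attribute's schemaIDGUID, add a Deny "Read property" ACE for one group on one user object, and list the resulting ACEs. The user DN, the group name and the attribute name (streetAddress, which ADUC labels "Street"; the "Office" field on the General tab is physicalDeliveryOfficeName) are placeholders and assumptions you must adjust.

```powershell
# Added example: deny one group "Read" on a single attribute of a single user
# object (the granular ACE described in the post above), then verify it.
# Assumptions (labelled): DN, group and attribute below are placeholders; the
# attribute is streetAddress; you run this with rights to edit the object's DACL.
param(
    [string]$UserDn    = 'CN=VIP User,OU=VIPs,DC=example,DC=com', # placeholder
    [string]$DenyGroup = 'EXAMPLE\Domain Users',                   # placeholder
    [string]$Attribute = 'streetAddress'                           # assumption
)

Add-Type -AssemblyName System.DirectoryServices

# Resolve the attribute's schemaIDGUID so the ACE is scoped to this one property.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.schemaNamingContext.Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaNc",
    "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))",
    [string[]]@('schemaIDGUID'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "Attribute '$Attribute' not found in the schema" }
$attrGuid = New-Object System.Guid -ArgumentList @(, [byte[]]$hit.Properties['schemaidguid'][0])

# Build a Deny ACE: this identity may not read this one property on this object.
$sid = (New-Object System.Security.Principal.NTAccount($DenyGroup)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $attrGuid)

# Apply it directly to the user object (per object, as suggested, not on the OU).
$user = [ADSI]"LDAP://$UserDn"
$user.ObjectSecurity.AddAccessRule($rule)
$user.CommitChanges()

# Verify: list every ACE on the object that is scoped to this attribute.
$user.ObjectSecurity.GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, IsInherited
```

Two points to check when you test this. First, a Deny ACE is evaluated before Allow, so the group that should still see the value needs its own explicit Allow ACE for the same property GUID, and any Domain Users member who is also in that group will still be denied; exclude the readers from the denied group rather than relying on Allow to override. Second, the ACE only governs live directory queries (online-mode Outlook, LDAP clients). Outlook clients in cached mode read the Offline Address Book, which the Exchange server generates under its own account and serves to everyone, so the value can still appear there; verify both an online and a cached-mode client before declaring the change done.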

Alan
Feb 8, 2010, 11:02:38 AM
Thanks a million for all the tips! Using the pointers, I found this
great article which describes how to do something similar:

http://mcpmag.com/Articles/2003/11/01/FineTuning-Active-Directory-Access.aspx

Now the question is if there will be any side-effects in Outlook/
Exchange from hiding the office location ...

As for why, well 'cos the customer wants it that way.

M
Feb 8, 2010, 12:18:35 PM
I used to read Bill's column in one of the magazines, but then he stopped
writing the column. Anyway, I skimmed through the article and it looks like
it'll be a big help to you. It looks like it's walking you through how to
change the permissions for an entire OU though, which doesn't seem like
something you'd want to do since you only have a handful of VIPs. You'd
probably want to change the permissions directly on each user object. You
could put the VIPs in a special OU and modify the permissions on the OU, but
that could get messy to have a special OU just for this.

--
Regards,
M
MCTS, MCSA

"Alan" <bru...@gmail.com> wrote in message
news:c41781f6-45a2-4858...@q16g2000yqq.googlegroups.com...

Alan
Feb 9, 2010, 2:44:13 PM
Fortunately there aren't that many VIPs so yes, I can just change the
permissions on each user.

Thanks again. Much appreciated.

On Feb 8, 6:18 pm, "M" <m...@n.com> wrote:
> I used to read Bill's column in one of the magazines, but then he stopped
> writing the column. Anyway, I skimmed through the article and it looks like
> it'll be a big help to you. It looks like it's walking you through how to
> change the permissions for an entire OU though, which doesn't seem like
> something you'd want to do since you only have a handful of VIPs. You'd
> probably want to change the permissions directly on each user object. You
> could put the VIPs in a special OU and modify the permissions on the OU, but
> that could get messy to have a special OU just for this.
> --
> Regards,
> M
> MCTS, MCSA
>
> "Alan" <bru...@gmail.com> wrote in message
>
> news:c41781f6-45a2-4858...@q16g2000yqq.googlegroups.com...
> Thanks a million for all the tips! Using the pointers, I found this
> great article which describes how to do something similar:
>

> http://mcpmag.com/Articles/2003/11/01/FineTuning-Active-Directory-Acc...
