Correct way to Permission attributes

We have an ADAM database we are setting up that we have created custom user attributes for. We have populated users into the directory and we want anonymous access to most user attributes. We have accomplished the anonymous access part by making the correct heuristics change and placing the NT Authority\Anonymous Logon in the Readers folders. What we would like to do now is lock down a subset of the attributes so that only administrators or another group has view or full control access to these. Meaning we do not want Anonymous Logon users to see the values in these attributes. What is the best way to permission the ACLs so that I can achieve this? I have used DSACLS to modify the attributes at the schema level, but that does not seem to affect the display of those attributes for the users that have been created. When I check the ACLs of the Users container it has Readers with General Read. Even a Deny of a particular attribute for Readers at the schema level does not seem to stop the display of the attribute of a user. Any thoughts or best practices? Basically what I want is almost global anonymous access to all user attributes except for a select few that have more sensitive data in them. This sensitive data will have higher-level group only access.

thanks

Rob

Hi
as you have opened up the security of the directory rather wide, then if it is only a few attributes that you need to restrict access to, you might be able to mark those attributes as confidential (searchFlags 128 on the attributeSchema and the control_access right to read it).

See the entry for "confidential attributes" at

http://technet2.microsoft.com/WindowsServer/en/Library/e3525d00-a746-4466-bb87-140acb44a6031033.mspx

and also the blog entry:

http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential_bit.aspx

Also read the comments on the blog entry; in particular, you cannot use dsacls to set the control access right as the Technet article would have you believe; you need to use the ADAM SP1 version of ldp.exe. Of course you should only try this in a test environment first.

Lee Flight

"Microsoft News Groups" <Ple***@UseGroup.com> wrote in message news:usMETbFRGHA.6008@TK2MSFTNGP10.phx.gbl...

FYI.. That worked great. I had to upgrade ADAM to SP1. The new LDP utility is a dream.

"Lee Flight" <l**@le.ac.uk-nospam> wrote in message news:%23DzEzyFRGHA.4956@TK2MSFTNGP09.phx.gbl...
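The schema half of Lee Flight's suggestion, written out as an added example (this is not code from the thread or from Microsoft). It builds the LDIF modify that sets bit 128 (fCONFIDENTIAL) on an attributeSchema object while preserving whatever index/ANR bits are already in searchFlags, decodes a searchFlags value so an administrator can verify the change afterwards, and compares what an anonymous bind and a privileged bind return for the same user entry. The attribute name (custom-SSN) and the schema naming context DN are constructed placeholders; the searchFlags bit names come from the MS-ADTS documentation. Granting the control access right to the privileged group is the separate step the thread says must be done with the ADAM SP1 ldp.exe; nothing here attempts that.

```python
"""Added example (not part of the newsgroup thread): mark a custom
attribute confidential via searchFlags bit 128 and verify the effect.
Standard library only. Attribute name and DNs are placeholders."""
from typing import Dict, List

CONFIDENTIAL = 0x80  # fCONFIDENTIAL, what the reply calls "searchFlags 128"

# searchFlags bit names as documented in MS-ADTS (well-known values).
SEARCH_FLAG_NAMES = {
    0x0001: "fATTINDEX",
    0x0002: "fPDNTATTINDEX",
    0x0004: "fANR",
    0x0008: "fPRESERVEONDELETE",
    0x0010: "fCOPY",
    0x0020: "fTUPLEINDEX",
    0x0040: "fSUBTREEATTINDEX",
    0x0080: "fCONFIDENTIAL",
    0x0100: "fNEVERVALUEAUDIT",
    0x0200: "fRODCFilteredAttribute",
}


def decode_search_flags(value: int) -> List[str]:
    """Names of the bits set in a searchFlags value, lowest bit first."""
    return [name for bit, name in sorted(SEARCH_FLAG_NAMES.items()) if value & bit]


def is_confidential(value: int) -> bool:
    """True when the confidential bit is set in searchFlags."""
    return bool(value & CONFIDENTIAL)


def confidential_search_flags(current: int) -> int:
    """OR in bit 128 without disturbing existing index/ANR/copy bits.
    Replacing searchFlags with a bare 128 would silently drop those."""
    return current | CONFIDENTIAL


def ldif_mark_confidential(attribute_cn: str, schema_nc: str, current_flags: int) -> str:
    """LDIF 'modify' that writes searchFlags with the confidential bit set.
    attribute_cn: cn of the attributeSchema object (the custom attribute).
    schema_nc:    schema naming context DN of the ADAM instance (placeholder here).
    current_flags: the searchFlags value read from the object beforehand."""
    new_flags = confidential_search_flags(current_flags)
    return "\n".join([
        f"dn: CN={attribute_cn},{schema_nc}",
        "changetype: modify",
        "replace: searchFlags",
        f"searchFlags: {new_flags}",
        "-",
        "",
    ])


def hidden_from(anonymous_entry: Dict[str, list], privileged_entry: Dict[str, list]) -> List[str]:
    """Verification step: attributes a privileged bind sees on a user entry
    that an anonymous bind does not. After the change (and the control access
    grant to the privileged group) the confidential attribute should appear here."""
    return sorted(set(privileged_entry) - set(anonymous_entry))


if __name__ == "__main__":
    # Constructed values: a custom attribute that is currently only indexed (bit 1).
    schema_nc = "CN=Schema,CN=Configuration,CN={INSTANCE-GUID-PLACEHOLDER}"
    print(ldif_mark_confidential("custom-SSN", schema_nc, current_flags=1))
    print(decode_search_flags(confidential_search_flags(1)))  # ['fATTINDEX', 'fCONFIDENTIAL']

    # Constructed search results for one user, before/after the change.
    anon = {"cn": ["rob"], "mail": ["rob@example.test"]}
    admin = {"cn": ["rob"], "mail": ["rob@example.test"], "custom-SSN": ["***"]}
    print(hidden_from(anon, admin))  # ['custom-SSN']
```

Read the current searchFlags value first and feed it to ldif_mark_confidential so existing bits survive; the resulting file can be applied with ldifde -i -f file.ldf -s server -t port against a test instance, as the reply advises. Two caveats a practitioner should expect: the confidential bit only withholds the attribute from principals that lack the control access right on it, so the Readers group's General Read no longer exposes it once the right is granted only to the privileged group, and the bit cannot be set on attributes that are part of the base schema, which is not an issue for the custom attributes in this thread.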