Stephen,

The answers to almost all your questions lie in the realm of access control
lists (ACLs). The security mechanisms in AD are quite flexible; you can
control access down to specific attributes, operations, and users. To answer
your specific questions...
1. Use ACLs to make the information unavailable.
2. Use ACLs to make the information unavailable.
3. Yes
4. Yes, although these are not "permissions on the search feature". You use
ACLs to grant update access to SELF, and deny update access to everyone
else.

I think there are ways to configure ADUC to display only certain attributes,
but I don't know much about that. Someone else on the list certainly can
comment.

The best reference I think is the Distributed Systems Guide in the Windows
2000 Server Resource Kit, Chapter 12 "Access Control". You can read it
online starting at
http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/distrib/dsce_ctl_MFXC.asp?frame=true
There are certainly other articles and white papers and such, but the DSG
explains how all the machinery works, which I think is important to figuring
out what you can and can't do.

-gil
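As an added worked example (not from Gil's reply or the list itself), here is how the two ACL changes he describes could be applied on a current domain with PowerShell and the ActiveDirectory module: grant SELF write access to telephoneNumber on user objects under an OU, and deny a group read access to a sensitive attribute so it is absent from that group's search results. The OU path, group name and the attributes chosen are assumptions.

```powershell
# Added example: attribute-level ACEs on user objects, as Gil describes.
# Assumes the ActiveDirectory module (it provides the AD: drive) and that the
# OU and group below are replaced with real ones.
Import-Module ActiveDirectory

$ouPath    = "AD:\OU=Staff,DC=example,DC=com"   # assumed OU holding the users
$denyGroup = "Other-Domain-Users"                # assumed group that must not see homePhone

# Resolve schemaIDGUIDs at run time rather than hard-coding them.
function Get-SchemaGuid([string]$ldapDisplayName) {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNc -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}
$userClass = Get-SchemaGuid 'user'             # inherited-object type: user objects only
$phoneAttr = Get-SchemaGuid 'telephoneNumber'
$homeAttr  = Get-SchemaGuid 'homePhone'

$acl     = Get-Acl -Path $ouPath
$self    = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # NT AUTHORITY\SELF
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Bonus question 4: let each user write their own telephoneNumber.
$allowSelf = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $phoneAttr, $inherit, $userClass)
$acl.AddAccessRule($allowSelf)

# Questions 1 and 3: deny the group read access to homePhone. An attribute the
# caller cannot read is simply not returned by the search feature.
$groupSid = (Get-ADGroup -Identity $denyGroup).SID
$denyRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $homeAttr, $inherit, $userClass)
$acl.AddAccessRule($denyRead)

Set-Acl -Path $ouPath -AclObject $acl

# Verify: show the attribute-specific ACEs that were just written.
(Get-Acl -Path $ouPath).Access |
    Where-Object { $_.ObjectType -in @($phoneAttr, $homeAttr) } |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType
```

Because these ACEs are inherited, an explicit Allow set directly on an individual user object still takes precedence over the inherited Deny, so check the effective permissions on a sample user after applying them.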

-----Original Message-----
From: Bell, Stephen [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, April 02, 2003 12:46 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Controlling information shared/viewable by Active
Directory


Three part question for the group.

One of the good things about AD is the ability to use it to centralize
information about users and provide an access method for other users. By
filling in the fields in the ADUC - first name, last name, phone number,
email address etc, you make this information available to others via AD.

Anyone in the domain or forest can access this information by going to
(using XP or 2000) the search feature and looking in Active Directory.

Like I said.  This is a good thing.

My question is how do you control it?

First.  If you have information in the ADUC that you only want selected
individuals to access, how do you configure it so that it is not viewable by
users using the search feature?

Second.  If you have specific users you do NOT want to be viewable at all in
the search feature, how do you block that?

Third.  If you have multiple domains, can you set the security in such a way
as to block what other domains would see?  For instance, in my domain I may
want the users to be able to see all the information, but when users from
other domains search, they should only be able to see the name, phone
number, and email address.

A fourth bonus question.  Is it possible to set the permission on the search
feature so that users if they look up their own information can modify it,
but no one else (other than administrators of course) can change it?

I'm assuming that all of this is possible via security settings, but I don't
know where.

A guide to where this specific information can be found would also be
great.

Any help would be greatly appreciated.

Cheers

Steve

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/