RE: [ActiveDir] AD attribute
This is basically what we were discussing in the last post I responded to earlier today. You need to pick an attribute, determine how the accesses are granted and think of a way to attack it. I would probably look at employeeID or employeeNumber, neither of which I believe are in property sets.

The big thing you have to overcome would be the ACE for the Pre-W2K compatibility access because you probably have that enabled. Luckily that access is granted through an inherited ACE from the domain root so you can insert a deny at that level to block that access. Now you need to regrant to any groups you want to see it (other than acc op, admins, etc who have explicit FCs anyway) by going to a lower level in the hierarchy and granting an inherited grant to the group you created of who should get access.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 19, 2005 1:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] AD attribute

I'm running win2k in native mode.
how would I do this in win2k AD?

Thanks

On 8/19/05, Marc A. Mapplebeck <[EMAIL PROTECTED]> wrote:
> This is a step by step to add the attribute and extend the display
> specifier to allow it to be modified.
> http://www.informit.com/articles/article.asp?p=169630&rl=1
> Hope this helps - Marc
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: August 19, 2005 13:55
> To: activedirectory
> Subject: [ActiveDir] AD attribute
>
> My org wants to put social security #'s in AD as a user attrib(hidden
> from users, of course) How would I go about doing this?
>
> Thanks

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
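The reasoning in the reply above (a deny inherited from the domain root, then a regrant from a lower level in the hierarchy), as an added example that is not part of the original thread. It is a simplified model of canonical DACL ordering for a single read-property right; the group name SSN-Readers, the one-OU layout and the depth numbers are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

PREW2K = "Pre-Windows 2000 Compatible Access"
READERS = "SSN-Readers"  # hypothetical group created for the regrant

@dataclass(frozen=True)
class Ace:
    kind: str             # "deny" or "allow"
    trustee: str          # group the ACE applies to
    attr: Optional[str]   # attribute scope; None = all properties
    depth: int            # 0 explicit, 1 parent OU, 2 domain root (assumed layout)

def canonical(aces):
    """Explicit before inherited, nearer ancestor before farther,
    deny before allow within each level."""
    return sorted(aces, key=lambda a: (a.depth, a.kind != "deny"))

def can_read(aces, groups, attr):
    """First matching ACE in canonical order decides the read-property right."""
    for ace in canonical(aces):
        if ace.trustee in groups and ace.attr in (None, attr):
            return ace.kind == "allow"
    return False  # no matching ACE: implicit deny

def user_dacl(deny_at_root=True, grant_depth=1):
    """Constructed DACL as seen on a user object under one OU."""
    aces = [Ace("allow", PREW2K, None, 2)]              # existing root ACE
    if deny_at_root:
        aces.append(Ace("deny", PREW2K, "employeeID", 2))
    if grant_depth is not None:
        aces.append(Ace("allow", READERS, "employeeID", grant_depth))
    return aces

if __name__ == "__main__":
    staff, hr = {PREW2K}, {PREW2K, READERS}
    print("before deny, staff:", can_read(user_dacl(False, None), staff, "employeeID"))
    print("after deny, staff: ", can_read(user_dacl(), staff, "employeeID"))
    print("after deny, HR:    ", can_read(user_dacl(), hr, "employeeID"))
    print("grant at root, HR: ", can_read(user_dacl(grant_depth=2), hr, "employeeID"))
    print("staff displayName: ", can_read(user_dacl(), staff, "displayName"))
```

The fourth case shows why the regrant has to sit below the domain root: an allow inherited from the same level as the deny sorts after it and never takes effect.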
RE: [ActiveDir] AD attribute
In addition to the information provided below, you can refer to those articles (if you have access ...):

http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21839
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=22540
http://www.winnetmag.com/Article/ArticleID/41666/41666.html

/Alain

Complete list of articles at http://www.lissware.net

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Marc A. Mapplebeck
Sent: Friday, August 19, 2005 10:19 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD attribute

This is a step by step to add the attribute and extend the display specifier to allow it to be modified.
http://www.informit.com/articles/article.asp?p=169630&rl=1
Hope this helps - Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 19, 2005 13:55
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib(hidden from users, of course) How would I go about doing this?

Thanks
Re: [ActiveDir] AD attribute
how 'bout the Employee-Number?
or does that need to be linked via schema master?

Thanks again

On 8/19/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Return Receipt
>
> Your document: RE: [ActiveDir] AD attribute
> was received by: Ricardo Konno/SCI
> at: 19/08/2005 14:29:12
Re: [ActiveDir] AD attribute
I'm running win2k in native mode.
how would I do this in win2k AD?

Thanks

On 8/19/05, Marc A. Mapplebeck <[EMAIL PROTECTED]> wrote:
> This is a step by step to add the attribute and extend the display specifier
> to allow it to be modified.
> http://www.informit.com/articles/article.asp?p=169630&rl=1
> Hope this helps - Marc
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> Sent: August 19, 2005 13:55
> To: activedirectory
> Subject: [ActiveDir] AD attribute
>
> My org wants to put social security #'s in AD as a user attrib(hidden from
> users, of course) How would I go about doing this?
>
> Thanks
Re: [ActiveDir] AD attribute
Oh, yeah, is there a way to do this without altering the Schema?
Like using an existing attrib?
I don't have access to the Schema master(loong story) or anything in the root domain. And never will.

On 8/19/05, Tom Kern <[EMAIL PROTECTED]> wrote:
> I'm running win2k in native mode.
> how would I do this in win2k AD?
>
> Thanks
>
> On 8/19/05, Marc A. Mapplebeck <[EMAIL PROTECTED]> wrote:
> > This is a step by step to add the attribute and extend the display specifier
> > to allow it to be modified.
> > http://www.informit.com/articles/article.asp?p=169630&rl=1
> > Hope this helps - Marc
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
> > Sent: August 19, 2005 13:55
> > To: activedirectory
> > Subject: [ActiveDir] AD attribute
> >
> > My org wants to put social security #'s in AD as a user attrib(hidden from
> > users, of course) How would I go about doing this?
> >
> > Thanks
RE: [ActiveDir] AD attribute
Return Receipt

Your document: RE: [ActiveDir] AD attribute
was received by: Chris Ryan/MIS/CORP/KrogerCo
at: 08/19/2005 13:41:55
RE: [ActiveDir] AD attribute
Return Receipt

Your document: RE: [ActiveDir] AD attribute
was received by: Ricardo Konno/SCI
at: 19/08/2005 14:29:12
RE: [ActiveDir] AD attribute
This is a step by step to add the attribute and extend the display specifier to allow it to be modified.
http://www.informit.com/articles/article.asp?p=169630&rl=1
Hope this helps - Marc

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: August 19, 2005 13:55
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib(hidden from users, of course) How would I go about doing this?

Thanks
RE: [ActiveDir] AD attribute
If you are running Windows Server 2003 SP1 I would investigate using the confidential attribute setting. Take a look at the "Confidential attributes" section of this resource
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/TechRef/e3525d00-a746-4466-bb87-140acb44a603.mspx
for more details.

Thanks,
-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: Friday, August 19, 2005 11:55 AM
To: activedirectory
Subject: [ActiveDir] AD attribute

My org wants to put social security #'s in AD as a user attrib(hidden from users, of course) How would I go about doing this?

Thanks