RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-21 Thread Steve Rochford

This is what I run - it assumes a SQL database containing tables staff (basic personal details) and tel_staff (phone numbers).

Our user IDs are the same as the payroll numbers (which makes this easy!) and the function GetAdsPath returns the path if the user exists or "Not Found" if they don't exist (some members of staff don't have network accounts). Some staff have more than one phone number, hence the check to see if it's the second time a user has been found. ClearNull is a function which checks for NULL and replaces it with N/A (because things fall over in AD if you try and set values to NULL!).

Steve

    ' One row per (staff member, phone number); staff without a phone get a NULL ext from the LEFT JOIN.
    sql = "select department, section, jobtitle, staff.staff_no, ext, surname " & _
          "from staff left join tel_staff on tel_staff.staff_no = staff.staff_no"
    RS2.Open sql, db2
    oldid = ""
    strUserPath = "Not Found"
    Do While Not RS2.EOF
        id = Trim(RS2("staff_no"))
        ext = ClearNull(Trim(RS2("ext")))
        If id <> oldid Then
            ' First row for this member of staff: look up the account and set every attribute.
            strUserPath = GetAdsPath(RS2("staff_no"))
            If strUserPath <> "Not Found" Then
                Set usr = GetObject(strUserPath)
                usr.telephoneNumber = ext
                usr.title = ClearNull(RS2("jobtitle"))
                usr.company = ClearNull(RS2("department"))
                usr.department = ClearNull(RS2("section"))
                usr.SetInfo
            End If
        ElseIf strUserPath <> "Not Found" Then
            ' Second (or later) phone number for the same member of staff: append it.
            usr.telephoneNumber = usr.telephoneNumber & "/" & ext
            usr.SetInfo
        End If
        oldid = id
        RS2.MoveNext
    Loop
    RS2.Close

  
-Original Message-
From: Duncan, Larry [mailto:[EMAIL PROTECTED]
Sent: 18 July 2003 20:22
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Any chance of you sharing the skeleton of the script?

-Original Message-
From: Ken Cornetet [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

I solved this problem the easy way by writing a perl program to read user information (phone number, address, etc) out of our master HR database and compare it to what's in AD. If it's different, AD gets updated. This runs every few hours.

Users can change their AD info all they want, but in a couple of hours, it goes back to what we want.

-Original Message-
From: Rogers, Brian [mailto:[EMAIL PROTECTED]
Sent: Friday, July 18, 2003 12:08 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Yea...they exist..but for the 50 thousand dollar pricetag on them (for even our small environment)...we couldn't justify the cost.

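The HR-to-AD reconciliation that Steve's VBScript and Ken's perl program perform, combined with the numeric-only phone rule Tim asked for (and that Doug's vendor tools enforce server-side), as an added Python example that is not part of this thread: it builds the desired state from HR rows, validates phone values, and diffs that against AD records to produce the writes that would revert user drift. The dict-based HR rows and AD entries are constructed sample data standing in for the real SQL result set and ADSI objects, and the "N/A" substitution mirrors Steve's ClearNull.

```python
import re
from dataclasses import dataclass

# Characters people legitimately type around a number (Joe's "()" and "-"), plus whitespace.
_SEPARATORS = re.compile(r"[\s().\-]")

# HR column -> AD attribute, the same mapping Steve's script uses.
_ATTR_MAP = {"jobtitle": "title", "department": "company", "section": "department"}


def clear_null(value):
    """Counterpart of Steve's ClearNull: AD rejects empty values, so substitute N/A."""
    if value is None:
        return "N/A"
    text = str(value).strip()
    return text if text else "N/A"


def validate_phone(raw):
    """Return the digits of a phone value, or None if anything but digits is left
    once separators are removed (the numeric-only rule Tim asked for)."""
    if raw is None:
        return None
    digits = _SEPARATORS.sub("", str(raw))
    return digits if digits.isdigit() else None


@dataclass(frozen=True)
class Change:
    account: str      # staff number == user ID, as in Steve's environment
    attribute: str
    old: str
    new: str


def desired_state(hr_rows):
    """Collapse the staff LEFT JOIN tel_staff rows into one record per staff_no.
    Several extensions are joined with "/" like the original script; an HR phone
    value that fails validation is reported instead of being pushed into AD."""
    wanted, rejected = {}, []
    for row in hr_rows:
        staff_no = str(row["staff_no"]).strip()
        rec = wanted.setdefault(
            staff_no, {ad: clear_null(row.get(col)) for col, ad in _ATTR_MAP.items()})
        raw_ext = row.get("ext")
        if raw_ext is None:                       # no tel_staff row: NULL from the LEFT JOIN
            rec.setdefault("telephoneNumber", "N/A")
            continue
        ext = validate_phone(raw_ext)
        if ext is None:
            rejected.append((staff_no, raw_ext))  # bad HR data: leave AD's value alone
            continue
        current = rec.get("telephoneNumber")
        rec["telephoneNumber"] = ext if current in (None, "N/A") else current + "/" + ext
    return wanted, rejected


def reconcile(hr_rows, ad_users):
    """Diff the HR view against AD and return the writes needed to revert drift
    (Ken's "in a couple of hours it goes back to what we want"). Staff with no
    AD account are skipped, as GetAdsPath's "Not Found" does in Steve's loop."""
    wanted, rejected = desired_state(hr_rows)
    changes = []
    for staff_no, attrs in sorted(wanted.items()):
        current = ad_users.get(staff_no)
        if current is None:
            continue
        for attr, new in attrs.items():
            old = current.get(attr, "")
            if old != new:
                changes.append(Change(staff_no, attr, old, new))
    return changes, rejected


# Constructed sample data standing in for the SQL result set and the AD user objects.
HR_ROWS = [
    {"staff_no": "1001", "jobtitle": "Analyst", "department": "Finance", "section": "Payroll", "ext": "2345"},
    {"staff_no": "1001", "jobtitle": "Analyst", "department": "Finance", "section": "Payroll", "ext": " 2346 "},
    {"staff_no": "1002", "jobtitle": None, "department": "IT", "section": "Ops", "ext": "3000"},
    {"staff_no": "1003", "jobtitle": "Clerk", "department": "HR", "section": "Records", "ext": "1-800-EAT-POOH"},
    {"staff_no": "1004", "jobtitle": "Porter", "department": "Estates", "section": None, "ext": None},
    {"staff_no": "1005", "jobtitle": "Temp", "department": "HR", "section": "Records", "ext": "4100"},
]
AD_USERS = {  # 1005 has no network account; 1001 edited their own number; 1002 edited their title
    "1001": {"telephoneNumber": "1-800-eat-pooh", "title": "Analyst", "company": "Finance", "department": "Payroll"},
    "1002": {"telephoneNumber": "3000", "title": "Analyst", "company": "IT", "department": "Ops"},
    "1003": {"telephoneNumber": "5555", "title": "Clerk", "company": "HR", "department": "Records"},
    "1004": {"telephoneNumber": "N/A", "title": "Porter", "company": "Estates", "department": "N/A"},
}

if __name__ == "__main__":
    changes, rejected = reconcile(HR_ROWS, AD_USERS)
    for c in changes:          # in production each Change becomes an ADSI/LDAP write plus SetInfo
        print(f"{c.account}: {c.attribute} {c.old!r} -> {c.new!r}")
    for staff_no, value in rejected:
        print(f"{staff_no}: HR phone {value!r} rejected, not written")
```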

RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-21 Thread Joe

When you say they do you mean tools that inject into the internal processes and add business rule logic or, as Doug indicated, simply lock things down so that business rules are applied through an approved update interface.


  
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, July 17, 2003 1:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Maybe someone can indicate how to restrict the field to numeric only (it's not already??? Huh - never tried, I guess.), I suspect it's a schema mod - but I thought that I answered the rest of the question, did I not?

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Wednesday, July 16, 2003 9:27 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Locking Down User Information Fields in AD

Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account. AD...

Basically I want them only to be able to update their own phone # and nothing else and I would also like to force it to be strictly a numeric only field (which it isn't by default.)

Any ideas??

Thanks,

-Tim


RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-18 Thread Hazelman, Doug

Joe,

There are <plug> third party tools that do allow you to define "rules" for property validation that are enforced on the server side and not the client side so that they can't be bypassed. You can define that the phone number must be in the format (xxx) xxx- and it will not allow x to be anything but numeric. This format is OK if you're a North America only company, it gets more complex if you need to support multiple country phone number formats. These tools also allow for a simplified and customizable web interface for users to go to for making the change themselves </plug>.

-doug

Director of Product Management
Aelita Software




RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-18 Thread Joe

True to your overall statement, if you lock things down and only allow updates through interfaces with business rules you can completely control what goes out there.

I am curious about your initial statement, are you saying you have something that injects into the AD internal processes and will inflict business rules on updates irregardless of source? I wasn't aware anyone had something like that but fully figured someone would do it if MS didn't. OR are you simply saying what I said above, you lock things down and only allow updates through interfaces with business rules?


  


RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-18 Thread Hazelman, Doug

Lock things down and only allow updates through interfaces with business rules.

-doug




RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-18 Thread Joe

Ah ok, thanks for the clarification.


  


RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-18 Thread Jackson Shaw

Not an expert but I think there is a soln to this:

- If you are running W2K3 Server there is a new feature called the Authorization Manager
- If you are running IIS 6.0 you can program rules/scopes etc using the AuthZ Manager
- This would allow you to dynamically determine what a user could do/update etc if you used ASP or what have you

More info on AuthZ Manager at: http://support.microsoft.com/default.aspx?scid=kb;en-us;324470

http://msdn.microsoft.com/library/default.asp?url=""

Introduction

To perform the tasks that they are designed for, applications must carry out operations and access system resources on behalf of the application's user while protecting these operations and resources from unauthorized access. With Microsoft Windows NT, Windows 2000 and Windows XP operating systems, administrators can control whether a process can access securable objects or perform various system administration tasks. This control is provided through an object-centric authorization model using access control lists (ACL). Each system object has an associated list of trustees (user account, group account, or logon session) with specific sets of rights for that object. This model lends itself well to securing access to well-defined, persistent resources. However, ACLs can be unnatural for other types of applications, such as those that restrict access to specific business processes.

Windows Server 2003 introduces a complementary authorization interface, called Authorization Manager, which includes role-based access control. Authorization Manager provides a natural framework for business process applications that require representing the organizational model within the application security framework. For these types of applications, this new set of APIs and management tools allows for simpler application design and application security management.














RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-18 Thread Duncan, Larry

Any chance of you sharing the skeleton of the script?




RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-17 Thread Wright, T. MR NSSB



Joe/Rick,
Sorry for the double post ;-) I was also surprised that the phone field is not numeric only, I always had more perplexing issues to worry about, rather than if some end user is gonna list their phone number as 1-800-eat-pooh (which now that I know I can do this, I might make that my phone # ;-) but it is indeed alpha-numeric. You did answer my question... This was one of those "It would be nice if.." requests. I am going to play around with this in our lab and I'll let you know how it goes.

Thanks,

-Tim



From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Thursday, July 17, 2003 1:14 AMTo: 
[EMAIL PROTECTED]

Maybe someone can indicate how to restrict the field to 
numeric only (it's not already??? Huh - never tried, I guess.), I 
suspect it's a schema mod - but I thought that I answered the rest of the 
question, did I not?


Rick Kingslan MCSE, MCSA, MCTMicrosoft MVP - Active 
DirectoryAssociate ExpertExpert Zone - 
www.microsoft.com/windowsxp/expertzone 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Wednesday, July 16, 2003 9:27 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Locking Down User Information Fields in AD

Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account. AD...

Basically I want them only to be able to update their own phone # and nothing else and I would also like to force it to be strictly a numeric only field (which it isn't by default.)

Any ideas??


Thanks,

-Tim



RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-17 Thread Joe
Title: Message



Oops, I missed that piece. TelephoneNumber is type 2.5.5.12, which is a case-insensitive Unicode string. You need that because people want to put in () and -. Unfortunately they can also add other letters/characters.

  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Thursday, July 17, 2003 1:14 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
  Maybe someone can indicate how to restrict the field to 
  numeric only (it's not already??? Huh - never tried, I guess.), I 
  suspect it's a schema mod - but I thought that I answered the rest of 
  the question, did I not?
  
  
  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
  Sent: Wednesday, July 16, 2003 9:27 PM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Locking Down User Information Fields in AD
  
  Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account. AD...

  Basically I want them only to be able to update their own phone # and nothing else and I would also like to force it to be strictly a numeric only field (which it isn't by default.)

  Any ideas??
  
  
  Thanks,
  
  -Tim
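
Added example for this page (not code from Joe or anyone else in the thread): the PowerShell below reads the telephoneNumber definition out of the schema to confirm the String(Unicode) syntax Joe describes, then scans a container for values containing anything beyond digits and the usual separators. Because the syntax of an existing attribute cannot be changed, the only place a "digits only" rule can live is a check like this one or the provisioning script that writes the value. The search base and the regular expression are assumptions; adjust both to your environment.

```powershell
# Added example for this page, not code from the thread.
# Assumptions (hypothetical): the container to scan and the accepted phone pattern.
$searchBase = 'OU=Staff,DC=example,DC=com'
$allowed    = '^\+?[0-9][0-9 ().-]*[0-9]$'   # digits with the separators people type: space ( ) - .

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = [string]$rootDse.schemaNamingContext

# 1. The attribute's syntax from the schema. attributeSyntax 2.5.5.12 with oMSyntax 64 is
#    String(Unicode): any character is storable, so the directory cannot enforce digits.
$schemaSearch = [ADSISearcher]'(&(objectClass=attributeSchema)(lDAPDisplayName=telephoneNumber))'
$schemaSearch.SearchRoot = [ADSI]"LDAP://$schemaNC"
$attr = $schemaSearch.FindOne().Properties
'telephoneNumber: attributeSyntax={0} oMSyntax={1}' -f $attr['attributesyntax'][0], $attr['omsyntax'][0]

# 2. Report every user whose value does not match the house pattern. The check has to live
#    here (or in whatever writes the attribute), since it cannot live in the schema.
$userSearch = [ADSISearcher]'(&(objectCategory=person)(objectClass=user)(telephoneNumber=*))'
$userSearch.SearchRoot = [ADSI]"LDAP://$searchBase"
$userSearch.PageSize = 500
$userSearch.PropertiesToLoad.AddRange([string[]]('sAMAccountName', 'telephoneNumber'))

foreach ($hit in $userSearch.FindAll()) {
    $sam   = [string]$hit.Properties['samaccountname'][0]
    $phone = [string]$hit.Properties['telephonenumber'][0]
    if ($phone -notmatch $allowed) {
        # One row per offender, e.g. the "1-800-eat-pooh" case from the thread
        [pscustomobject]@{ User = $sam; telephoneNumber = $phone }
    }
}
```

Run it as any account with read access to the container; it changes nothing. Tighten or loosen `$allowed` to match what your HR feed actually emits, otherwise every legitimate "+44 (0)20 ..." style entry shows up as a finding.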
  


RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-16 Thread Rick Kingslan



Sure. I just posted a message here already about 
delegating computer object stuff, but the user object stuff is pretty much the 
same. Let's say you don't want your users to change their phone number, 
for example. One point on this example - by default, all users have the 
right (or more appropriately - the permission) to modify their OWN information, 
so we'll need to take it away.

1. Go to the Domain or OU level of choice, right click / Properties / Security / Advanced UI
2. If not already there, add the SELF principal. Makes life easier - see caveat [1]
3. Select the Properties tab, 'Apply onto:' and choose User Object
4. Check in the DENY column the fields that you do not want the user to be able to Write to - they will still be able to View it.
5. Apply / OK / OK should get it done.

[1] Caveat - make sure that you plan this carefully. SELF is great for this, unless you REALLY want to assign this explicitly to each and every user. Denys, as always, are very nasty and a misplaced one can be very hard to track down. Apply this on to an OU for your users, leaving the Administrative accounts unscathed.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Wednesday, July 16, 2003 2:41 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Locking Down User Information Fields in AD

Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account. AD...

Basically I want them only to be able to update their own phone # and nothing else and I would also like to force it to be strictly a numeric only field (which it isn't by default.)

Any ideas??


Thanks,

-Tim



RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-16 Thread Joe
Title: Message



Sorry Rick this won't really work this easily.

The problem is that MS in their infinite wisdom (sorry this is one of those sore spots with me) made lots of permissions part of the default sd for a given object. With user objects self gets rights on several property sets - Personal Information, Phone and Mail Options, Web Information.

Because these default sd's get applied directly to the object combined with the fact that inherited aces do not overpower explicit aces (unless you have 3 kings and a deuce) you can't trump the explicit grant of access to say address (which is in personal information property set) with an inherited deny.

The only way to correct this is to (and not necessarily in this order)

a. apply a deny ace for every property you want denied on every user object you want it denied on
b. remove the self grant personal information ace and then add a new ace for any attributes in pers-inf you want the user to modify. Note that you really need to understand what is in the property set before you remove it so you know what you are breaking... like user certs for instance...

I don't really recommend A and if you do B you will want to do the corresponding Schema update to modify the default SD for the object so you don't have to keep doing it for all the new users.

<exchange vent>
This is one of the many reasons why Exchange 2K Granular delegation is such a royal pain in the arse. Take a look at the public information property set and what you need to do basic Exchange mailbox support work such as deleting (disconnecting), reconnecting, and moving. If you have a setup where you want E2K admins to not dork with non-exchange attributes you have to add a bazillion aces (*slight* inflation of truth) to the containers where user objects reside. Then in the meanwhile any bright exchange admin realizes they can give themselves more access by simply using an Exchange server to add themselves to an Exchange Server group and bypass your delegation because if you modify the delegation to the "main" Exchange Server/Services groups, you are no longer supported by MS.
</exchange vent>

<dream weaver sequence>
I would love to have seen less default perms given in the default sd's. Also I would like to see a separate workstation and server computer object so you can have different default sd's and inherited perms for them. Heck while I'm at it... I want operatingSystemHotfix to be updated on computer objects automatically (and make it multivalued) or at least someone to publish the format it will be using when it is published so I can write something to do it in the meanwhile... As joe patches for MS03-26.
</dream weaver sequence>


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, July 16, 2003 7:58 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
  Sure. I just posted a message here already about 
  delegating computer object stuff, but the user object stuff is pretty much the 
  same. Let's say you don't want your users to change their phone number, 
  for example. One point on this example - by default, all users have the 
  right (or more appropriately - the permission) to modify their OWN 
  information, so we'll need to take it away.
  
  1. Go to the Domain or OU level of choice, right click / Properties / Security / Advanced UI
  2. If not already there, add the SELF principal. Makes life easier - see caveat [1]
  3. Select the Properties tab, 'Apply onto:' and choose User Object
  4. Check in the DENY column the fields that you do not want the user to be able to Write to - they will still be able to View it.
  5. Apply / OK / OK should get it done.
  
  [1] Caveat - make sure that you plan this carefully. SELF is great for this, unless you REALLY want to assign this explicitly to each and every user. Denys, as always, are very nasty and a misplaced one can be very hard to track down. Apply this on to an OU for your users, leaving the Administrative accounts unscathed.
  
  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
  Sent: Wednesday, July 16, 2003 2:41 PM
  To: '[EMAIL PROTECTED]'
  Subject: [ActiveDir] Locking Down User Information Fields in AD
  
  Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account. AD...

  Basically I want them only to be able to update their own phone # and nothing else and I would also like to force it to be strictly a numeric only field (which it isn't by default.)

  Any ideas??
  
  
  Thanks,
  
  -Tim
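
The block below is an added example written for this page; it is not code from Rick, Joe or Microsoft, and it covers both Rick's five-step procedure and Joe's correction. Part 1 does Rick's steps with ADSI instead of the ADUC GUI: an inherited Deny for SELF on a chosen set of attributes, applied onto user objects under an OU. Part 2 lists what SELF actually holds on one user object, explicit ACEs first, which is also the order the DACL is evaluated in: the explicit Allow on the "Personal Information" and "Web Information" property sets (put there by the user class's defaultSecurityDescriptor) is checked before the inherited Deny, so the Deny never gets a say. Part 3 is Joe's option (b) on that one object: the explicit property-set Allows are replaced with an explicit Read on the same sets plus Write on telephoneNumber only, which is the thread's stated goal. The OU, the user DN and the attribute names are assumptions, and the script changes live ACLs, so it belongs in a lab first.

```powershell
# Added example for this page, not code from the thread. Changes ACLs: run in a lab first.
# Assumptions (hypothetical): the OU, the user, and which attributes to deny.
$ouDN      = 'OU=Staff,DC=example,DC=com'
$userDN    = 'CN=Tim Wright,OU=Staff,DC=example,DC=com'
$denyAttrs = 'streetAddress', 'wWWHomePage'

$rootDse   = [ADSI]'LDAP://RootDSE'
$schemaNC  = [string]$rootDse.schemaNamingContext
$configNC  = [string]$rootDse.configurationNamingContext
$self      = [System.Security.Principal.SecurityIdentifier]'S-1-5-10'   # well-known SID for SELF
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$readProp  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$allow     = [System.Security.AccessControl.AccessControlType]::Allow
$deny      = [System.Security.AccessControl.AccessControlType]::Deny
$toDescendents = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$thisObject    = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None

function Get-SchemaIdGuid([string]$ldapDisplayName) {
    # schemaIDGUID of an attribute or class; it is the ObjectType / InheritedObjectType of an ACE
    $s = [ADSISearcher]"(lDAPDisplayName=$ldapDisplayName)"
    $s.SearchRoot = [ADSI]"LDAP://$schemaNC"
    $s.PropertiesToLoad.Add('schemaIDGUID') | Out-Null
    $r = $s.FindOne()
    if (-not $r) { throw "schema object '$ldapDisplayName' not found" }
    [guid][byte[]]$r.Properties['schemaidguid'][0]
}

function Get-PropertySetGuid([string]$displayName) {
    # rightsGuid of a property set such as 'Personal Information', from CN=Extended-Rights
    $s = [ADSISearcher]"(&(objectClass=controlAccessRight)(displayName=$displayName))"
    $s.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configNC"
    $s.PropertiesToLoad.Add('rightsGuid') | Out-Null
    $r = $s.FindOne()
    if (-not $r) { throw "property set '$displayName' not found" }
    [guid]$r.Properties['rightsguid'][0]
}

$userClass = Get-SchemaIdGuid 'user'

# --- Part 1: Rick's steps 1-5. The Deny is inherited by user objects below the OU. ---
$ou = [ADSI]"LDAP://$ouDN"
foreach ($attr in $denyAttrs) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self, $writeProp, $deny, (Get-SchemaIdGuid $attr), $toDescendents, $userClass)
    $ou.psbase.ObjectSecurity.AddAccessRule($rule)
}
$ou.psbase.CommitChanges()

# --- Part 2: Joe's point. SELF's ACEs on one user, explicit first (evaluation order);
#     the inherited Deny from Part 1 sits behind the explicit property-set Allow. ---
$sets = @{ 'Personal Information' = Get-PropertySetGuid 'Personal Information'
           'Web Information'      = Get-PropertySetGuid 'Web Information' }
$user = [ADSI]"LDAP://$userDN"
$selfRules = $user.psbase.ObjectSecurity.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.IdentityReference.Value -eq $self.Value }
$selfRules | Sort-Object IsInherited |
    Format-Table IsInherited, AccessControlType, ActiveDirectoryRights, ObjectType -AutoSize
# Where the explicit ACEs came from (SDDL, 'PS' is SELF). New users keep getting it until the
# schema's defaultSecurityDescriptor is changed, which is the follow-up Joe recommends.
([ADSI]"LDAP://CN=User,$schemaNC").defaultSecurityDescriptor

# --- Part 3: Joe's option (b) on this object: drop SELF's explicit property-set Allows,
#     keep Read on those sets, and allow Write on telephoneNumber only. ---
$explicitSetAllows = $selfRules | Where-Object {
    -not $_.IsInherited -and $_.AccessControlType -eq $allow -and
    $sets.Values -contains $_.ObjectType }
foreach ($old in $explicitSetAllows) {
    $user.psbase.ObjectSecurity.RemoveAccessRuleSpecific($old)
    $keepRead = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $self, $readProp, $allow, $old.ObjectType, $thisObject)
    $user.psbase.ObjectSecurity.AddAccessRule($keepRead)
}
$phoneOnly = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $self, $writeProp, $allow, (Get-SchemaIdGuid 'telephoneNumber'), $thisObject)
$user.psbase.ObjectSecurity.AddAccessRule($phoneOnly)
$user.psbase.CommitChanges()
```

Run it as an account that can modify the OU's and the user's security descriptors. Once Part 3 has removed the explicit property-set Allow from the object, the inherited Deny from Part 1 is no longer shadowed and does take effect for the attributes it names; Part 3 alone would also have been enough for those, since with no explicit Write grant left the user simply has no right to them. Re-run the Part 2 listing afterwards to confirm that SELF's only explicit Write is on telephoneNumber. Other attributes SELF can write through property sets not handled here, such as "Phone and Mail Options", are left exactly as Joe warns: know what is in a set before you remove it.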
  


RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-16 Thread Rick Kingslan



Maybe someone can indicate how to restrict the field to 
numeric only (it's not already??? Huh - never tried, I guess.), I 
suspect it's a schema mod - but I thought that I answered the rest of the 
question, did I not?


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Wright, T. MR NSSB
Sent: Wednesday, July 16, 2003 9:27 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Locking Down User Information Fields in AD

Just curious how I would go about stopping a user from being able to update their address, website, etc. under their own account. AD...

Basically I want them only to be able to update their own phone # and nothing else and I would also like to force it to be strictly a numeric only field (which it isn't by default.)

Any ideas??


Thanks,

-Tim



RE: [ActiveDir] Locking Down User Information Fields in AD

2003-07-16 Thread Rick Kingslan
Title: Message



Huh. Tried it before I posted the information. 
Worked here - I best go check the DC. It might have gone up in a mushroom 
cloud as I've violated Microsoft force of will. :-p

Well, then, folks - don't do this. Pester MS to let 
you control your own data. Hopefully in the next 3 - 4 years, we can get 
some traction on that one.. Yeah, right. :-/


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Wednesday, July 16, 2003 11:40 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Locking Down User Information Fields in AD

Sorry Rick this won't really work this easily.

The problem is that MS in their infinite wisdom (sorry this is one of those sore spots with me) made lots of permissions part of the default sd for a given object. With user objects self gets rights on several property sets - Personal Information, Phone and Mail Options, Web Information.

Because these default sd's get applied directly to the object combined with the fact that inherited aces do not overpower explicit aces (unless you have 3 kings and a deuce) you can't trump the explicit grant of access to say address (which is in personal information property set) with an inherited deny.

The only way to correct this is to (and not necessarily in this order)

a. apply a deny ace for every property you want denied on every user object you want it denied on
b. remove the self grant personal information ace and then add a new ace for any attributes in pers-inf you want the user to modify. Note that you really need to understand what is in the property set before you remove it so you know what you are breaking... like user certs for instance...

I don't really recommend A and if you do B you will want to do the corresponding Schema update to modify the default SD for the object so you don't have to keep doing it for all the new users.

<exchange vent>
This is one of the many reasons why Exchange 2K Granular delegation is such a royal pain in the arse. Take a look at the public information property set and what you need to do basic Exchange mailbox support work such as deleting (disconnecting), reconnecting, and moving. If you have a setup where you want E2K admins to not dork with non-exchange attributes you have to add a bazillion aces (*slight* inflation of truth) to the containers where user objects reside. Then in the meanwhile any bright exchange admin realizes they can give themselves more access by simply using an Exchange server to add themselves to an Exchange Server group and bypass your delegation because if you modify the delegation to the "main" Exchange Server/Services groups, you are no longer supported by MS.
</exchange vent>

<dream weaver sequence>
I would love to have seen less default perms given in the default sd's. Also I would like to see a separate workstation and server computer object so you can have different default sd's and inherited perms for them. Heck while I'm at it... I want operatingSystemHotfix to be updated on computer objects automatically (and make it multivalued) or at least someone to publish the format it will be using when it is published so I can write something to do it in the meanwhile... As joe patches for MS03-26.
</dream weaver sequence>


  
  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
  Sent: Wednesday, July 16, 2003 7:58 PM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Locking Down User Information Fields in AD
  Sure. I just posted a message here already about 
  delegating computer object stuff, but the user object stuff is pretty much the 
  same. Let's say you don't want your users to change their phone number, 
  for example. One point on this example - by default, all users have the 
  right (or more appropriately - the permission) to modify their OWN 
  information, so we'll need to take it away.
  
  1. Go to the Domain or OU level of choice, right click / Properties / Security / Advanced UI
  2. If not already there, add the SELF principal. Makes life easier - see caveat [1]
  3. Select the Properties tab, 'Apply onto:' and choose User Object
  4. Check in the DENY column the fields that you do not want the user to be able to Write to - they will still be able to View it.
  5. Apply / OK / OK should get it done.
  
  [1] Caveat - make sure that you plan this carefully. SELF is great for this, unless you REALLY want to assign this explicitly to each and every user. Denys, as always, are very nasty and a misplaced one can be very hard to track down. Apply this on to an OU for your users, leaving the Administrative accounts unscathed.
  
  Rick Kingslan MCSE, MCSA, MCT
  Microsoft MVP - Active Directory
  Associate Expert
  Expert Zone - www.microsoft.com/windowsxp/expertzone