Setting the acl on the mail attribute in active directory

Hi guys,  hope you are all well and can help.

We have a need to limit modification of the e-mail address property  (ldap mail attribute) for all users in active directory.

What we need to do is this:
1) Give a group eg.Email admins, full control of all users' email address.
2) Restrict access to all other people eg.limit them to having read only on this mail attribute.

I have tried dsacls with no luck, and in the delegation control wizard, i cannot find this property.

Any help greatly appreciated.

The OU where all the users is is ad follows:

OU=Users,CN=net,CN=company

Thanks everyone.
LVL 1
Simon336697Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
Will SzymkowskiConnect With a Mentor Senior Solution ArchitectCommented:
Organizational and Recipient Exchange Groups have access to modify these settings by default. Domain Admins by default will have access to this attribute by default as well viewing it/changing it via Active Directory Users and Computer Properties of a specific account. As long as they are not part of either of these groups they should not be able to modify this setting unless you have made custom security groups and delegated control.

Will.
0
All Courses

From novice to tech pro — start learning today.