I have a custom attribute created in the "person" class in my Active Directory schema (2008 functional level) for Users.
It's a custom attribute intended to store a keycode that we consider confidential, and as such, I've flagged it with the confidentiality bit.
We have a group of users responsible for viewing and setting values to this attribute. I don't want them to be Domain Admins in order to view this confidential attribute, so I granted them the "CONTROL_ACCESS" permission on all Users in AD to see this Attribute by running the dsacls command (but against all Users of course):
dsacls "CN=User1,OU=Users,DC=cafenet,DC=com" /G DOMAIN\AD_Conf_Group:CA;secretAttribute
That works fine. However, what I'm looking to get help on is granting this AD group ("AD_Conf_Group") permission by default on any new User objects created.
I've read you need to set permissions on the defaultSecurityDescriptor, but I can't find whether that is for the attribute itself, or only for the entire Class the attribute is part of ("person"), and how to actually make it work.
Is it done via dsacls, or in the GUI Active Directory Schema?
I just want to make sure the AD_Conf_Group has default permissions of CONTROL_ACCESS to the secret attribute going forward for any new user objects created...
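The following is an added audit script, not part of the original post: it walks the user objects and reports which ones carry the CONTROL_ACCESS ACE that the dsacls command above writes (an object-specific ExtendedRight whose ObjectType is the attribute's schemaIDGUID), so newly created users that lack it stand out. It assumes the RSAT ActiveDirectory module, a caller who can read the security descriptors, and the attribute, group and OU names taken from the question.

```powershell
# Added example (not from the original post). Assumptions: ActiveDirectory module present,
# attribute 'secretAttribute', group 'DOMAIN\AD_Conf_Group', users under OU=Users,DC=cafenet,DC=com.
Import-Module ActiveDirectory

$AttributeName = 'secretAttribute'        # lDAPDisplayName of the confidential attribute
$GroupName     = 'DOMAIN\AD_Conf_Group'   # NTAccount form, as written in the dsacls command
$SearchBase    = 'OU=Users,DC=cafenet,DC=com'

# dsacls ':CA;attr' produces an ExtendedRight ACE scoped to the attribute's schemaIDGUID,
# so look that GUID up in the schema partition first.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attrObj  = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$AttributeName)" -Properties schemaIDGUID
if (-not $attrObj) { throw "Attribute '$AttributeName' not found in the schema" }
$attrGuid = [System.Guid]::new([byte[]]$attrObj.schemaIDGUID)

function Test-ConfidentialAttributeAce {
    # Returns $true when the object's DACL allows the group CONTROL_ACCESS on the attribute
    # (explicit or inherited); $false otherwise.
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    foreach ($ace in $acl.Access) {
        $hasControlAccess = ($ace.ActiveDirectoryRights -band
            [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -ne 0
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $GroupName -and
            $ace.ObjectType -eq $attrGuid -and
            $hasControlAccess) {
            return $true
        }
    }
    return $false
}

# Report every user under the OU; HasAce = False marks objects the grant never reached,
# which is exactly what a working default security descriptor should prevent going forward.
$report = foreach ($u in Get-ADUser -Filter * -SearchBase $SearchBase) {
    [pscustomobject]@{
        User   = $u.SamAccountName
        HasAce = Test-ConfidentialAttributeAce -DistinguishedName $u.DistinguishedName
    }
}
$report | Sort-Object HasAce, User | Format-Table -AutoSize
```

Run it once after applying dsacls to confirm the baseline, then again after creating a test user to see whether the new object received the ACE by default.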