Confidentiality bit and defaultSecurityDescriptor assistance

I have a custom attribute created in the "person" class in my Active Directory schema (2008 functional level) for Users.
It's a custom attribute intended to store a keycode that we consider confidential, and as such, I've flagged it with the confidentiality bit.

We have a group of users responsible for viewing and setting values to this attribute. I don't want them to be Domain Admins in order to view this confidential attribute, so I granted them the "CONTROL_ACCESS" permission on all Users in AD to see this Attribute by running the dsacls command (but against all Users of course):

dsacls "CN=User1,OU=Users,DC=cafenet,DC=com" /G DOMAIN\AD_Conf_Group:CA;secretAttribute


That works fine. However, what I'm looking to get help on is granting this AD group ("AD_Conf_Group") permission by default on any new User objects created.

I've read you need to set permissions on the defaultSecurityDescriptor, but I can't find whether that is for the attribute itself, or only for the entire Class the attribute is part of ("person"), and how to actually make it work.

Is it done via dsacls, or in the GUI Active Directory Schema?
I just want to make sure the AD_Conf_Group has default permissions of CONTROL_ACCESS to the secret attribute going forward for any new user objects created...
garryshape Asked:

Jeremy Weisinger, Senior Network Consultant / Engineer, Commented:
My guess is that it can be done with ADSIedit connecting to the Schema container.
0
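As an added worked example (not code from the asker or the answerer), here is how the schema change Jeremy points at can be scripted instead of done by hand in ADSIedit: it appends a CONTROL_ACCESS object ACE for the group to the defaultSecurityDescriptor of the user class, the SDDL template that every newly created user object receives. It assumes the attribute's lDAPDisplayName is secretAttribute, the group is AD_Conf_Group, the script runs as a Schema Admin with the ActiveDirectory module loaded, and that users are created as instances of the structural class user (the abstract person class is not the one whose default SD is applied).

```powershell
# Added example, not from the original thread. Assumed names: attribute
# "secretAttribute", group "AD_Conf_Group". Requires Schema Admins membership;
# schema objects can only be written on the schema master FSMO holder.
Import-Module ActiveDirectory

$attrName  = 'secretAttribute'
$groupName = 'AD_Conf_Group'
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$schemaDC  = (Get-ADForest).SchemaMaster

# An attribute-scoped ACE must reference the attribute's schemaIDGUID, not its name
$attr = Get-ADObject -Server $schemaDC -SearchBase $schemaNC -Properties schemaIDGUID,searchFlags `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))"
$attrGuid = New-Object System.Guid (,[byte[]]$attr.schemaIDGUID)
if (-not ($attr.searchFlags -band 0x80)) {   # 0x80 = confidentiality bit
    Write-Warning "$attrName is not flagged confidential; CONTROL_ACCESS would be pointless"
}

$sid = (Get-ADGroup $groupName).SID

# The default SD is stored on the structural class as an SDDL string; parse it properly
$userClass = Get-ADObject -Server $schemaDC -SearchBase $schemaNC -Properties defaultSecurityDescriptor `
                 -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))"
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor ($userClass.defaultSecurityDescriptor)

# Object ACE: mask 0x100 = RIGHT_DS_CONTROL_ACCESS, object type = the attribute's GUID.
# This is the same ACE dsacls writes for ":CA;secretAttribute", i.e. (OA;;CR;<guid>;;<sid>)
$aceArgs = @(
    [System.Security.AccessControl.AceFlags]::None,
    [System.Security.AccessControl.AceQualifier]::AccessAllowed,
    0x100, $sid,
    [System.Security.AccessControl.ObjectAceFlags]::ObjectAceTypePresent,
    $attrGuid, [Guid]::Empty, $false, $null)
$ace = New-Object System.Security.AccessControl.ObjectAce -ArgumentList $aceArgs

# Idempotency check: do not stack duplicate ACEs on repeated runs
$present = $sd.DiscretionaryAcl | Where-Object {
    $_ -is [System.Security.AccessControl.ObjectAce] -and
    $_.SecurityIdentifier -eq $sid -and $_.ObjectAceType -eq $attrGuid -and
    ($_.AccessMask -band 0x100) }
if ($present) { Write-Host 'ACE already present in defaultSecurityDescriptor'; return }

# Appending an explicit allow ACE keeps the DACL in canonical order (denies stay first)
$sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
$newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
Set-ADObject -Server $schemaDC -Identity $userClass -Replace @{ defaultSecurityDescriptor = $newSddl }
Write-Host "Added (OA;;CR;$attrGuid;;$($sid.Value)) to the user class default SD"
```

Only objects created after the change pick up the new template; user objects that already exist keep their current ACL, which is why the dsacls run in the question is still needed for them.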
