Garry Shape
AD Custom Attribute with confidential bit - add security group to read it?
I've used LDP to connect/bind to AD and added a DACL ACE on an OU that says my domain\TestGroup can have read access to an attribute that is flagged as confidential bit.
However, when I go to query that attribute on a user within that OU as a user that's a member of this TestGroup, I'm unable to pull the attribute.
Does the ACE not work if it's a confidential bit flagged custom attribute?
Yes, you will, if you take into account inheritance of the ACE, depending on the pool of accounts that need to access the attributes.
https://support.microsoft.com/en-gb/kb/922836
In a large domain, it is not practical to manually assign control access to a user or to a group for every object that has a confidential attribute. The solution is to use inheritance to set an inheritable access control entry that is higher in the container hierarchy. This access control entry applies to all child objects of that container.
By default, inheritance is enabled for all organizational units (OU) and for all user accounts, except for the built-in administrator account. If you create user accounts that have inheritance disabled or if you create administrative accounts by copying the built-in administrator account, you must enable inheritance for these accounts. Otherwise, the inheritance model does not apply to these accounts.
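As an added example, not from this thread, here is the PowerShell equivalent of the inheritable ACE the answer describes: it grants the group the control access right on the confidential attribute (which is what reading a confidential attribute requires, beyond plain Read Property), scopes the ACE to descendant user objects of the OU, and then checks whether a user under that OU actually inherited it. The OU DN and attribute name are placeholders; the group name is the one from the question.

```powershell
Import-Module ActiveDirectory

$ou        = 'OU=Staff,DC=example,DC=com'   # placeholder OU DN
$groupName = 'TestGroup'                    # group named in the question
$attrName  = 'confidentialCustomAttr'       # placeholder lDAPDisplayName of the attribute

# 1. Look the attribute up in the schema and confirm it really carries the
#    confidential bit (searchFlags 0x80); without it a plain Read Property ACE is enough.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attrName)" -Properties schemaIDGUID, searchFlags
if (-not $attr) { throw "Attribute '$attrName' not found in schema" }
if (-not ($attr.searchFlags -band 0x80)) { Write-Warning "'$attrName' is not flagged confidential" }
$attrGuid = [guid]$attr.schemaIDGUID

# schemaIDGUID of the 'user' class, so the ACE is inherited only by user objects.
$userClassGuid = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# 2. Build the ACE. Reading a confidential attribute needs the control access right
#    (RIGHT_DS_CONTROL_ACCESS = ActiveDirectoryRights.ExtendedRight) on that attribute,
#    not just Read Property, so grant both, inheritable to descendant user objects.
$sid    = (Get-ADGroup $groupName).SID
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

# 3. Apply it to the OU through the AD: PSDrive.
$acl = Get-Acl -Path "AD:\$ou"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# 4. Verify: the ACE must exist on the OU and be inherited by the user object.
#    A user with inheritance disabled (the KB's point) will not receive it, and the
#    attribute read will still come back empty for that user.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.ObjectType -eq $attrGuid -and $_.IdentityReference -like "*\$groupName" } |
    Format-Table IdentityReference, ActiveDirectoryRights, InheritanceType, InheritedObjectType

Get-ADUser -SearchBase $ou -Filter * | ForEach-Object {
    $userAcl = Get-Acl -Path "AD:\$($_.DistinguishedName)"
    [pscustomobject]@{
        User                = $_.SamAccountName
        InheritanceDisabled = $userAcl.AreAccessRulesProtected
        HasInheritedAce     = [bool]($userAcl.Access | Where-Object { $_.IsInherited -and $_.ObjectType -eq $attrGuid })
    }
}
```

Any user listed with InheritanceDisabled = True and HasInheritedAce = False is one of the accounts the KB article says need inheritance re-enabled before the OU-level ACE can take effect.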