David Harbaugh

asked on

How to allow group to access Custom Attribute with confidential bit set

We are attempting to add permission to an Active Directory service account to read a custom attribute in our Active Directory schema that has the confidential bit set. We attempted to use ldp.exe to add read permission for that attribute, but that didn't work. Also attempted to use DSACLS to grant a group access to the attribute, and that also didn't work (from https://www.experts-exchange.com/questions/28987629/AD-Custom-Attribute-with-confidential-bit-add-security-group-to-read-it.html).

Environment is Server 2012 R2 with domain functional level of 2008 R2.
Michael B. Smith

Using dsacls to set control_access to the group should work for all objects that have inheritance enabled.

When you say "it doesn't work", what happens instead?
David Harbaugh

ASKER

Did the following on a Domain controller in an elevated command prompt:

DSACLS "OU=AdminUsers,DC=domain,DC=com" /G domain\AttributeViewers:CA;ConfAttribute

If I log on as a member of AttributeViewers (Global Security Group) and run ADUC, I cannot see the contents of ConfAttribute on a user that I know has info in the attribute.
Michael B. Smith

Does that member have either adminCount = 1 or broken inheritance?
David Harbaugh

ASKER

For the user in question, adminCount is not set and inheritance is not broken (checked by using script at https://gallery.technet.microsoft.com/Get-a-list-of-users-with-c043195f).
Michael B. Smith

Then I'm sorry. Perhaps someone else can contribute. In my lab, this works. And I've had it work with clients in the past.
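As an added check (not part of this thread or of any poster's work), the following PowerShell script verifies, on one user object, the two conditions asked about above (adminCount = 1 and broken inheritance) and whether the CONTROL_ACCESS ACE that the DSACLS command should have produced for the group is actually present on that object. The OU, group and attribute names are taken from the command above; the user name "jdoe" is a placeholder.

```powershell
# Added example: verify why a group cannot read a confidential attribute on a user.
# Assumes the RSAT ActiveDirectory module; "jdoe" is a placeholder user.
Import-Module ActiveDirectory

$attrName  = 'ConfAttribute'
$groupName = 'AttributeViewers'
$user = Get-ADUser -Identity 'jdoe' -Properties adminCount, nTSecurityDescriptor

# 1. Confirm the attribute really carries the confidential bit (searchFlags 0x80)
#    and fetch its schemaIDGUID, which the ACE's ObjectType must match.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attrName)" `
                     -Properties searchFlags, schemaIDGUID
$confidential = (($attr.searchFlags -band 0x80) -ne 0)
$attrGuid     = [guid]$attr.schemaIDGUID

# 2. adminCount = 1: AdminSDHolder periodically rewrites the object's DACL,
#    so an ACE granted at the OU never survives on this object.
$adminCountSet = ($user.adminCount -eq 1)

# 3. Broken inheritance: the object's DACL refuses inherited ACEs from the OU.
$inheritanceBroken = $user.nTSecurityDescriptor.AreAccessRulesProtected

# 4. Look for an Allow CONTROL_ACCESS (ExtendedRight) ACE for the group
#    whose ObjectType is this attribute's schemaIDGUID.
$groupSid = (Get-ADGroup -Identity $groupName).SID
$ace = $user.nTSecurityDescriptor.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) -and
    $_.ObjectType -eq $attrGuid -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $groupSid
}

# Any "True" in the middle two rows, or "False" in the last, explains the symptom.
[pscustomobject]@{
    User                  = $user.SamAccountName
    AttributeConfidential = $confidential
    AdminCountSet         = $adminCountSet
    InheritanceBroken     = $inheritanceBroken
    ControlAccessAceFound = [bool]$ace
}
```

If the ACE is missing on the user object while present on the OU, the grant was not inheritable or inheritance stopped somewhere between the OU and the user, which is the case the reply above singles out.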
ASKER CERTIFIED SOLUTION
David Harbaugh