G
Guest
Is there anyway for me to do this for the computer object?
You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.
You should upgrade or use an alternative browser.
P
Paul Williams [MVP]
You can set the deny permission to stop people from viewing it but you can't
remove it from the GUI unless you can decompile the DLL(s) and modify it.
remove it from the GUI unless you can decompile the DLL(s) and modify it.
G
Guest
Hi Paul,
Where and how can I hide this ?
Where and how can I hide this ?
J
Joe Richards [MVP]
This is extremely difficult to do. The problem is that the default ACL of
computer objects allows Read Property to auth users. The only way to override
that is with confidential attributes (as per K3 SP1) which won't work on
attributes that come with AD (unless you do a little hack I describe in the book
below) or removing the explicit ACE from every computer object granting that
right and regranting everything else you want people to be able to see or by
applying an explicit deny ACE for description on every computer, this last being
difficult because you will probably take away the rights from people you WANT to
be able to see that attribute.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
computer objects allows Read Property to auth users. The only way to override
that is with confidential attributes (as per K3 SP1) which won't work on
attributes that come with AD (unless you do a little hack I describe in the book
below) or removing the explicit ACE from every computer object granting that
right and regranting everything else you want people to be able to see or by
applying an explicit deny ACE for description on every computer, this last being
difficult because you will probably take away the rights from people you WANT to
be able to see that attribute.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
C
Christoffer Andersson [MVP]
You can modify the default display specifers, have a look at the follow
white paper that describes display specifers and how to modify them in order
to create a customized UI.
/Christoffer
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
white paper that describes display specifers and how to modify them in order
to create a customized UI.
/Christoffer
Paul Williams said:You can set the deny permission to stop people from viewing it but you
can't
remove it from the GUI unless you can decompile the DLL(s) and modify it.
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
G
Guest
How do I set the deny permission to stop people from viewing the computer
objects description field?
objects description field?
G
Guest
Where is this whitepaper?
Christoffer Andersson said:You can modify the default display specifers, have a look at the follow
white paper that describes display specifers and how to modify them in order
to create a customized UI.
/Christoffer
--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
No email replies please - reply in the newsgroup
P
Paul Williams [MVP]
Search Microsoft for it - I don't know the exact location. I also didn't
know there was a whitepaper. I've only seen some info. on MSDN. Remember
that in most instances displaySpecifiers don't help. These are for
extending the context menus, etc. Modifying the actual GUI requires you to
modify the DLLs that DSA uses. At present, this is only possible via C/
C++. When the DS tools move over to MMC 3 (Longhorn R2 I think) then we
will be able to extend the GUI using .NET.
know there was a whitepaper. I've only seen some info. on MSDN. Remember
that in most instances displaySpecifiers don't help. These are for
extending the context menus, etc. Modifying the actual GUI requires you to
modify the DLLs that DSA uses. At present, this is only possible via C/
C++. When the DS tools move over to MMC 3 (Longhorn R2 I think) then we
will be able to extend the GUI using .NET.