This is extremely difficult to do. The problem is that the default ACL of
computer objects allows Read Property to auth users. The only way to override
that is with confidential attributes (as per K3 SP1) which won't work on
attributes that come with AD (unless you do a little hack I describe in the book
below) or removing the explicit ACE from every computer object granting that
right and regranting everything else you want people to be able to see or by
applying an explicit deny ACE for description on every computer, this last being
difficult because you will probably take away the rights from people you WANT to
be able to see that attribute.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm