We use this code to query an ADAM instance.
using System.Configuration;
using System.DirectoryServices;

// Bind as the identity of the running process (no explicit credentials) and
// return every user object under the configured search root.
DirectoryEntry adRoot = new DirectoryEntry(ConfigurationManager.AppSettings["LdapConnectionString"]);
DirectorySearcher adSearch = new DirectorySearcher(adRoot);
adSearch.Filter = "(&(objectClass=user)(objectCategory=person))";
SearchResultCollection searchResults = adSearch.FindAll(); // the caller is responsible for disposing this
return searchResults;
This is in an <appSettings> tag in App.config:
<add key="LdapConnectionString" value="LDAP://servername:portnumber/dc=domainname" />
We use this code to print out all the property names that we are retrieving from the ADAM instance:
// Bind to the first result and list the attributes the server returned for it.
DirectoryEntry entry = searchResults[0].GetDirectoryEntry();
foreach (string property in entry.Properties.PropertyNames)
{
    Console.WriteLine(property);
}
PropertiesToLoad is an empty StringCollection and PropertyNamesOnly is false.
We aren't retrieving proxyAddresses, street, zipCode, and many other attributes we need for our program.
I found here that:
If you do not specify a list of attributes, the search returns values for all attributes permitted by the access control set in the directory.
So, my question: where is this access control set, and how would we modify it so we could have access to those attributes?
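Before going after the ACL it is worth pinning down two things the question's search does not: which identity the query binds as, and whether the missing attributes come back when they are requested by name. The LDAP server returns only attributes that have a value on the object, and ADAM silently drops any attribute the bound identity is not permitted to read, so the result alone does not say which of the two happened. The following is an added example, not code from the question, that runs the same System.DirectoryServices search from PowerShell under two identities and compares them; the server, port, base DN, credentials and attribute list are placeholders, and postalCode is assumed to be the attribute meant by "zipCode".

```powershell
# Added example (not from the question): request attributes explicitly and compare what
# two identities get back from the same ADAM search. Server, port, base DN, account
# names and the attribute list are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Get-VisibleAttributes {
    param(
        [Parameter(Mandatory)] [string]   $LdapPath,    # e.g. 'LDAP://servername:portnumber/dc=domainname'
        [Parameter(Mandatory)] [string[]] $Attributes,  # attributes to request by name
        [PSCredential] $Credential,                     # omit to bind as the calling process identity
        [System.DirectoryServices.AuthenticationTypes] $AuthType = 'Secure'  # 'None' (simple bind, over SSL) for ADAM-local users
    )
    $root = if ($Credential) {
        New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList @(
            $LdapPath, $Credential.UserName, $Credential.GetNetworkCredential().Password, $AuthType)
    } else {
        New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList $LdapPath
    }
    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $root
    try {
        $searcher.Filter = '(&(objectClass=user)(objectCategory=person))'
        # Ask for the attributes by name instead of relying on the default (empty) PropertiesToLoad.
        $searcher.PropertiesToLoad.AddRange($Attributes)
        [void]$searcher.PropertiesToLoad.Add('distinguishedName')
        $hit = $searcher.FindOne()
        if (-not $hit) { throw "No user objects visible under $LdapPath for this identity" }
        # An attribute missing from the result was either unset on the object or not readable
        # by the bound identity; the server does not say which.
        $visible = @{}
        foreach ($a in $Attributes) {
            $visible[$a] = $hit.Properties.Contains($a) -and ($hit.Properties[$a].Count -gt 0)
        }
        [pscustomobject]@{ DN = $hit.Properties['distinguishedname'][0]; Visible = $visible }
    } finally {
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage: run the search as the application's identity and as an administrator, then compare.
$path  = 'LDAP://servername:portnumber/dc=domainname'
$attrs = 'proxyAddresses', 'street', 'postalCode'   # postalCode is the LDAP attribute for a zip code
$asApp   = Get-VisibleAttributes -LdapPath $path -Attributes $attrs
$asAdmin = Get-VisibleAttributes -LdapPath $path -Attributes $attrs -Credential (Get-Credential -Message 'ADAM administrator')
if ($asApp.DN -ne $asAdmin.DN) { Write-Warning "Identities saw different first objects: $($asApp.DN) vs $($asAdmin.DN)" }
foreach ($a in $attrs) {
    if ($asAdmin.Visible[$a] -and -not $asApp.Visible[$a]) {
        "$a : returned to the administrator but not to the application identity -> check the ACL"
    } elseif (-not $asAdmin.Visible[$a]) {
        "$a : returned to neither identity -> most likely unset on $($asAdmin.DN)"
    } else {
        "$a : readable by both"
    }
}
```

An attribute the administrator sees and the application identity does not is an access-control problem on the object (or a container it inherits from); one that neither identity sees is simply not populated, and no ACL change will make it appear.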
Use ADSIEdit; you can break stuff, so be careful. (http://technet.microsoft.com/en-us/library/cc773354%28WS.10%29.aspx)
I've never had to go that deep; it's a little buried. You open up ADSIEdit and get to the object you want to have a look at (or a whole container/OU), right-click and go to "Properties."
Click on the Security tab, click the "Advanced" button, then click "Edit" to have a peek at what you can do (don't make any changes yet). You'll see the standard permissions like "Full Control" or "Modify Owner" and, above them, where they apply ("This object only").
There is another tab, "Properties," right where you are, and that is where all the goodies are. "Read business roles," "Read Proxy Addresses" and such are there.
You can add a new group, tick the boxes you like in there, have it apply to the entire container or OU, and you should be good to go.
This is really a function of two things:
The user context in which the query is run.
The ACEs on the object(s) being read.
My question to you is: under what user context is the query running?
Authenticated users should have the ability to read all properties, if I'm not mistaken.
In addition, you should be able to do this via the Delegation of Control wizard as well as via ADSIEdit.
http://support.microsoft.com/kb/281146
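To check the second of those two factors without clicking through ADSIEdit, you can read the object's security descriptor and keep only the ACEs that can affect reading one attribute: those scoped to all attributes, to the attribute's own schemaIDGUID, or to the property set it belongs to. The following is an added example, not code from any of the answers; it uses the same System.DirectoryServices classes from PowerShell, and the server, port, DN and attribute name are placeholders. It must run as an identity allowed to read the object's nTSecurityDescriptor.

```powershell
# Added example (not from any answer): list the ACEs on an ADAM object that govern reading one
# attribute. Server, port, DN and attribute name are placeholders; run it as an identity that
# can read the object's security descriptor.
Add-Type -AssemblyName System.DirectoryServices

function Get-AttributeReadAces {
    param(
        [Parameter(Mandatory)] [string] $Server,     # 'servername:portnumber'
        [Parameter(Mandatory)] [string] $ObjectDN,   # the user object, or a container to see what is inherited
        [Parameter(Mandatory)] [string] $Attribute   # e.g. 'proxyAddresses'
    )
    $rootDse  = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/RootDSE"
    $schemaNC = $rootDse.Properties['schemaNamingContext'].Value

    # Object-specific ACEs name an attribute by its schemaIDGUID (or its property set by
    # attributeSecurityGUID), so resolve both from the schema before reading the ACL.
    $schema = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/$schemaNC"
    $search = New-Object -TypeName System.DirectoryServices.DirectorySearcher -ArgumentList $schema
    $search.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$Attribute))"
    $search.PropertiesToLoad.AddRange(@('schemaIDGUID', 'attributeSecurityGUID'))
    $def = $search.FindOne()
    if (-not $def) { throw "Attribute '$Attribute' is not defined in $schemaNC" }
    $attrGuid = [guid][byte[]]$def.Properties['schemaidguid'][0]
    $setGuid  = if ($def.Properties.Contains('attributesecurityguid')) {
        [guid][byte[]]$def.Properties['attributesecurityguid'][0]
    } else { $null }

    # Any of these rights lets the trustee read the attribute within the ACE's scope.
    $readMask = [int][System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, GenericRead, GenericAll'
    $obj = New-Object -TypeName System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/$ObjectDN"
    # Ask for SIDs, not NTAccount names: principals local to the ADAM instance do not translate to DOMAIN\name.
    $rules = $obj.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($r in $rules) {
        if (([int]$r.ActiveDirectoryRights -band $readMask) -eq 0) { continue }
        if ($r.ObjectType -eq [guid]::Empty)                { $scope = 'all attributes' }
        elseif ($r.ObjectType -eq $attrGuid)                { $scope = "attribute $Attribute" }
        elseif ($setGuid -and ($r.ObjectType -eq $setGuid)) { $scope = "property set containing $Attribute" }
        else { continue }   # an ACE for some other attribute or set; it does not govern $Attribute
        [pscustomobject]@{
            Trustee   = $r.IdentityReference.Value
            Type      = $r.AccessControlType     # a Deny here overrides any Allow for the same trustee
            Rights    = $r.ActiveDirectoryRights
            Scope     = $scope
            Inherited = $r.IsInherited
        }
    }
}

# Usage: see who may (or may not) read proxyAddresses on one user object.
Get-AttributeReadAces -Server 'servername:portnumber' -ObjectDN 'CN=someuser,OU=People,DC=domainname' -Attribute 'proxyAddresses' |
    Format-Table Trustee, Type, Rights, Scope, Inherited -AutoSize
```

Compare the trustees listed against the group memberships of the identity the query runs as: a Deny for any of those groups, or no Allow for any of them, explains the missing attribute, and the Inherited column tells you whether the fix belongs on the object or on a container above it.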
The syntax is fun to learn, but I've been able to successfully deny access in a sandbox environment with ADAM using the ADAM command line prompt with:
/d denies domain\group GR (Generic Read), which includes many properties like proxyAddresses, street, and many others. I'll need to ask them to grant the group root is a member of GR, or make me another user, or something. Either way, we figured it out.
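The command that produced that deny is not preserved on the page; the /D and GR syntax it describes is that of dsacls, which addresses an ADAM instance as \\server:port\DN. The following is an added example, not the answer's own command, showing the deny being undone and the read permission granted, first at attribute level and then as the broader Generic Read, from PowerShell. It is the command-line counterpart of the ADSIEdit steps in the first answer. The server, port, DNs and group name are placeholders.

```powershell
# Added example (not from the answer): manage attribute-read permissions on ADAM with dsacls.
# Server, port, DN and group are placeholders; dsacls addresses an ADAM instance as \\server:port\DN.
$target = '\\servername:portnumber\OU=People,DC=domainname'
$group  = 'DOMAIN\AppReaders'      # written as ${group} below, since "$group:" would parse as a PowerShell drive

# 1. Dump the current ACL; look for the group's entries and for any DENY, which wins over every allow.
dsacls $target

# 2. Undo a test deny (/D) for the group: /R strips every ACE for that trustee on the object,
#    after which step 3 or 4 re-grants only what is actually needed.
dsacls $target /R $group

# 3. Least privilege: allow the group to read just proxyAddresses on user objects below the container
#    (/I:S applies to sub-objects only; the trailing 'user' limits inheritance to user objects).
dsacls $target /I:S /G "${group}:RP;proxyAddresses;user"

# 4. Broader: Generic Read (GR) on user objects, which covers proxyAddresses, street, postalCode and the rest.
dsacls $target /I:S /G "${group}:GR;;user"

# 5. Confirm on one object that the effective entries are what was intended.
dsacls '\\servername:portnumber\CN=someuser,OU=People,DC=domainname'
```

Prefer step 3 over step 4 where the application only needs a known set of attributes: a per-attribute Read Property ACE exposes nothing beyond those attributes, whereas Generic Read also hands the group every other readable attribute on the object.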