SOLVED

Hiding Specific Attributes on all User Objects


I have a requirement: for an account, I have to hide all attributes on the user object excluding a few.

I have created the account to which restricted access is to be given.

I have tried with DENY Everything on the OU under which I have users;

still the user is able to read at least 20-25 or a few more attributes,

which is also clearly shown when effective permissions are checked. But then how does this work?

3 Replies
PS C:\> Add-ADPermission -identity "NT AUTHORITY\Everyone" -user "restrictedAcc" -Deny -AccessRights ReadProperty -Properties division,company,changepassword -DomainController dc01
Solution
This is what I have done: created a new OU directly under the domain
and have set this "descendant user objects" DENY all permissions and DENY all properties;
still company and division are readable by the user for whom these permissions are set.

I figured out the reason why it is working: it is due to similar permissions which are assigned to
“authentication users” and
“Pre-Windows 2000 Compatible Access (DOMAIN\Pre-Windows 2000 Compatible Access)”.
Once I removed these from the user, no attributes are visible.
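
An added example, not part of any post in this thread: a PowerShell audit that lists the read ACEs on one user object for the principals named above and sorts them in the order Windows evaluates them (explicit deny, explicit allow, inherited deny, inherited allow), which shows why a DENY inherited from the OU does not override read access granted directly on the user object. It assumes the ActiveDirectory module (RSAT); the DN is a placeholder, and "Authenticated Users" is assumed to be the group the post calls "authentication users".

```powershell
# Added example: which read ACEs on a user object are explicit, which are inherited?
Import-Module ActiveDirectory

$UserDn     = 'CN=Sample User,OU=Restricted,DC=example,DC=com'   # placeholder DN (assumption)
$Principals = 'Authenticated Users',                  # assumed to be the post's "authentication users"
              'Pre-Windows 2000 Compatible Access',
              'restrictedAcc'                         # account name used in the reply above

# Build a GUID -> name map so ObjectType shows as an attribute or property-set name.
$root    = Get-ADRootDSE
$guidMap = @{}
$guidMap[[guid]::Empty.ToString()] = '(all properties)'
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
             -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.lDAPDisplayName }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
             -LDAPFilter '(rightsGuid=*)' -Properties displayName, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.displayName }

# Read the DACL and keep ACEs that include ReadProperty for the principals of interest.
$readProp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$report = (Get-Acl -Path "AD:\$UserDn").Access |
    Where-Object {
        $id = $_.IdentityReference.Value
        ($_.ActiveDirectoryRights -band $readProp) -and
        ($Principals | Where-Object { $id -eq $_ -or $id -like "*\$_" })
    } |
    Select-Object @{ n = 'Order'       # 0 explicit deny, 1 explicit allow, 2 inherited deny, 3 inherited allow
                     e = { [int]$_.IsInherited * 2 + [int]($_.AccessControlType -eq 'Allow') } },
                  IdentityReference, AccessControlType, IsInherited,
                  @{ n = 'Property'; e = { $guidMap[$_.ObjectType.ToString()] } } |
    Sort-Object Order, IdentityReference

$report | Format-Table -AutoSize

# An explicit allow (1) is evaluated before an inherited deny (2), so the read still succeeds.
$explicitAllow = @($report | Where-Object { $_.Order -eq 1 })
$inheritedDeny = @($report | Where-Object { $_.Order -eq 2 })
if ($explicitAllow.Count -and $inheritedDeny.Count) {
    Write-Warning ("{0} explicit Allow read ACE(s) on the object are evaluated before {1} inherited Deny ACE(s)." -f
                   $explicitAllow.Count, $inheritedDeny.Count)
}
```

Run it against a user in the OU where the DENY was set; rows with Order 1 are the grants that keep attributes readable until they are removed or matched by an explicit deny on the object itself.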