RE: exchange custom attributes

  • From: "Michael B. Smith" <michael@xxxxxxxxxx>
  • To: "[ExchangeList]" <exchangelist@xxxxxxxxxxxxx>
  • Date: Tue, 6 Sep 2005 20:19:36 -0400

Using dsacls. Uh...have you ever used dsacls before? Read this:

Then read it again... :-P

Make sure you do this in a test environment before you do it in

dsacls "DC=domain,DC=com" /I:S /G

And if you are using inetOrgPerson, you'll also want

dsacls "DC=domain,DC=com" /I:S /G

Obviously, you'll need either one or two dsacls statements per attribute.

You might want GA instead of RPWP, although I think RPWP is probably
enough. Making a change at the domain level MAY cause a new ACE to be
added to EVERY OBJECT IN THE DOMAIN. An OU change might be smarter, if
possible. I don't know your design criteria well enough to guess.

There is a much more advanced solution where you would add the
extensionAttributes to the delegated property set. But I'm not smart
enough to tell you how to do that one. You probably would need to get
some 3rd tier PSS guy to tell ya how.


-----Original Message-----
From: Ted [mailto:tdoholis@xxxxxxxxx] 
Sent: Tuesday, September 06, 2005 5:17 PM
To: [ExchangeList]
Subject: [exchangelist] RE: exchange custom attributes

Yes, but how would you assign the write permission to them?

> Seen this?
> -----Original Message-----
> From: Ted [mailto:tdoholis@xxxxxxxxx]
> Sent: Tuesday, September 06, 2005 2:52 PM
> To: [ExchangeList]
> Subject: [exchangelist] exchange custom attributes
> Hi All,
> I am looking everywhere for a permission I must be missing. I need to 
> be able to allow a user to administer user account attributes in AD 
> (which is done through delegation) but I also need that person to be 
> able to modify the Exchange Custom Attributes as well.
> Does anyone know how to assign this permission? The user can see 
> the values and has the tools installed, can open the attribute and 
> only when he tries to save the changed value does he get 'access 
> denied'....
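
The per-attribute delegation discussed in this thread, as an added example that is not part of any poster's message: it builds one `dsacls` grant per extensionAttribute (two when inetOrgPerson is included), scoped to an OU rather than the domain root, and only prints the commands unless `$apply` is set. The OU `OU=Staff`, the group `DOMAIN\AttrAdmins` and the function name are placeholders assumed for illustration.

```powershell
# Added example, not from the original thread. Scope DN and trustee are placeholders.
function Get-ExtAttrDsaclsArgs {
    param(
        [Parameter(Mandatory)] [string] $ScopeDN,   # container that receives the ACEs
        [Parameter(Mandatory)] [string] $Trustee,   # delegate, as DOMAIN\name
        [ValidateRange(1, 15)] [int[]]  $AttributeNumber = 1..15,
        [switch] $IncludeInetOrgPerson
    )
    $classes = @('user')
    if ($IncludeInetOrgPerson) { $classes += 'inetOrgPerson' }

    foreach ($n in $AttributeNumber) {
        foreach ($class in $classes) {
            # /I:S = the ACE applies to sub-objects only, not the container itself
            # RPWP = read property + write property, limited to this one attribute
            # Trailing class name restricts inheritance to objects of that class
            , @($ScopeDN, '/I:S', '/G', "${Trustee}:RPWP;extensionAttribute$n;$class")
        }
    }
}

$scope   = 'OU=Staff,DC=domain,DC=com'   # placeholder: an OU, not the domain root
$trustee = 'DOMAIN\AttrAdmins'           # placeholder: delegate to a group, not a user
$apply   = $false                        # dry run until reviewed in a test environment

# Only the custom attributes actually in use are delegated (here 1 and 2).
$argSets = @(Get-ExtAttrDsaclsArgs -ScopeDN $scope -Trustee $trustee `
                                   -AttributeNumber 1, 2 -IncludeInetOrgPerson)

foreach ($a in $argSets) {
    # Show the exact command line so it can be reviewed and kept as a change record
    Write-Host ('dsacls "{0}" {1} {2} "{3}"' -f $a)
    if ($apply) {
        & dsacls.exe @a
        if ($LASTEXITCODE -ne 0) { throw "dsacls failed for: $($a[3])" }
    }
}

if ($apply) {
    # Print the resulting ACL on the container so the new ACEs can be checked
    & dsacls.exe $scope
}
```

Running `dsacls` against the OU before and after the change, and saving both outputs, gives a record to compare if the grants later need to be removed.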
