How to prevent Win2K users from changing personal detail information using DSACLS

SUMMARY

This article describes how you can prevent a user from changing your personal detail information on Windows 2000.

MORE INFORMATION

By default, you can change certain personal information on your user account, such as, your telephone number and address. Some administrators, however, may want to disable such permissions so that you cannot change your personal information.

If you apply "Deny" to the parent organizational unit for the Write Personal Properties permission, you may not succeed because a user account object has explicit permissions assigned to the object when the object is created. The user account is cloned from the user class that is specified in the schema and the Security permissions assigned to this user class become the default Security permissions of the user account object.

These permissions include the right to change personal details, and therefore, to override the permissions that are set by the parent organizational unit. To prevent your personal information from being changed, you must edit the schema, change the permissions that are set on the user class, and then reset the permissions on the existing user objects.

The following information applies only to new user accounts:

For additional information about how to edit the schema, click the article number below to view the article in the Microsoft Knowledge Base:

Q216060 Registry Modification Required to Allow Write Operations to Schema

You can use the Active Directory schema snap-in to modify the security of the user class to the appropriate level of restriction. More permissions can be set in the advanced security options.

To reset the permissions on the existing accounts in the domain, run the Dsacls support tool after the schema modification has taken place. This tool can modify all of the objects in the target organizational unit or in the domain that is specified in a command. For example, the dsacls dc=domainname,dc=com /s /t command can reset the Security permissions for all objects in the domain to those specified in the schema.

All user accounts, both new and existing, can have the relevant Security permissions configured to disable the modification of personal properties.

For more information on the behavior of explicitly assigned permissions and inherited permissions on an object, refer to the Windows 2000 Resource Kit, Distributed Systems Guide , Chapter 12, "Access Control."