How to grant permission for specific attributes in AD

As an Active Directory admin, you sometimes need to allow or deny permissions on only specific attributes of a user object or container (OU) object, rather than on the whole object. In this post, I describe the steps to assign or remove permissions on individual Active Directory attributes.

Note: To perform this action, you must be a member of the Domain Admins group or the Enterprise Admins group in AD, or you must have been delegated the appropriate authority.

Follow the steps below to set permissions on individual AD attributes:

  • Open the Active Directory Users and Computers console (Start -> Control Panel -> Administrative Tools -> Active Directory Users and Computers).
  • Click the View menu and select Advanced Features (the Security tab of AD objects is hidden until this is enabled).
  • Right-click the object (user or OU) for which you want to assign or remove permissions, and then click Properties.
  • On the Security tab, click Advanced to view all the available permissions.
  • Click Add, find the user or group account to which you want to grant access, and click OK.
  • In the “Permission Entry for object name” dialog, go to the “Properties” tab, select the required attributes and the desired permissions from the list, and save the changes.
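The same attribute-level delegation done from PowerShell, as an added example that is not part of the original post. It assumes the ActiveDirectory (RSAT) module is installed and that the caller may modify the OU's ACL; the OU, group and attribute names are placeholders:

```powershell
# Added example (not from the original post). Grants one group WriteProperty on
# a single attribute of user objects under an OU, then verifies the resulting ACE.
Import-Module ActiveDirectory

$ouDN      = 'OU=TechUsers,DC=example,DC=com'   # placeholder OU distinguished name
$trustee   = 'EXAMPLE\HelpDesk'                 # placeholder group to delegate to
$attribute = 'telephoneNumber'                  # the one attribute being delegated

# Resolve schemaIDGUIDs: one for the attribute (ObjectType of the ACE) and one
# for the "user" class (InheritedObjectType), so the ACE applies to that
# attribute only, and only on user objects beneath the OU.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
function Get-SchemaGuid([string]$ldapDisplayName) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
    return [guid]$obj.schemaIDGUID
}
$attrGuid = Get-SchemaGuid $attribute
$userGuid = Get-SchemaGuid 'user'

$sid = [System.Security.Principal.NTAccount]::new($trustee).Translate([System.Security.Principal.SecurityIdentifier])

# Property-specific ACE: WriteProperty on $attrGuid, inherited to descendant user objects.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDN"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDN" -AclObject $acl

# Verify: the ACE for this trustee should carry the attribute GUID in ObjectType.
# An all-zero ObjectType would mean "all properties", i.e. far broader than intended.
Get-Acl -Path "AD:\$ouDN" | Select-Object -ExpandProperty Access |
    Where-Object { $_.IdentityReference.Value -eq $trustee } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritedObjectType

# To remove the delegation later, rebuild the same rule and remove it exactly:
# $acl.RemoveAccessRuleSpecific($rule); Set-Acl -Path "AD:\$ouDN" -AclObject $acl
```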

3 thoughts on “How to grant permission for specific attributes in AD”

    • Yes, you can use the Dsacls command-line tool.

      Learn more about Dsacls

      The following command grants Generic Read (GR) and Generic Execute (GE) permissions on user objects in the TechUsers OU to the user Morgan:

      C:\> dsacls "OU=TechUsers,OU=TestOU,DC=MTS,DC=Com" /G Domain\Morgan:GRGE;user

