Dear all,
I am looking into restricting a user to write only one attribute, which is msExchExtensionAttribute19.
For this I created an access template with the following settings:
Apply Onto: Only the following classes: User
Permissions: Object Property access, ticked Read properties and Write properties
Object properties: The following properties: msExchExtensionAttribute19
This access template has been applied to a directory object using an AD group the user is a member of, and has even been applied to child objects.
However, when I use PowerShell, I get an access denied error.
PS is used the following way:
PS C:\> Connect-QADService -Proxy
ManagedDomains : {<domain_name}
Type : ARS
AdamContainer : CN=AD LDS (ADAM)
Parameters : ActiveRoles.ManagementShell.ConnectionParameters
RootDSE : rootDSE
BindFlags : None
DefaultNamingContext : CN=Active Directory
DefaultNamingContextDN : CN=Active Directory
ConfigurationNamingContext : CN=Configuration
PS C:\>
When trying to set the attribute I get:
PS C:\> Get-QADUser <username> | Set-QADUser -ObjectAttributes @{msExchExtensionAttribute19="foo"}
Set-QADUser : Access is denied.
At line:1 char:22
+ ... er <username> | Set-QADUser -ObjectAttributes @{msExchExtensionAttribute1 ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-QADUser], UnauthorizedAccessException
+ FullyQualifiedErrorId : System.UnauthorizedAccessException,ActiveRoles.ManagementShell.Powershell.Cmdlets.SetUserCmdlet
Get is working fine. Thanks a lot for your ideas and support.