Dear all,

I am trying to limit the access to personal information in our AD (we run Debian bullseye on our DCs with Louis's 4.15 packages, in case that matters).

The first obstacle seems to be that there is an explicit ACL on every user allowing read access to personal information for every authenticated user. My understanding is that this ACL comes from the default ACL on user objects. I have found that default entry in the schema management MMC snap-in but am unable to remove it even as a domain admin. The error message is "Unable to save permission changes on User. The server is unwilling to process the request." Is there some other way I should be doing this?

For existing users, I would have to remove the explicit allow ACL. Is there a good way to do this programmatically, preferably on Linux? I have looked at samba-tool dsacl set, but there is very little documentation out there...

The rest of the question is not strictly Samba-related, but I assume I will have to create a group that contains all users that should not be granted access to personal information (most users for us, in fact) and place a deny ACL on an OU somewhere up in the tree where it can affect all users... It seems somewhat complicated though. I would much rather work with an explicit allow to grant specific users access. My understanding is that this is not possible because the personal information does not have the "confidential" bit set??? And changing that would involve fooling around with the schema again???

The other option, as I understand, would be to introduce custom fields through a schema modification to store the personal information, but that would have the disadvantage that the non-standard fields would not be known to third-party tools.

Thanks for any insights. There is surprisingly little information on this out there...
Best wishes,
Christian

PS: Links I found most useful:
https://www.oreilly.com/library/view/active-directory-cookbook/0596004648/ch14s12.html
https://social.technet.microsoft.com/Forums/en-US/53523e07-d7dd-4a50-8511-7cffe3717470/hide-specific-user-attributes-to-users-?forum=winserverDS