Restrict writing to AD attributes

active-directory

Solution 1:

Permissions are per-attribute, so you can add an inheritable permission at the root of the domain (or OU) that applies to all user objects to deny write to those attributes.

Deny always takes precedence over Allow, so it should work.

Solution 2:

As long as someone has full control of the object (or is a Domain Admin), they are going to ultimately be able to edit these attribute values, as well as do anything else. It seems like there is a process/trust issue here more than a technical issue that you need to solve for.

Related

what does the sentence "I'd hate for anything to come between us" means?
What term means someone with no tact?
Distinguishing lowercase proper nouns in paragraphs
Are "measles, mumps, Diabetes, rabies, rickets, shingles" uncountable nouns or singular nouns?
What is a better word for tradable?
bash loop with the variable name inside file name [duplicate]
Can an infinitive be the object of a preposition?
Exclude some indexes from elasticsearch query
What does it mean to call someone a wipe?
single quotes or not [duplicate]
Etymology of "amoral"
Can I use alma mater before graduating?