By default, all Windows 2000 users are allowed to modify their personal info (telephone number and such) in Active Directory. You cannot easily deny them this right by using AD Users and Computers, since the permissions to modify these attributes are not inherited -- they are applied directly on each individual object.
Many other AD objects have default ACLs (access control lists) that bypass inheritance. You can modify the default ACL that is applied when a new AD object is created.
NOTE: This procedure involves schema modifications. Please be sure you know what you are doing before attempting to modify the schema.
You are now looking at the default ACL. If you modify it, wait around 15 minutes; any object of that class created after that will have your new default ACL.
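An audit check for the default ACL discussed above, as an added example that is not part of the original tip: the schema class object's `defaultSecurityDescriptor` attribute stores this ACL as an SDDL string, and the script lists the allow ACEs that let the object itself (Principal Self, `PS`) write attributes. The sample SDDL is constructed for illustration and the function names are hypothetical.

```python
import re

SELF = {"PS", "S-1-5-10"}                      # Principal Self, as SDDL alias or SID
WRITE_CODES = {"WP", "GW", "GA"}               # write property, generic write, generic all
WRITE_BITS = 0x20 | 0x40000000 | 0x10000000    # the same rights given as a hex mask
# Personal-Information property set (covers attributes such as the telephone number)
PERSONAL_INFORMATION = "77b5b886-944a-11d1-aebd-0000f80367c1"

# Constructed sample, not a dump of any real schema.
SAMPLE_SDDL = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPLCLORC;;;PS)"
    "(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)"
    "S:(AU;SA;WP;;;WD)"
)


def dacl_aces(sddl):
    """Return the DACL's ACEs as dicts; the SACL (S:) section is ignored."""
    match = re.search(r"D:[A-Z]*((?:\([^()]*\))*)", sddl)
    if not match:
        return []
    fields = ("type", "flags", "rights", "object", "inherit_object", "trustee")
    aces = []
    for body in re.findall(r"\(([^()]*)\)", match.group(1)):
        parts = body.split(";")
        if len(parts) >= 6:                    # skip malformed ACE strings
            aces.append(dict(zip(fields, parts[:6])))
    return aces


def grants_write(rights):
    """True if the rights field (two-letter codes or a hex mask) includes write."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & WRITE_BITS)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_CODES)


def self_write_aces(sddl):
    """Allow ACEs that let an object modify its own attributes."""
    return [(ace["rights"], ace["object"].lower() or "<all properties>")
            for ace in dacl_aces(sddl)
            if ace["type"] in ("A", "OA") and ace["trustee"] in SELF
            and grants_write(ace["rights"])]


if __name__ == "__main__":
    for rights, obj in self_write_aces(SAMPLE_SDDL):
        label = "Personal-Information" if obj == PERSONAL_INFORMATION else obj
        print(f"self-write ACE: rights={rights} applies to {label}")
```

Objects that already exist keep the ACL they were created with, so a clean result here only describes objects created after the change.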