To restrict a certain group of users from accessing the comment attribute of user objects, we can set explicit permissions on the required user objects using the Dsacls command-line tool.
1. Create a list of the distinguished names of the target user objects and save it to a file.
Syntax: dsquery user <StartNode> > queryresult.txt
Example: dsquery user "OU=SampleOU1,DC=PMTest,DC=lab,DC=local" > c:\queryresult.txt
2. Check queryresult.txt to make sure the results match what we expect.
3. Execute the Dsacls command against all objects in queryresult.txt in a loop:
Example: for /f "delims=" %I in (C:\queryresult.txt) do DSACLS "%~I" /D "CN=SampleGroup2,OU=SampleOU2,DC=PMTest,DC=lab,DC=local":RP;comment
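In the above command, /D adds a deny entry and RP;comment limits it to the Read Property right on the comment attribute, so the comment attribute of the users found in "SampleOU1" is hidden from the members of the group "SampleGroup2".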
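
A check for the result of step 3, as an added example that is not part of the original page: it reads the same C:\queryresult.txt and reports any user object that lacks an explicit deny Read Property entry on comment for SampleGroup2. It assumes the ActiveDirectory PowerShell module (RSAT) is installed; the variable names are illustrative.

```powershell
# Added example: verify the deny ACE on every DN in the list from step 1.
# Assumes the ActiveDirectory module (RSAT); names below are the page's sample values.
Import-Module ActiveDirectory

$listPath = 'C:\queryresult.txt'
$groupDn  = 'CN=SampleGroup2,OU=SampleOU2,DC=PMTest,DC=lab,DC=local'

# ACEs store SIDs, not names, so resolve the group's SID once.
$groupSid = (Get-ADGroup -Identity $groupDn).SID.Value

# Look up the schemaIDGUID of the comment attribute in the schema
# instead of hard-coding it.
$schemaNc    = (Get-ADRootDSE).schemaNamingContext
$attr        = Get-ADObject -SearchBase $schemaNc `
                   -LDAPFilter '(lDAPDisplayName=comment)' -Properties schemaIDGUID
$commentGuid = [guid]$attr.schemaIDGUID
$readProp    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

$report = foreach ($line in Get-Content -Path $listPath) {
    $dn = $line.Trim().Trim('"')   # dsquery wraps each DN in double quotes
    if (-not $dn) { continue }

    # Explicit (non-inherited) ACEs only, with trustees returned as SIDs.
    $acl   = Get-Acl -Path "AD:\$dn"
    $rules = $acl.GetAccessRules($true, $false,
                 [System.Security.Principal.SecurityIdentifier])

    $hit = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.ObjectType -eq $commentGuid -and
        (($_.ActiveDirectoryRights -band $readProp) -eq $readProp) -and
        $_.IdentityReference.Value -eq $groupSid
    }
    [pscustomobject]@{ DistinguishedName = $dn; DenyAcePresent = [bool]$hit }
}

# Objects listed here were in the file but did not receive the deny ACE.
$report | Where-Object { -not $_.DenyAcePresent } | Format-Table -AutoSize
"Checked $(@($report).Count) objects"
```

The report covers only the objects in the file. dsquery returns at most 100 results unless -limit is given, so compare the checked count with the number of users in the OU.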