Re: How Can Admin Assistants Update Global Access Lists?

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: Jimmy Andersson [MVP] (jimmy_noSpam__at_mvps.org)
Date: 04/13/04 

Date: Tue, 13 Apr 2004 15:01:21 +0200

If you can't see the permission you need (I don't remember if its shown in
the UI by default) you need to edit the dssec.dat file. If the attribute is
=7 it means that it will not be displayed in the UI, you need to change it
to either 0,1 or 2. But this will only take care of the visibility in the
UI, you also need to change the DACL on the attribute.

0=Show Read/Write
1=Display Write
2=Display Read

To change the default schema DACL you can use dsacls, but if you do this,
the change will only be applied to objects that are created after the
change, i.e. objects that already exists will not be changed, you need to
script that or do it manually.
One thing you should be aware of is if you want to restore the Schema
defaults with dsacls later you will overwrite DACLs that applications might
have set, Exchange for instance.
In other words be sure to test this in a lab environment before doing it in
production.

Regards,
/Jimmy 

-- 
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
"Herb Martin" <news@LearnQuick.com> wrote in message
news:evyeTkEIEHA.3820@tk2msftngp13.phx.gbl...
> It is theoretically possible to delegate any property to
> any user or group.
>
> Try the Delegation of Control Wizard (right-click in AD Users/Comp)
> in the advanced section, custom area.
>
> If it's not there then you must use a scripting tool.  Just this
> weekend someone answered that they did this with LDIFDE
> (or some tool, that I don't clearly remember) which
> surprised me a bit but look into that general idea: using
> scripting.
>
> -- 
> Herb Martin
> "Max" <maxview80@hotmail.com> wrote in message
> news:ttednezHcafchefd4p2dnA@comcast.com...
> > What is the best way to allow department secretaries to update phone
> numbers
> > and other location info in Outlook for other employees without giving
them
> > any other rights over the accounts?
> >
> >
>
>

Relevant Pages

  • Scripting tool for Delphi
    ... I'm looking for Delphi scripting tool components. ... This one is a single language FREE Pascal scripting tool for Delphi. ... It could be better if it had Java Script support. ... Supports Pascal/Basic/Java. ...
    (borland.public.delphi.thirdpartytools.general)
  • Re: Delegate Account release
    ... First you need to delegate permissions. ... Delegate read and write of userAccountControl property of User objects to the group you need. ... You can get examples of useraccountcontrol scripting in technet scripting center. ... Windows Server - Active Directory ...
    (microsoft.public.windows.server.security)
  • Re: Create user by script then CACLS home directory
    ... > This is based on the Scriptomatic tools from TechNet and scripts segments from the TechNet scripting centre. ... What determines which DC the ADSI script and the CACLS command looks at? ... Set objAce = CreateObject ... '** Call sub to correctly order the ACEs in the DACL ...
    (microsoft.public.win2000.active_directory)
  • Re: ANN: paxScript, v2.4
    ... I cannot compare paxScript with another scripting engines as I'm paxScript ... paxScript importer allows you to create imp units (it seems the Dream ... > Are there any decent examples that use this scripting tool? ...
    (borland.public.delphi.thirdpartytools.general)
  • Re: ANN: paxScript, v2.4
    ... Exceptionnaly product, support and ... I base this on some tests i run against different scripting ... Are there any decent examples that use this scripting tool? ...
    (borland.public.delphi.thirdpartytools.general)