Re: DSSEC.DAT file

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
Date: Fri, 21 Oct 2005 09:09:18 -0400

Nope.

You would need to build your own little system to proxy the changes. People would for instance auth to a web site which says which bits each individual is able to update and then they can ask the web site to update on their behalf.

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

philKGH wrote:

That is exactly the peoblem I have. I need to delegate some things contaioned within useraccountcontrol but not others. I believe there is a way of tying it down to individual attributes.
"Jorge_de_Almeida_Pinto" wrote:
"" wrote: > I need to delegate some AD permissions for which an entry does > not exist > within the dssec.dat file. For example I want to prevent the > "Smart card is > required for interactive logon" attribute being changed, and I > would like to > hide the sessions tab, among other things. I gather to access > these things we > can manually enter extra lines in dssec.dat. > > Does anyone know where I can find the dssec syntax for all the > available > attrubites? > > Regards, > Phil.
see: http://www.dx21.com/SCRIPTING/ADSI/ADGUI/USER3.ASP
"Smart card is required for interactive logon" is represented by a bit
of the useraccountcontrol attribute. So to delegate what you want you
need to delegate to the useraccountcontrol attribute. The problem with
this is you automatically delegate to the OTHER bits in the
useraccountcontrol attribute like disabling accounts, etc.
-- Posted using the http://www.windowsforumz.com interface, at author's request Articles individually checked for conformance to usenet standards Topic URL: http://www.windowsforumz.com/DSSEC-DAT-file-ftopict434961.html Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1463105

Follow-Ups:
- Re: DSSEC.DAT file
  - From: philKGH

References:
- Re: DSSEC.DAT file
  - From: Jorge_de_Almeida_Pinto

Prev by Date: Re: Delegation Question
Next by Date: Time Zone Settings at Boot Up
Previous by thread: Re: DSSEC.DAT file
Next by thread: Re: DSSEC.DAT file
Index(es):
- Date
- Thread

Relevant Pages

Re: DSSEC.DAT file
... > You would need to build your own little system to proxy the changes. ... > able to update and then they can ask the web site to update on their behalf. ... I need to delegate some things contaioned ... >> within useraccountcontrol but not others. ...
(microsoft.public.win2000.active_directory)
Re: Is it possible???
... on the useraccountcontrol attribute ... So to delegate the change of the option "account is disabled" to a group ... useraccountcontrol attribute (read permission and write permission). ...
(microsoft.public.windows.server.active_directory)
Re: delegation and multiple host name
... services with the alternate hostnames. ... Then you can delegate to them. ... host name in DNS for each web site and I also assign it to each web site ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: Delegate Disable user privilege
... So to delegate the change of the option "password never expires" to a group ... useraccountcontrol attribute (read permission and write permission). ... I created a OU and I want to delegate disable user privilege to a security ...
(microsoft.public.windows.server.active_directory)