Re: DSSEC.DAT file

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

From: "philKGH" <philKGH@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 24 Oct 2005 01:45:01 -0700

OK. Thanks for your help guys.

Regards,
Phil.

"Joe Richards [MVP]" wrote:

> Nope.
>
> You would need to build your own little system to proxy the changes. People
> would for instance auth to a web site which says which bits each individual is
> able to update and then they can ask the web site to update on their behalf.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> philKGH wrote:
> > That is exactly the peoblem I have. I need to delegate some things contaioned
> > within useraccountcontrol but not others. I believe there is a way of tying
> > it down to individual attributes.
> >
> > "Jorge_de_Almeida_Pinto" wrote:
> >
> >
> >>"" wrote:
> >> > I need to delegate some AD permissions for which an entry does
> >> > not exist
> >> > within the dssec.dat file. For example I want to prevent the
> >> > "Smart card is
> >> > required for interactive logon" attribute being changed, and I
> >> > would like to
> >> > hide the sessions tab, among other things. I gather to access
> >> > these things we
> >> > can manually enter extra lines in dssec.dat.
> >> >
> >> > Does anyone know where I can find the dssec syntax for all the
> >> > available
> >> > attrubites?
> >> >
> >> > Regards,
> >> > Phil.
> >>
> >>see: http://www.dx21.com/SCRIPTING/ADSI/ADGUI/USER3.ASP
> >>
> >>"Smart card is required for interactive logon" is represented by a bit
> >>of the useraccountcontrol attribute. So to delegate what you want you
> >>need to delegate to the useraccountcontrol attribute. The problem with
> >>this is you automatically delegate to the OTHER bits in the
> >>useraccountcontrol attribute like disabling accounts, etc.
> >>
> >>--
> >>Posted using the http://www.windowsforumz.com interface, at author's request
> >>Articles individually checked for conformance to usenet standards
> >>Topic URL: http://www.windowsforumz.com/DSSEC-DAT-file-ftopict434961.html
> >>Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1463105
> >>
>
.

References:
- Re: DSSEC.DAT file
  - From: Jorge_de_Almeida_Pinto
- Re: DSSEC.DAT file
  - From: Joe Richards [MVP]

Prev by Date: Can't access shares on one DC?
Next by Date: replmon and Windows 2000
Previous by thread: Re: DSSEC.DAT file
Next by thread: Re: Removing phantom DC with ntdsutil
Index(es):
- Date
- Thread

Relevant Pages

Re: DSSEC.DAT file
... People would for instance auth to a web site which says which bits each individual is able to update and then they can ask the web site to update on their behalf. ... within useraccountcontrol but not others. ... So to delegate what you want you need to delegate to the useraccountcontrol attribute. ... Topic URL: http://www.windowsforumz.com/DSSEC-DAT-file-ftopict434961.html Visit Topic URL to contact author (reg. ...
(microsoft.public.win2000.active_directory)
Re: Is it possible???
... on the useraccountcontrol attribute ... So to delegate the change of the option "account is disabled" to a group ... useraccountcontrol attribute (read permission and write permission). ...
(microsoft.public.windows.server.active_directory)
Re: Delegate Disable user privilege
... So to delegate the change of the option "password never expires" to a group ... useraccountcontrol attribute (read permission and write permission). ... I created a OU and I want to delegate disable user privilege to a security ...
(microsoft.public.windows.server.active_directory)
Re: delegation and multiple host name
... services with the alternate hostnames. ... Then you can delegate to them. ... host name in DNS for each web site and I also assign it to each web site ...
(microsoft.public.dotnet.framework.aspnet.security)