Re: ADACLS inheritance option
- From: "Cary Shultz" <cwshultz@xxxxxxxx>
- Date: Mon, 29 May 2006 20:23:30 -0400
Ulf,
Good point! Many people overlook that.
--
Cary W. Shultz
Roanoke, VA 24012
"Ulf B. Simon-Weidner [MVP]" <nospam2-ulf@xxxxxxxxxxxxxxxxxx> wrote in
message news:OyCO3i2gGHA.3628@xxxxxxxxxxxxxxxxxxxxxxx
-----Original Message-----
From: Khalil N. Z. [mailto:KhalilNZ@xxxxxxxxxxxxxxxxxxxxxxxxx]
Posted At: Monday, May 29, 2006 11:34 PM
Posted To: microsoft.public.windows.server.active_directory
Conversation: ADACLS inheritance option
Subject: ADACLS inheritance option
Hi all,
I´m creating a script using adacls.exe to grant permissions
for a group to move computers and I´m granting permissions on
the root of the AD.
My question is when I use the option /I:T the permission that
will be propagated is all the permissions on the root or only
the new one?
I´m executing a command like this:
dsacls "DC=Domain,DC=Com" /G Domain\Group:CC;computer
Hello Khalil,
If you use /I:T and apply it onto the domainhead (dc=domain,dc=com) the
group will have the right to create computer accounts everywhere in the
domain (each OU, Container and sub-OU).
I'd recommend using the same command, but apply it only to
cn=computers,dc=domain,dc=com and/or any other OU you want them to be able
to create computer accounts.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile & Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
.
- References:
- re: ADACLS inheritance option
- From: Ulf B. Simon-Weidner [MVP]
- re: ADACLS inheritance option
- Prev by Date: Re: New Windows 2003 SP1 R2 Server won't join Windows 2003 SP1 Domain
- Next by Date: Re: export to a AD Distributed group to a text
- Previous by thread: re: ADACLS inheritance option
- Next by thread: re: ADACLS inheritance option
- Index(es):
Relevant Pages
|
