Re: AD Schema extension and ACLing



I see what you are saying with ADSI Edit. I don't use the tool at all
(ldp.exe always for me), so I haven't run into that bit. It would be easy
to add that support to my tool though, so I'll put it on the "someday" list.
Some people like ADSI Edit. :)

The security stuff is hard. The cleanest way to do this is to create a
property set control access right (CAR) for your custom attributes and then
ACL the objects using that CAR. Basically, this type of CAR is a grouping
mechanism that allows you to use a single ACE to control the security on
multiple attributes. AD has a bunch of them built in. They are documented
in the MSDN AD documentation. They are a bit confusing, so I'd suggest
reading through that a few times.

Then, you have to decide how to apply this ACE that uses the CAR. If you
have existing objects in the directory, it won't help to mess with the
default security descriptor. In that case, I'd probably try to apply an
inheritable ACE to the uppermost parent container that contains the target
objects.

If you have a "green field" (no existing objects), then you could change the
default security descriptor to include your CAR ACE. That would result in
all new objects created having this ACE as well. I'm pretty sure you have
to change the structural class' default SD, not the aux class, as I doubt
the directory merges together the default SD for all the classes. However,
I'm not sure. I'll defer to someone with more expertise on this, as I've
never messed with the default SD on a schema object.

You could still apply the inheritable ACE approach in a green field
situation as well. It will work either way.

You can also ACL each attribute instead of using the CAR. The problem with
that is that you end up with lots of ACEs which bloat your security
descriptors. It also isn't as easy to maintain.

I hope that gives you some ideas.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
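The procedure described in the reply above (create a property-set control access right, put the custom attributes in it, then grant through that one CAR with an inheritable ACE on the parent container), written out as an added PowerShell example. This is not code from the thread or from either poster's tools. It assumes the ActiveDirectory module, Schema Admins rights for the schema steps, and made-up names: the attributes contosoSecret1 and contosoSecret2 (already in the schema), the groups Contoso-Attr-Readers and Contoso-Attr-Writers, and the OU=Staff container. An attribute joins a property set through its attributeSecurityGUID, which holds the set's rightsGuid as a 16-byte octet string; that detail is not on the page but is how property sets are defined.

```powershell
# Added example (not from the thread): property set CAR + inheritable ACEs.
# Assumed names: contosoSecret1/contosoSecret2, Contoso-Attr-Readers/-Writers,
# OU=Staff,DC=contoso,DC=com. Run the schema part as a Schema Admin.
Import-Module ActiveDirectory

$rootDse     = Get-ADRootDSE
$schemaNC    = $rootDse.schemaNamingContext
$configNC    = $rootDse.configurationNamingContext
$customAttrs = @('contosoSecret1', 'contosoSecret2')   # assumed custom attributes

# 1. Create the property set in CN=Extended-Rights of the Configuration partition.
#    rightsGuid is what the ACEs will refer to; appliesTo lists the schemaIDGUIDs
#    of the classes the set may be used on; validAccesses 48 (RP 0x10 | WP 0x20)
#    marks it as a property set rather than an extended right.
$userClass     = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID
$setGuid       = [guid]::NewGuid()
New-ADObject -Name 'Contoso-Secret-Attributes' -Type controlAccessRight `
    -Path "CN=Extended-Rights,$configNC" -OtherAttributes @{
        displayName   = 'Contoso Secret Attributes'
        rightsGuid    = $setGuid.Guid
        appliesTo     = $userClassGuid.Guid
        validAccesses = 48
    }

# 2. Put each custom attribute into the set: attributeSecurityGUID on the
#    attributeSchema object holds the set's GUID as a 16-byte octet string.
foreach ($name in $customAttrs) {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)"
    Set-ADObject -Identity $attr -Replace @{ attributeSecurityGUID = $setGuid.ToByteArray() }
}
# Ask the DC to reload its schema cache so the new set is usable right away.
$rootDseAdsi = [ADSI]'LDAP://RootDSE'
$rootDseAdsi.Put('schemaUpdateNow', 1)
$rootDseAdsi.SetInfo()

# 3. One inheritable object-type ACE per group on the uppermost parent container.
#    ObjectType is the property set's GUID; InheritedObjectType limits the ACE to
#    user objects below the OU, so it also covers objects that already exist.
$ouPath = 'AD:\OU=Staff,DC=contoso,DC=com'   # assumed container above the targets
$acl    = Get-Acl -Path $ouPath
$grants = @{
    'Contoso-Attr-Readers' = 'ReadProperty'
    'Contoso-Attr-Writers' = 'ReadProperty, WriteProperty'
}
foreach ($group in $grants.Keys) {
    $sid    = (Get-ADGroup -Identity $group).SID
    $rights = [System.DirectoryServices.ActiveDirectoryRights]($grants[$group])
    $rule   = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
        $sid,
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $setGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClassGuid
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $ouPath -AclObject $acl

# Check: list the ACEs on the OU that refer to the new property set.
(Get-Acl -Path $ouPath).Access | Where-Object { $_.ObjectType -eq $setGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, InheritanceType
```

Two things worth checking afterwards. First, the two ACEs only ever grant: if an existing ACE on the objects (or an inherited one from higher up) already gives Authenticated Users read access to all properties, that access is unchanged by adding these ACEs, so look at the full ACL of a target object with Get-Acl rather than only at the new entries. Second, ACEs that reference the set's GUID are only meaningful once the attributeSecurityGUID values have replicated and the schema cache has been refreshed on the DC you test against.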
--
"Brad Turner [MIIS MVP]" <bradturner32@xxxxxxxxx> wrote in message
news:1158097618.614887.282110@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Thanks, I realized afterwards that your tool's Octet String has the
correct value, but it's the hex form without the space delimiters. Try
pasting that value into the attribute using ADSI Edit and you'll see
what I mean. All you have to do is put the spaces in your tool and it
would work fine without performing the conversion the way I did it.

However, I'm still no further to accomplishing my goal...

I just want to be able to restrict some custom attributes from being
read by Authenticated Users. I need to be able to delegate which
groups get Read access and which groups get Write access to the new
custom attributes. What is the simplest way to go about doing so (this
seems much harder than it should)?

Thanks again for all of your help,

Brad Turner, MIIS MVP

Joe Kaplan wrote:
Something like that should work, although you really did it the hard way.
Something like this should work:

' Renders a GUID as space-delimited, zero-padded decimal bytes (e.g. "186 122 ...").
' Note: Guid.ToByteArray() stores the first three fields little-endian, so the
' byte order differs from the registry-style string form.
Function ConvertGuidToDecimalString(ByVal inputGuid As Guid) As String

    Dim data() As Byte = inputGuid.ToByteArray()
    Dim sb As New System.Text.StringBuilder()

    For Each b As Byte In data
        sb.AppendFormat("{0:D3}", b)   ' three digits per byte, left-padded with zeros
        sb.Append(" ")
    Next

    Return sb.ToString().Trim()        ' drop the trailing space
End Function

If you need to create a new GUID from a string, the constructor on Guid can
parse all the main formats. You can also call Guid.NewGuid to generate a
new random one.

I've never actually run into a tool used by AD that takes octet strings in
space delimited decimal format like that, but it is easy enough to create.
If you thought it was helpful, I could easily add this to my tool as well.
:)

Glad you got it working though.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
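The three textual forms of a GUID that the exchange above goes back and forth over (the registry-style string, the space-delimited hex octet string that ADSI Edit accepts, and the space-delimited decimal form that the VB function produces), as an added PowerShell example that is not from the thread or from Joe's tool. It mirrors the VB function's use of ToByteArray() and adds the reverse conversion, which is the part that usually goes wrong: the first three fields are stored little-endian, so the bytes of the octet string do not read left to right like the string form. The sample value is the schemaIDGUID of the built-in user class.

```powershell
# Added example (not from the thread): GUID <-> octet string conversions.
function ConvertTo-OctetStringHex {
    # Space-delimited hex bytes in ToByteArray() order (the form ADSI Edit takes).
    param([Parameter(Mandatory)][guid]$Guid)
    ($Guid.ToByteArray() | ForEach-Object { $_.ToString('X2') }) -join ' '
}

function ConvertTo-OctetStringDecimal {
    # Same bytes as three-digit decimals, matching the VB function above.
    param([Parameter(Mandatory)][guid]$Guid)
    ($Guid.ToByteArray() | ForEach-Object { $_.ToString('D3') }) -join ' '
}

function ConvertFrom-OctetString {
    # Parse either form back into a [guid]; -Decimal selects the decimal form.
    # The Guid(byte[]) constructor expects the same little-endian layout that
    # ToByteArray() emits, so no reordering is needed here.
    param([Parameter(Mandatory)][string]$Text, [switch]$Decimal)
    $bytes = [byte[]]($Text.Trim() -split '\s+' | ForEach-Object {
        if ($Decimal) { [byte]$_ } else { [Convert]::ToByte($_, 16) }
    })
    if ($bytes.Length -ne 16) { throw "expected 16 bytes, got $($bytes.Length)" }
    [guid]::new($bytes)
}

# Sample value: schemaIDGUID of the 'user' class.
$g = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'
$hex = ConvertTo-OctetStringHex -Guid $g
$dec = ConvertTo-OctetStringDecimal -Guid $g
$hex
$dec
# Round trip both forms and confirm they give the original GUID back.
(ConvertFrom-OctetString -Text $hex) -eq $g
(ConvertFrom-OctetString -Text $dec -Decimal) -eq $g
```

For that sample GUID the hex octet string starts with BA 7A 96 BF, i.e. the first field bf967aba reversed, which is why pasting the string form's hex digits into ADSI Edit in reading order does not produce the right value. When pasting into ADSI Edit, the hex form with spaces is the one to use; the decimal form is only what the VB function happens to emit.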