Re: Granting permissions in ADAM



Hi

To grant read access to users, a good first pass is to add the ADAM Users
role (or a users group that you may have created) to the ADAM Readers role.

To allow the user to update their own information you can grant the NT
AUTHORITY\SELF principal Read Property and Write Property access to either
specific attributes or a property set, e.g. personal information. It's best
to choose a suitable point in the directory tree, say the root of the users
part of the tree, and then grant the Users role (or a group of your own)
List Contents on that container and grant inheritable permissions for the
SELF principal on the child object attributes. It's difficult to give
generic examples, but something like:

dsacls \\localhost:389\ou=users,o=myorg /G "cn=users,cn=roles,o=myorg":LC

for List Contents if your users are below ou=users,o=myorg and then

dsacls \\localhost:389\ou=users,o=myorg /G "NT AUTHORITY\SELF:RPWP;;" /I:T

or for say just the properties in the personal information property set

dsacls \\localhost:389\ou=users,o=myorg /G "NT AUTHORITY\SELF:RPWP;personal information;" /I:T


As always, try these things in a test environment first.

Hope that helps
Lee Flight

"abhi_chow" <abhi_chow@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:25E3C70B-FA1E-4996-AD2E-4AC33CC8E8E6@xxxxxxxxxxxxxxxx
Hi,
To Grant/Deny permissions in ADAM, we need to use the dsacls.exe command in
the ADAM command prompt.
I need to provide permissions such that, barring Administrators, all other
users should have write permissions on only one's own attributes and only
READ permissions on the attributes of other users.
Can you please help me in regard to what command should be used in this
case?
Any help will be highly appreciated.

Thanks in advance!
Abhishek.
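
An added example, not part of the original posts: after running the dsacls grants above, this PowerShell check lists the Allow ACEs for NT AUTHORITY\SELF on the container and flags any that give Write Property on all attributes (the blank-scope "RPWP;;" form) rather than on the personal information property set. Assumptions: the instance and container names from the post, an account that can read the container's security descriptor, and that the property set uses the well-known Personal-Information rightsGuid (confirm it in your instance's Extended-Rights container).

```powershell
# Added example: audit SELF write ACEs on the container used in the post.
# Assumed path (taken from the post's sample commands).
$path = 'LDAP://localhost:389/ou=users,o=myorg'

# Well-known SID of NT AUTHORITY\SELF.
$selfSid = 'S-1-5-10'
# Assumed rightsGuid of the Personal-Information property set.
$personalInfo = [Guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
$writeProp = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$entry = New-Object System.DirectoryServices.DirectoryEntry($path)
# Explicit and inherited ACEs, with trustees returned as SIDs.
$rules = $entry.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.SecurityIdentifier])

$report = foreach ($ace in $rules) {
    if ($ace.IdentityReference.Value -ne $selfSid) { continue }
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if (([int]$ace.ActiveDirectoryRights -band $writeProp) -eq 0) { continue }

    # An empty ObjectType GUID means the right applies to every property.
    $scope = if ($ace.ObjectType -eq [Guid]::Empty) {
        'ALL properties'
    } elseif ($ace.ObjectType -eq $personalInfo) {
        'personal information property set'
    } else {
        "attribute or property set $($ace.ObjectType)"
    }

    [PSCustomObject]@{
        Scope       = $scope
        Rights      = $ace.ActiveDirectoryRights
        Inheritance = $ace.InheritanceType
        Inherited   = $ace.IsInherited
    }
}

$report | Format-Table -AutoSize

$broad = @($report | Where-Object { $_.Scope -eq 'ALL properties' })
if ($broad.Count -gt 0) {
    Write-Warning "SELF can write every attribute on objects under $path; scope the grant to a property set or to specific attributes if that is not intended."
} elseif (-not $report) {
    Write-Warning "No Allow ACE with Write Property for SELF was found on $path."
}
```

Running dsacls \\localhost:389\ou=users,o=myorg with no further options prints the same ACL in text form for a manual cross-check.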