Re: Granting permissions in ADAM



Thanks Lee. That helped.
Is there a way we can grant or deny permissions to an IP address instead of
user / group DN or SID?

When I try giving the IP-Address then it throws an error, "No Sid found for
<IP-Address>".

Thanks,
Abhi


"Lee Flight" wrote:

Hi

to grant read access to users a good first pass is to add the ADAM Users
role (or users group that you may have created) to the ADAM Readers role.

To allow the user to update their own information you can grant the
NT AUTHORITY\SELF principal Read Property and Write Property access to either
specific attributes or a property set e.g. personal information. It's best to
choose a suitable point in the directory tree, say the root of the users part
of the tree, and then grant the Users role (or group of your own) List Contents
on that container and grant inheritable permissions for the SELF principal on
the child object attributes. It's difficult to give generic examples but
something like:

dsacls \\localhost:389\ou=users,o=myorg /G "cn=users,cn=roles,o=myorg":LC

for List Contents if your users are below ou=users,o=myorg and then

dsacls \\localhost:389\ou=users,o=myorg /G "NT AUTHORITY\SELF:RPWP;;" /I:T

or for say just the properties in the personal information property set

dsacls \\localhost:389\ou=users,o=myorg /G "NT AUTHORITY\SELF:RPWP;personal information;" /I:T


as always try these things in a test environment first.

Hope that helps
Lee Flight

"abhi_chow" <abhi_chow@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:25E3C70B-FA1E-4996-AD2E-4AC33CC8E8E6@xxxxxxxxxxxxxxxx
Hi,
To Grant/Deny permissions in ADAM, we need to use dsacls.exe command in the
ADAM command prompt.
I need to provide permissions such that barring Administrators, all other
users should have write permissions on only one's own attributes and only
READ permissions on the attributes of other users.
Can you please help me in regard to what command should be used in this case?
Any help will be highly appreciated.

Thanks in advance!
Abhishek.
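
The grant arguments in this thread have the form trustee:perms;property;inherited type. As an added example (not code from either poster), this Python pre-flight check parses such arguments and flags the two cases raised here: a trustee that is an IP address rather than a security principal, and Write Property granted without naming an attribute or property set. The function names, the findings wording and the sample IP address are assumptions of this example.

```python
import ipaddress

# Two-letter permission codes from the dsacls help text.
PERMS = {"GR", "GE", "GW", "GA", "SD", "DT", "RC", "WD", "WO",
         "LC", "CC", "DC", "WS", "WP", "RP", "CA", "LO"}

def parse_grant(spec):
    """Split 'trustee:perms;property;inherited type' into a dict."""
    trustee, sep, rest = spec.rpartition(":")
    if not sep or not trustee.strip():
        raise ValueError("expected trustee:perms[;property[;inherited type]]")
    fields = [f.strip() for f in rest.split(";")] + ["", ""]
    codes = fields[0].upper()
    perms = [codes[i:i + 2] for i in range(0, len(codes), 2)]
    if not perms or any(p not in PERMS for p in perms):
        raise ValueError(f"bad permission codes: {fields[0]!r}")
    return {"trustee": trustee.strip(), "perms": perms,
            "property": fields[1], "inherited_type": fields[2]}

def is_ip(text):
    """True if the trustee field is an IPv4 or IPv6 literal."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def review(spec):
    """Return a list of findings for one /G or /D argument."""
    grant = parse_grant(spec)
    findings = []
    # ACEs name a SID, so an address can never be resolved as a trustee.
    if is_ip(grant["trustee"]):
        findings.append("trustee is an IP address, not a security principal")
    # An empty property field means the right covers every attribute.
    if "WP" in grant["perms"] and not grant["property"]:
        findings.append("WP is not limited to an attribute or property set")
    return findings

# Constructed inputs: the three grants from the thread plus an IP trustee.
SAMPLES = [
    r"cn=users,cn=roles,o=myorg:LC",
    r"NT AUTHORITY\SELF:RPWP;;",
    r"NT AUTHORITY\SELF:RPWP;personal information;",
    r"192.0.2.10:RP",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", review(sample) or "ok")
```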


