Re: Granting permissions in ADAM



Hi

The commands posted are examples of how you might restrict access so that
only an ADAM user could update their own object.

For an address book the standard permissions on the ADAM Readers role for
the application partition are probably all you need.

So if you are binding to the address book with ADAM users then add the
cn=users,cn=roles,<application partition name here>
role to the
cn=Readers,cn=Roles,<application partition name here>
role.

If you also need to allow Windows/domain users to query the address book, add
the (NTAUTHORITY) Windows Authenticated Users group to the Readers role. See
"Add or remove members to or from an ADAM group" in the ADAM Help.


Lee Flight

"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D2BFA21-2F21-4867-8411-437A88DC65D7@xxxxxxxxxxxxxxxx
Hi,
My name is Javier and I am new to this ADAM stuff. I was able to sync my AD
to ADAM and do queries with the admin account. However, when I try to query
the ADAM instance I get access denied using the wab.exe program in Windows.
I saw your posting and read the answer from Lee and executed his commands, but
they are not working.
I need to add the Users directory to the Readers role so my users can query
the ADAM instance.
Can you help with the proper command to give the users the proper
permissions?
Any help is highly appreciated.
Javier

"abhi_chow" wrote:

Hi,
To Grant/Deny permissions in ADAM, we need to use the dsacls.exe command in
the ADAM command prompt.
I need to provide permissions such that, barring Administrators, all other
users should have write permissions on only one's own attributes and only
READ permissions on the attributes of other users.
Can you please help me in regard to what command should be used in this
case?
Any help will be highly appreciated.

Thanks in advance!
Abhishek.
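
One way to script the Readers role change described in the reply at the top of this thread, as an added example that is not code from any poster here. The instance address `localhost:389` and the partition DN `DC=addressbook,DC=example` are assumed placeholders for your own values.

```powershell
# Added example: assumed instance address and partition DN (placeholders, not from the thread).
$server    = 'localhost:389'
$partition = 'DC=addressbook,DC=example'   # stands in for <application partition name here>

# Bind as the current Windows user, who must be an ADAM administrator.
$readers = [ADSI]"LDAP://$server/CN=Readers,CN=Roles,$partition"

$newMembers = @(
    "CN=Users,CN=Roles,$partition",  # the ADAM Users role
    '<SID=S-1-5-11>'                 # Authenticated Users, referenced by well-known SID
)

$ADS_PROPERTY_APPEND = 3   # append values instead of replacing the member list

foreach ($m in $newMembers) {
    try {
        $readers.PutEx($ADS_PROPERTY_APPEND, 'member', @($m))
        $readers.SetInfo()
        Write-Host "added: $m"
    }
    catch {
        # An existing membership is rejected by the server; report and continue.
        Write-Warning "not added: $m ($($_.Exception.Message))"
        $readers.psbase.RefreshCache()   # discard the failed pending change
    }
}

# Read the role back to confirm what now has read access.
$readers.psbase.RefreshCache()
$readers.psbase.Properties['member'] | ForEach-Object { Write-Host "member: $_" }
```

Adding Authenticated Users gives every authenticated Windows principal read access to the partition; leave out the second entry if only ADAM users should be able to query the address book.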

