Re: Granting permissions in ADAM
- From: Javier2893 <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 19 Dec 2006 11:56:01 -0800
Hi Lee,
Was able to execute the command:
this is my output:
C:\WINDOWS\ADAM>dsacls \\localhost:389\cn=users,cn=roles,dc=synctargetdc,dc=com /G "cn=Readers,CN=Roles,dc=synctargetdc,dc=com":LC
Owner: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
Group: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
Access list:
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS
LIST CONTENTS
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>
The command completed successfully
Then I try to add the authenticated user to the readers group and it comes
with the following error:
A directory service error has occurred.
Any help,
Thanks,
Javier
"Lee Flight" wrote:
Hi.
The commands posted are examples of how you might restrict access so that
only an ADAM user could update their own object.
For an address book the standard permissions on the ADAM Readers role for
the application partition are probably all you need.
So if you are binding to the address book with ADAM users then add the
cn=users,cn=roles,<application partition name here>
role to the
cn=Readers,cn=Roles,<application partition name here>
role.
If you also need to allow windows/domain users to query the address book add the
(NTAUTHORITY) windows
Authenticated Users
group to the Readers role. See "Add or remove members to or from an ADAM group"
in the ADAM Help.
Lee Flight
"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D2BFA21-2F21-4867-8411-437A88DC65D7@xxxxxxxxxxxxxxxx
Hi,
My name is Javier and I am new on this ADAM stuff, I was able to sync my AD
to ADAM and do queries with the admin account. However when I try to query
the ADAM instance I get access denied using the wab.exe program in Windows.
Saw your posting and read the answer from Lee and executed his commands but
they are not working.
I need to add the Users directory to the readers role so my users can query
the ADAM instance.
Can you help with the proper command to give the users the proper
permissions?
Any help is highly appreciated.
Javier
"abhi_chow" wrote:
Hi,
To Grant/Deny permissions in ADAM, we need to use dsacls.exe command in the
ADAM command prompt.
I need to provide permissions such that barring Administrators, all other
users should have write permissions on only one's own attributes and only
READ permissions on the attributes of other users.
Can you please help me in regard to what command should be used in this
case?
Any help will be highly appreciated.
Thanks in advance!
Abhishek.
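
Added example (not part of any post in this thread): a small Python parser for the dsacls "Access list:" output quoted at the top, separating the ACE granted directly by /G ...:LC from the ones inherited from the parent. It assumes the one-field-per-line layout as it appears in this archive; the sample text is constructed from that output, and the function names are hypothetical.

```python
import re

# Constructed sample, following the layout of the output quoted in the post.
SAMPLE = """\
Owner: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
Access list:
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS
LIST CONTENTS
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>
Permissions inherited to subobjects are:
"""
INHERITED = "<Inherited from parent>"

def parse_access_list(text):
    """Return the object's ACEs as dicts: type, trustee, inherited, rights."""
    aces, current, in_section = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Access list:":
            in_section = True
        elif line.startswith("Permissions inherited to subobjects"):
            break  # the object's own access list ends here
        elif not in_section or not line:
            continue  # skip Owner/Group header lines and blanks
        elif m := re.match(r"(Allow|Deny)\s+(.+)", line):
            current = {"type": m.group(1), "trustee": m.group(2),
                       "inherited": False, "rights": []}
            aces.append(current)
        elif current is not None:
            if INHERITED in line:
                current["inherited"] = True
                line = line.replace(INHERITED, "").strip()
            if line != "SPECIAL ACCESS":  # heading for the itemised rights below
                current["rights"].append(line)
    return aces

def explicit_rights(aces, trustee):
    """Rights allowed directly on the object (not inherited) for a trustee DN."""
    return sorted({r for a in aces
                   if a["type"] == "Allow" and not a["inherited"]
                   and a["trustee"].lower() == trustee.lower()
                   for r in a["rights"]})
```

Run against the sample, the only non-inherited right for the Readers role is LIST CONTENTS, which is the ACE the /G ...:LC command added; the read rights shown for Readers come from the parent.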