Re: Granting permissions in ADAM



Hi

It's difficult to know what would cause that. Are you able to add any other
groups successfully? Are you using an ADAM administrator account?

Lee Flight

"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:9A9158AA-6CA3-4CCE-B3C5-02C60094DD0C@xxxxxxxxxxxxxxxx
Hi Lee,
Did that; using ADSIEdit brought up my settings:
CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
Right click on the Readers and choose the member option, click on Add Windows Account, type Authenticated Users and choose the computer that has ADAM installed.
It searches and finds the Authenticated Users NTAUTHORITY container with the SID number and all. When I click on OK to apply the changes, it comes up with "A directory service error has occurred."
Any thoughts on that error?
thanks,
Javier

"Lee Flight" wrote:

Hi

The dsacls command is not required here; it was an example for the discussion that started this thread. As before, the standard Readers permissions should be adequate, as the output of dsacls shows below.

To add Authenticated Users to the Readers role you can use ADSIEdit, bring up the properties of
CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com

edit the member attribute, Add Windows Account... type Authenticated and then hit check names - that should give you Authenticated Users, then OK...

Lee Flight

"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:CBD078B1-B390-407B-9AED-3925833FA5A1@xxxxxxxxxxxxxxxx
Hi Lee,
Was able to execute the command:

this is my output:
C:\WINDOWS\ADAM>dsacls \\localhost:389\cn=users,cn=roles,dc=synctargetdc,dc=com /G "cn=Readers,CN=Roles,dc=synctargetdc,dc=com":LC
Owner: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
Group: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com

Access list:
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS
LIST CONTENTS
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>

The command completed successfully
Then I try to add the authenticated user to the readers group and it comes with the following error:
A directory service error has occurred.
Any help,
Thanks,
Javier

"Lee Flight" wrote:

Hi

The commands posted are examples of how you might restrict access so that only an ADAM user could update their own object.

For an address book the standard permissions on the ADAM Readers role for the application partition are probably all you need.

So if you are binding to the address book with ADAM users then add the
cn=users,cn=roles,<application partition name here>
role to the
cn=Readers,cn=Roles,<application partition name here>
role.

If you also need to allow windows/domain users to query the address book, add the (NTAUTHORITY) Windows Authenticated Users group to the Readers role. See "Add or remove members to or from an ADAM group" in the ADAM Help.


Lee Flight

"Javier2893" <Javier2893@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8D2BFA21-2F21-4867-8411-437A88DC65D7@xxxxxxxxxxxxxxxx
Hi,
My name is Javier and I am new on this ADAM stuff. I was able to sync my AD to ADAM and do queries with the admin account. However, when I try to query the ADAM instance I get access denied using the wab.exe program in Windows.
I saw your posting and read the answer from Lee and executed his commands, but they are not working.
I need to add the Users directory to the Readers role so my users can query the ADAM instance.
Can you help with the proper command to give the users the proper permissions?
Any help is highly appreciated.
Javier

"abhi_chow" wrote:

Hi,
To grant/deny permissions in ADAM, we need to use the dsacls.exe command in the ADAM command prompt.
I need to provide permissions such that, barring Administrators, all other users should have write permissions on only one's own attributes and only READ permissions on the attributes of other users.
Can you please help me in regard to what command should be used in this case?

Thanks in advance!
Abhishek.
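
Added example, not part of the original thread or of any poster's message: a small Python parser for the dsacls access list posted above, used to confirm that the Readers role carries only read rights before Authenticated Users is added to it. It assumes the line layout seen in the posted output with wrapped lines rejoined; the function names are hypothetical.

```python
import re
# Excerpt of the dsacls output posted in the thread (wrapped lines rejoined).
SAMPLE = """\
Access list:
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS
LIST CONTENTS
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>
"""

INHERITED = "<Inherited from parent>"
# Read-only rights, spelled exactly as they appear in the posted output.
READ_ONLY = {"READ PERMISSONS", "LIST CONTENTS", "READ PROPERTY", "LIST OBJECT"}

def parse_access_list(text):
    """Return the ACEs of the 'Access list:' section as a list of dicts."""
    aces, in_list = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Access list:":
            in_list = True
        elif line.startswith("Permissions inherited"):
            in_list = False          # inheritance section is not parsed here
        elif not in_list or not line:
            continue
        elif m := re.match(r"(Allow|Deny)\s+(.+)", line):
            aces.append({"type": m[1], "trustee": m[2], "rights": [], "inherited": False})
        elif aces:
            if INHERITED in line:
                aces[-1]["inherited"] = True
                line = line.replace(INHERITED, "").strip()
            if line not in ("", "SPECIAL ACCESS"):  # treated as a heading, not a right
                aces[-1]["rights"].append(line)
    return aces

def non_read_rights(aces, trustee):
    """Allowed rights for trustee outside READ_ONLY (DN compared case-insensitively)."""
    granted = {r for a in aces if a["type"] == "Allow" and a["trustee"].lower() == trustee.lower() for r in a["rights"]}
    return sorted(granted - READ_ONLY)
```

An empty result from `non_read_rights` for the Readers DN means every member of that role, including any Windows group added to it later, gets read access only on this object.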







