Re: Limit user access in SBS2003



Hi,

Thank you for taking the time to respond.

Unfortunately there is no easy way for a user to dump the permissions on a
certain object in AD. As a workaround, we can dump the permissions with the
Dsacls utility.

Dsacls.exe and ADSIEdit are included with the Windows 2000/2003 Support
Tools. To install the Support Tools, run Setup.exe from the Support\Tools
folder on the Windows 2000/2003 Server CD-ROM.

First we need to locate the path of the objects in Active Directory.

Use ADSIEdit to locate the path for the object and Admin account.

1). Start Adsiedit.exe.
2). Connect to a global catalog.
3). Click to expand the Domain Container object.
4). Locate the following path:

DC=domain,DC=com
CN=Users
CN=testaccount

5). In the left pane, right-click "CN=testaccount" and click Properties.
6). On the Attribute tab, copy the value of the DistinguishedName attribute:

CN=testaccount,CN=Users,DC=nosbs,DC=com

At the Windows command line, enter the following command (keep the
quotation marks around the distinguished name):

Dsacls "CN=testaccount,CN=Users,DC=nosbs,DC=com" > c:\UserPermission.txt


281146 How to Use Dsacls.exe in Windows 2000
http://support.microsoft.com/?id=281146


Hope this helps. If you have further concerns, please feel free to let me
know.


Have a nice day!


Best Regards,

Chace Zhang (MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on Exchange technical issues. If you have
issues regarding other Microsoft products, you'd better post in the
corresponding newsgroups so that they can be resolved in an efficient and
timely manner. You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.

=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.




--------------------
| Message-ID: <455BBE95.2060901@xxxxxxxxxxxxxxxxxxxxxxx>
| Date: Thu, 16 Nov 2006 01:27:49 +0000
| From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
| User-Agent: Thunderbird 1.5.0.8 (Windows/20061025)
| MIME-Version: 1.0
| To: chace zhang <v-chacez@xxxxxxxxxxxxx>
| Subject: Re: Limit user access in SBS2003
| References: <4559FC0C.5020204@xxxxxxxxxxxxxxxxxxxxxxx> <wmWGf8HCHHA.3360@xxxxxxxxxxxxxxxxxxxxx>
| In-Reply-To: <wmWGf8HCHHA.3360@xxxxxxxxxxxxxxxxxxxxx>
| Content-Type: text/plain; charset=ISO-8859-1
| Content-Transfer-Encoding: 7bit
| X-Antivirus: avast! (VPS 0649-0, 15/11/2006), Outbound message
| X-Antivirus-Status: Clean
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: 213-162-121-253.adrian080.adsl.metronet.co.uk 213.162.121.253
| Lines: 1
| Path: TK2MSFTNGXA01.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP03.phx.gbl
| Xref: TK2MSFTNGXA01.phx.gbl microsoft.public.windows.server.sbs:313058
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Chace,
|
| Thanks very much for the detailed answer... I have a much better
| understanding now.
|
| Are there tools though that can give an overview report of a users
| assigned rights over a specific OU, or even a whole domain?
|
| Adrian
|
|
| chace zhang wrote:
| > Date: Tue, 14 Nov 2006 17:25:32 +0000
| > From: "Adrian Marsh (NNTP)" <adrian.marsh@xxxxxxxxxxxxxxxxxxxxxxx>
| > Subject: Limit user access in SBS2003
| > Newsgroups: microsoft.public.windows.server.sbs
| >
| > Hi,
| >
| > Using the MMC, I'm trying to give access to User telephone numbers to HR.
| >
| > I've used the MMC Author mode to create a New Taskpad View, and used
| > Delegate control to let my test user account to view the properties of
| > other users. I've done this several times now, so I think my test user
| > rights have gotten mixed.
| >
| > But, an issue has appeared, my "testing user" account is a member of
| > domain users, but can now create/delete users - which I don't want.
| >
| > So I've some questions:
| >
| > 1) How do I see what "privileges/rights" a specific user has?
| > 2) How do I remove the rights I don't want them to have?
| > 3) Can I create the MMC window so that a user can update/access another
| > user's Telephone details, but not change any other User property (eg,
| > email addresses).
| >
| > Thanks,
| >
| > Adrian
| >
| > Hi,
| >
| > Hello Khant,
| >
| > Thanks for posting in this newsgroup!
| >
| > To verify if a role/permission was delegated to a user/group, you may
| > simply check if the user/group has the permissions you delegated on the
| > Security tab of the object. (You should enable View > Advanced Features
| > first.) However, you might notice that members of users/groups do not
| > inherit the delegated permissions from the parent container. This behavior
| > occurs because if you set permissions using the Delegation of Control
| > wizard, these permissions are not applied to members of protected groups.
| > As a workaround, you may remove the users/groups from the protected group.
| > This workaround is recommended by Microsoft.
| >
| > Below is the list of the protected groups in Windows Server 2003:
| >
| > - Administrators
| > - Account Operators
| > - Server Operators
| > - Print Operators
| > - Backup Operators
| > - Domain Admins
| > - Schema Admins
| > - Enterprise Admins
| > - Cert Publishers
| > - Administrator
| > - Krbtgt
| >
| > For details, please refer to the following MS KB article:
| >
| > 817433 Delegated permissions are not available and inheritance is
| > automatically
| > http://support.microsoft.com/?id=817433
| >
| >
| >
| > To delegate the permissions to change a user's title, phone number, fax,
| > etc., you can follow these steps:
| >
| > 1. Create the group or user account that you want to have the ability to
| > change the property fields in Active Directory Users and Computers (for
| > example, Help Desk Admins).
| >
| > 2. Right-click the domain in Active Directory Users and Computers, and
| > then click Delegate Control from the menu that is displayed.
| >
| > 3. The Delegation of Control Wizard should be displayed. On the Welcome
| > dialog box, click Next.
| >
| > 4. On the Users and Groups dialog box, click Add. Select the group in the
| > list that you want to give the ability to change the property fields, and
| > then click OK. On the Users and Groups dialog box, click Next.
| >
| > 5. On the Tasks to Delegate dialog box, click "Create a custom task to
| > delegate", and then click Next.
| >
| > 6. On the "Active Directory Object Type" dialog box, click "Only the
| > following objects in the folder:". In the list, click "User objects" and
| > then click Next.
| >
| > 7. On the Permissions dialog box, click to clear the General check box, and
| > then click to select the Property-specific check box. In the Permissions
| > list, click to select the appropriate check boxes for the property fields
| > you want to delegate and then click Next.
| >
| > 8. On the "Completing the Delegation of Control Wizard" dialog box, click
| > Finish.
| >
| >
| > Below are the permissions for the property fields you listed:
| >
| > Title:
| > ----------
| > Read Title
| > Write Title
| >
| >
| > Phonenumber:
| > ----------
| > Read Telephone Number
| > Write Telephone Number
| > Read Phone Number (Others)
| > Write Phone Number (Others)
| >
| > Fax:
| > ----------
| > Read Fax Number
| > Write Fax Number
| > Read Fax Number (Others)
| > Write Fax Number (Others)
| >
| > More Information:
| > =======
| >
| > 315676 HOW TO: Delegate Administrative Authority in Windows 2000
| > http://support.microsoft.com/?id=315676
| >
| >
| > Hope the information above is useful. Have a nice day.
| >
| > Best Regards,
| >
| > Chace Zhang (MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
|
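Added example, not code from this thread or from Microsoft. It does with the
ActiveDirectory PowerShell module what the two replies above do with dsacls.exe
and the Delegation of Control wizard, and also answers the follow-up question
that went unanswered: one report of every right a user or group holds over an
OU or the whole domain, a function to remove the create/delete-user ACE the test
account picked up, and a function that grants only Read/Write on the telephone
attributes of user objects. It assumes the ActiveDirectory module and its AD:
drive (RSAT on Windows 7 / Server 2008 R2 or later, so a newer machine than the
SBS 2003 box in the thread). 'testaccount' and DC=nosbs,DC=com come from the
thread; the OU name 'OU=Staff,DC=nosbs,DC=com' is assumed.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread or from Microsoft. Assumes the ActiveDirectory
# module and its AD: drive (RSAT / Server 2008 R2 or later) and a caller allowed to
# read, and for the two Set-Acl functions write, the DACLs involved.
Import-Module ActiveDirectory
$root = Get-ADRootDSE

# GUID -> name for attributes, classes, property sets and extended rights (so ACE
# ObjectType fields are readable) and name -> GUID for building ACEs. The wizard's
# "Telephone Number" is telephoneNumber; "Phone Number (Others)" is otherTelephone.
$GuidName = @{}; $NameGuid = @{}
Get-ADObject -SearchBase $root.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
    -Properties lDAPDisplayName, schemaIDGUID | ForEach-Object {
        $g = [guid]$_.schemaIDGUID; $GuidName[$g] = $_.lDAPDisplayName; $NameGuid[$_.lDAPDisplayName] = $g }
Get-ADObject -SearchBase "CN=Extended-Rights,$($root.configurationNamingContext)" `
    -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGUID |
    ForEach-Object { $GuidName[[guid]$_.rightsGUID] = $_.displayName }
$ChildRights = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild'

function Resolve-AceGuid([guid]$g, [string]$IfEmpty) {
    if ($g -eq [guid]::Empty) { $IfEmpty } elseif ($GuidName.ContainsKey($g)) { $GuidName[$g] } else { "$g" }
}
function Get-Principal([string]$SamAccountName) {
    $p = Get-ADObject -LDAPFilter "(sAMAccountName=$SamAccountName)" -Properties objectSid
    if (-not $p) { throw "principal '$SamAccountName' not found" }
    $p
}

function Get-PrincipalAces {
    # Every ACE under $SearchBase naming $Identity, any group it is in (nested, via
    # LDAP_MATCHING_RULE_IN_CHAIN) or a well-known identity every user carries: the
    # per-OU / per-domain overview asked for in the thread, which dsacls on one object cannot give.
    param([Parameter(Mandatory)][string]$Identity,
          [string]$SearchBase = (Get-ADDomain).DistinguishedName, [switch]$ExplicitOnly)
    $p = Get-Principal $Identity
    $sids = @($p.objectSid.Value) + @(
        Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($p.DistinguishedName))" |
            ForEach-Object { $_.SID.Value }) + @('S-1-1-0', 'S-1-5-11')  # Everyone, Authenticated Users
    $includeInherited = [bool](-not $ExplicitOnly)
    Get-ADObject -SearchBase $SearchBase -Filter * | ForEach-Object {
        $dn = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn"
        foreach ($ace in $acl.GetAccessRules($true, $includeInherited, [System.Security.Principal.SecurityIdentifier])) {
            if ($sids -notcontains $ace.IdentityReference.Value) { continue }
            # CreateChild/DeleteChild on a container is what let the test account make and
            # delete users; flag it so it stands out in a long report.
            $flag = ''
            if ($ace.AccessControlType -eq 'Allow' -and (($ace.ActiveDirectoryRights -band $ChildRights) -ne 0)) { $flag = 'CHILD-OBJECTS' }
            [pscustomobject]@{
                Object = $dn; Trustee = $ace.IdentityReference.Value; Type = $ace.AccessControlType
                Rights = $ace.ActiveDirectoryRights
                Property = Resolve-AceGuid $ace.ObjectType '(all)'
                OnClass = Resolve-AceGuid $ace.InheritedObjectType '(any)'
                Inherited = $ace.IsInherited; Flag = $flag
            }
        }
    }
}

function Revoke-ChildObjectRights {
    # Drop the explicit Allow ACEs on $Path that give $Identity CreateChild/DeleteChild.
    # Inherited copies cannot be removed here: run this on the object where
    # Get-PrincipalAces shows the rule with Inherited = False (the domain root, if that
    # is where the wizard was run). Returns the number of ACEs removed.
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$Path)
    $sid = (Get-Principal $Identity).objectSid
    $acl = Get-Acl -Path "AD:\$Path"
    $bad = @($acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid -and $_.AccessControlType -eq 'Allow' -and
                       (($_.ActiveDirectoryRights -band $ChildRights) -ne 0) })
    foreach ($r in $bad) { [void]$acl.RemoveAccessRule($r) }
    if ($bad.Count -gt 0) { Set-Acl -Path "AD:\$Path" -AclObject $acl }
    $bad.Count
}

function Grant-PhoneDelegation {
    # Read/Write on the telephone attributes only, inherited by user objects under $Path
    # and nothing else: what the wizard's "Property-specific" page does. Members of
    # protected groups (Domain Admins, Account Operators, ...) will not pick these up;
    # adminSDHolder keeps overwriting their DACLs (KB 817433, cited in the thread).
    param([Parameter(Mandatory)][string]$Identity, [Parameter(Mandatory)][string]$Path,
          [string[]]$Attributes = @('telephoneNumber', 'otherTelephone'))
    $sid = (Get-Principal $Identity).objectSid
    $acl = Get-Acl -Path "AD:\$Path"
    foreach ($attr in $Attributes) {
        $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
            $sid, [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
            [System.Security.AccessControl.AccessControlType]::Allow, $NameGuid[$attr],
            [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $NameGuid['user'])
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path "AD:\$Path" -AclObject $acl
}

# Usage with the assumed names: report first, fix, then report again.
# Get-PrincipalAces -Identity testaccount | Where-Object Flag | Format-Table -AutoSize
# Revoke-ChildObjectRights -Identity testaccount -Path 'DC=nosbs,DC=com'
# Grant-PhoneDelegation -Identity testaccount -Path 'OU=Staff,DC=nosbs,DC=com'
```

Run Get-PrincipalAces against the domain root first. The wizard writes its ACEs
on whatever container it was started from, so the create/delete-user rule shows
up there once with Inherited = False and on every container below it as an
inherited copy; Revoke-ChildObjectRights only removes explicit rules, so point
it at the object that holds the non-inherited one. Scanning a whole domain reads
every object's DACL, which is slow on a large directory; use -SearchBase to
narrow it, and -ExplicitOnly when you only want to find where rules were set.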
