Add Attributes to your Active Directory Schema and Manage their Permissions Efficiently


Philippe Lacoude

In case anyone is interested, we wrote a short paper on Active
Directory attributes and their security. The paper shows how to create
a new Active Directory attribute, add it to an existing container (user
class), and configure its security using Active Directory control
access rights.

To perform each of the steps, the paper employs four different
techniques: administration via the GUI, administration via the command
line, scripting using the COM ADSI interfaces in VBScript, and
programming using the DirectoryServices library in Visual Basic .NET.

Add Attributes to your Active Directory Schema and Manage their
Permissions Efficiently
Philippe Lacoude & Rajnish Sinha
Washington, D.C.
April 2005 (Version 1.1)
http://www.lacoude.com/docs/public/Attributes.aspx
 

Guest

Hi Philippe,

Thanks for putting up a site, it has good info. However, it does not address
a situation I am facing:

When using ADU&Cs, I would like to see an extended permission/task list in
ACL dialog box for a customized object in the schema. Currently it shows
Read, List, Modify, Delete etc. for most objects. I would like to append the
above permission list with new permissions like: clear log, send alert etc.

So far, I have tried this:
Yes, I tried to add a new control-access-right(CAR) in the schema by doing:
Dn: CN=myperm,CN=Extended-Rights,CN=Configuration,DC=xx,DC=com
changetype: add
cn: myperm
rightsGuid: 36BB01B9-AFC0-4972-94C4-82275B949401
objectClass: controlAccessRight
appliesTo: 5e0ad683-eb2c-4675-9e94-aff90f69af7f
#showInAdvancedViewOnly: TRUE
validAccesses: 256

and gave it the schemaIDGUID of the object I want to apply this CAR
to. Also made a modification in the c:\windows\system32\dssec.dat file. But
with this approach, depending on the value entered in the dssec.dat for the
CAR, it displays either as "read myperm" or "write myperm" (read/write
getting prefixed to my CAR). So, in my case I would be getting "read clear
log file" but I need "clear log file" instead.

Any comments on what's wrong?

Much thanks.
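An added example (Python, not code from either post or from the paper) that parses the controlAccessRight LDIF posted above and classifies the CAR from its validAccesses bits, using the ADS_RIGHTS_ENUM values: a property set (read property 0x10 / write property 0x20) is listed by the ACL editor as "Read <name>" and "Write <name>", while an extended right (control access 0x100) is listed under its name alone. The GUIDs are the ones from the question; the parser and the kind/label names are this example's own.

```python
import uuid

# validAccesses bits a controlAccessRight can carry (ADS_RIGHTS_ENUM values).
ADS_RIGHT_DS_READ_PROP = 0x10        # 16  property set, read half
ADS_RIGHT_DS_WRITE_PROP = 0x20       # 32  property set, write half
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # 256 extended right

# The entry from the question above, reproduced verbatim (comment line included).
CAR_LDIF = """\
Dn: CN=myperm,CN=Extended-Rights,CN=Configuration,DC=xx,DC=com
changetype: add
cn: myperm
rightsGuid: 36BB01B9-AFC0-4972-94C4-82275B949401
objectClass: controlAccessRight
appliesTo: 5e0ad683-eb2c-4675-9e94-aff90f69af7f
#showInAdvancedViewOnly: TRUE
validAccesses: 256
"""

def parse_ldif(text):
    """Parse one LDIF entry into {lowercased attribute: [values]}, skipping '#' comments."""
    entry = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        key, _, value = line.partition(":")
        entry.setdefault(key.strip().lower(), []).append(value.strip())
    return entry

def classify_car(entry):
    """Return (kind, ACL-editor labels, problems) for a controlAccessRight entry."""
    problems = []
    if "controlaccessright" not in [v.lower() for v in entry.get("objectclass", [])]:
        problems.append("objectClass must include controlAccessRight")
    for attr in ("rightsguid", "appliesto"):          # both must be GUIDs
        for value in entry.get(attr) or ["<missing>"]:
            try:
                uuid.UUID(value)
            except ValueError:
                problems.append(f"{attr} is not a GUID: {value}")
    name = (entry.get("displayname") or entry.get("cn") or ["?"])[0]
    bits = int((entry.get("validaccesses") or ["0"])[0])
    if bits & ADS_RIGHT_DS_CONTROL_ACCESS:             # extended right: listed under its own name
        return "extended-right", [name], problems
    if bits & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):  # property set: Read/Write <name>
        labels = [f"{verb} {name}" for verb, bit in
                  (("Read", ADS_RIGHT_DS_READ_PROP), ("Write", ADS_RIGHT_DS_WRITE_PROP)) if bits & bit]
        return "property-set", labels, problems
    return "unknown", [], problems + [f"validAccesses {bits} selects no recognised right type"]
```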
 
