Change Security of AD Objects via Command Line

[Bill]

As a network administrator for a fleet of oil tankers, I don't have
the luxury of accessing AD Objects to perform tasks and I don't have
folks with administrative rights onboard. So, is there a way, via
command line, to modify the security permissions for specific User?
For example I want the user called CAPT to have Read/Write Property,
Read/Write Account Restrictions, and Reset Password on another user
account called CLRK. I know how to do this in AD, but is there a tool
to do this via command line? DSMOD doesn't seem to allow for changes
to the security settings. Any ideas? Thanks, I'm desperate.

 

[Joe Richards [MVP]]

Yes, check out dsacls.

joe

 

[Bill]

Joe,
Thanks. DSACLS is definetly a step in the right direction.
However I'm having a problem understanding the {Object/Property}
field. Here's my goal:

Allow Domain/User Special Access for pwdlastset
Write Property
Read Property

Allow Domain/User Special Access for Account Restrictions
Write Property
Read Property

Allow Domain/User Reset Password

My string so far is:
dsacls CN="userX","CN="Users",DC="domain",DC="net" /G
domain/userY:wprp;

After that, I've tried a couple of combination but can't figure out
the correct Object/Property entries should be. Any Idea?

Thanks
Bill

 

[Joe Richards [MVP]]

You have an issue with your DN of your user.... You don't want all of those
quotes. I would expect your DN is actually

cn=userx,cn=users,dc=domain,dc=net

if you need to quote it because of spaces or special chars it would be

"cn=userx,cn=users,dc=domain,dc=net"


On the grant line you will want

/G domain\usery:WPRP;pwdlastset;user

and

/G "domain\usery:WPRP;Account Restrictions;user"

Note the quotes because of the space. You will also want to make sure you are
using /I:S