Scripting ACE for User Object in Active Directory

TonyEdwards · Jul 22, 2003

I need to give every user in an AD OU rights to modify
only thier Home Folder. I can go through 2500 users and
give them rights to SELF for personal information in
active directory, but what I really need is to be able to
script it. Does anyone know where I can find a
description for the bitmask that controls these
permissions, or some sample scripts that modify the ACE
on the attributes of the AD user object.
Tony

David Hou [MSFT] · Jul 22, 2003

You may use a user-inheritable ACE applied on the OU to give SELF the
permission. You may use Dsacls from the support tool or ADSI if you want to
write your own scripts, below are some links:

Access rights:
http://www.msdn.microsoft.com/libra...access_rights_and_access_masks.asp?frame=true

ADSI security interface (for code samples, click the links inside)
http://www.msdn.microsoft.com/library/en-us/netdir/adsi/security_interfaces.asp?frame=true

David

Oren Nizri · Jul 22, 2003

-----Original Message-----
I need to give every user in an AD OU rights to modify
only thier Home Folder. I can go through 2500 users and
give them rights to SELF for personal information in
active directory, but what I really need is to be able to
script it. Does anyone know where I can find a
description for the bitmask that controls these
permissions, or some sample scripts that modify the ACE
on the attributes of the AD user object.
Tony
.

tony,

You have to choose one of those solutions:
1. add your users to group with the name "
HomeFolder" (create one if you haven't) - delegate
control from AD users and computers to the user's OU for
this task (right click on the OU and choose "delegate
control")
install for the users admin pack for them to change their
home folder.
2. set for the users home folder with vbscript, you
can script which set users properties at my site.

Best Regards

Oren Nizri

for my VBScript site : http://scripts.mutsonline.com

for security site : www.secureIT.co.il

David Hou [MSFT] · Jul 23, 2003

When you set the apply onto in the security tab (advanced) to users, the
"Read/Write Personal Information" will appear.

David

How-To create a referall object in Active Directory	1	Nov 7, 2005
Creating Active Directory Computer Accounts	1	Jan 8, 2005
Unable to delete active directory object (was a user account)	2	May 11, 2004
Add Attributes to your Active Directory Schema and Manage their Permissions Efficiently	2	May 16, 2005
Setting directory permissions	2	Apr 10, 2009
Updating Active Directory attributes account	2	Jul 7, 2005
connecting problem in vb.net with ldap to active directory	4	Sep 26, 2016
Scripting against AD	2	Mar 2, 2004

Scripting ACE for User Object in Active Directory

TonyEdwards

David Hou [MSFT]

Oren Nizri

David Hou [MSFT]

Ask a Question

Similar Threads