Solved

CACL's which do I use for individual field

Posted on 2013-01-03
1
223 Views
Last Modified: 2013-07-01
I am in an AD Windows 2008 R2 environment with a large number of sites. Each site has an administrator who has delegated rights to their individual OU (Each OU had administrative access delegated to a group and the group contains the individual administrators for the site). I am attempting to restrict the access to “email” field on the general tab of user accounts. I need the OU administrator to be able to manage all other field of existing users and to be able to create new users? Can anyone tell me the correct CACLs command to make this change? And if possible how to apply it via script?

Thank you!
0
Comment
Question by:ChicagoMikeW
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 38743523
CACLS , if i get what you meant, does not manage permission on AD objects. it is used to display or modify file or directory access control lists (ACLs). It need to state the filename or directory e.g. cacls filename [/t] [/e] [/c] [/g user|group:perm]
@ http://situsnya.wordpress.com/2008/08/31/caclsexe-display-or-modify-access-control-lists-acls-for-files-and-folders/

I think DSACLS is more appropriate to manage the AD object. It is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object
@ http://technet.microsoft.com/en-us/library/cc771151(v=ws.10).aspx

It should be able to figure out if you read the above link. I am not expert in those :)
Key is identify the there after, put them into batch file for push down would be an means  
=Object of interest
=Permission
=attribute.

E.g. DSACLS "cn=PETER,dc=test,dc=org" /D Everyone:CA;"Change Password"
> Deny "Change Password" permission for "EVERYONE" on "PETER" (object)

E.g. if you want to grant permissions to read property and write property values on a Telephonenumber property, you may use RPWP;telephonenumber;

But I will suggest you check out the selfadsi website as alternative on use of scripting that is equivalent to the GUI approach for AD object setting
@ http://www.selfadsi.org/index.htm

Useful is the overall list of attribute - http://www.selfadsi.org/user-attributes.htm
(list from MSDN - http://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
Esp when it states for different OS and for Win2k8 (email attribute is "mail")
- http://www.selfadsi.org/group-attributes-w2k8.htm
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

617 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question