Solved

CACLs: which do I use for an individual field

Posted on 2013-01-03
1
221 Views
Last Modified: 2013-07-01
I am in an AD Windows 2008 R2 environment with a large number of sites. Each site has an administrator who has delegated rights to their individual OU (each OU has administrative access delegated to a group, and the group contains the individual administrators for the site). I am attempting to restrict access to the “email” field on the General tab of user accounts. I need the OU administrator to be able to manage all other fields of existing users and to be able to create new users. Can anyone tell me the correct CACLs command to make this change? And if possible, how to apply it via script?

Thank you!
Question by:ChicagoMikeW
1 Comment
LVL 63

Accepted Solution

by:
btan earned 500 total points
ID: 38743523
CACLS, if I get what you meant, does not manage permissions on AD objects. It is used to display or modify file or directory access control lists (ACLs). It needs the filename or directory to be stated, e.g. cacls filename [/t] [/e] [/c] [/g user|group:perm]
@ http://situsnya.wordpress.com/2008/08/31/caclsexe-display-or-modify-access-control-lists-acls-for-files-and-folders/

I think DSACLS is more appropriate to manage the AD object. It is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object.
@ http://technet.microsoft.com/en-us/library/cc771151(v=ws.10).aspx

You should be able to figure it out if you read the above link. I am not an expert in those :)
The key is to identify the following, then put them into a batch file to push down:
- Object of interest
- Permission
- Attribute

E.g. DSACLS "cn=PETER,dc=test,dc=org" /D Everyone:CA;"Change Password"
> Deny "Change Password" permission for "EVERYONE" on "PETER" (object)

E.g. if you want to grant permissions to read property and write property values on the telephoneNumber property, you may use RPWP;telephonenumber;

But I would suggest you check out the selfadsi website as an alternative, on the use of scripting that is equivalent to the GUI approach for AD object settings
@ http://www.selfadsi.org/index.htm

Useful is the overall list of attributes - http://www.selfadsi.org/user-attributes.htm
(list from MSDN - http://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
Especially where it states them for different OSes, and for Win2k8 (the email attribute is "mail")
- http://www.selfadsi.org/group-attributes-w2k8.htm
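Putting the answer's pointers together (DSACLS, the "mail" attribute, a script pushed down to each site OU), here is an added PowerShell example that is not from the original answer. The domain name, OU paths and group names are constructed placeholders; dsacls.exe is the built-in tool the answer refers to.

```powershell
# Added example (not from the original answer). The domain "TEST", the OU paths and the
# group names below are placeholders; substitute your own before running.
#
# Goal from the question: the delegated site-admin group keeps its existing rights on
# users in its OU, but is denied writing the "mail" attribute (the "E-mail" field on the
# General tab). A Deny ACE on the one attribute is added; the existing Allow delegation
# on the OU is left untouched, and Deny is evaluated before Allow at the same level.

$Domain = "TEST"   # NetBIOS domain name (placeholder)
$Sites  = @(
    @{ OU = "OU=Chicago,OU=Sites,DC=test,DC=org"; Group = "Chicago-OUAdmins" },
    @{ OU = "OU=Denver,OU=Sites,DC=test,DC=org";  Group = "Denver-OUAdmins"  }
)

foreach ($site in $Sites) {
    $trustee = "$Domain\$($site.Group)"

    # dsacls <OU> /I:S /D "<trustee>:WP;mail;user"
    #   /I:S          ACE applies to sub-objects only, not to the OU object itself
    #   /D            Deny ACE
    #   WP;mail;user  Write Property, on attribute "mail", for inherited objects of class "user"
    Write-Host "Denying write to 'mail' for $trustee under $($site.OU)"
    $result = & dsacls.exe $site.OU /I:S /D "${trustee}:WP;mail;user" 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "dsacls failed on $($site.OU):`n$($result -join "`n")"
        continue
    }

    # Verify: list the OU's ACL and show the ACEs that mention this group.
    # The new entry should read as a Deny with "SPECIAL ACCESS for mail" / WRITE PROPERTY.
    & dsacls.exe $site.OU |
        Select-String -Pattern ([regex]::Escape($site.Group)) -Context 0,3 |
        ForEach-Object { $_.Line; $_.Context.PostContext }
}
```

Run it once from an elevated prompt as an account that can modify the OU's security descriptor, then re-run `dsacls` against one user in the OU to confirm the Deny shows as inherited; if the site group's delegation was granted through a property set rather than individual attributes, check that the group has no other path to write `mail` on those users.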