Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

CACL's which do I use for individual field

Posted on 2013-01-03
1
Medium Priority
?
229 Views
Last Modified: 2013-07-01
I am in an AD Windows 2008 R2 environment with a large number of sites. Each site has an administrator who has delegated rights to their individual OU (Each OU had administrative access delegated to a group and the group contains the individual administrators for the site). I am attempting to restrict the access to “email” field on the general tab of user accounts. I need the OU administrator to be able to manage all other field of existing users and to be able to create new users? Can anyone tell me the correct CACLs command to make this change? And if possible how to apply it via script?

Thank you!
0
Comment
Question by:ChicagoMikeW
1 Comment
 
LVL 65

Accepted Solution

by:
btan earned 2000 total points
ID: 38743523
CACLS , if i get what you meant, does not manage permission on AD objects. it is used to display or modify file or directory access control lists (ACLs). It need to state the filename or directory e.g. cacls filename [/t] [/e] [/c] [/g user|group:perm]
@ http://situsnya.wordpress.com/2008/08/31/caclsexe-display-or-modify-access-control-lists-acls-for-files-and-folders/

I think DSACLS is more appropriate to manage the AD object. It is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object
@ http://technet.microsoft.com/en-us/library/cc771151(v=ws.10).aspx

It should be able to figure out if you read the above link. I am not expert in those :)
Key is identify the there after, put them into batch file for push down would be an means  
=Object of interest
=Permission
=attribute.

E.g. DSACLS "cn=PETER,dc=test,dc=org" /D Everyone:CA;"Change Password"
> Deny "Change Password" permission for "EVERYONE" on "PETER" (object)

E.g. if you want to grant permissions to read property and write property values on a Telephonenumber property, you may use RPWP;telephonenumber;

But I will suggest you check out the selfadsi website as alternative on use of scripting that is equivalent to the GUI approach for AD object setting
@ http://www.selfadsi.org/index.htm

Useful is the overall list of attribute - http://www.selfadsi.org/user-attributes.htm
(list from MSDN - http://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
Esp when it states for different OS and for Win2k8 (email attribute is "mail")
- http://www.selfadsi.org/group-attributes-w2k8.htm
0

Featured Post

Free Tool: ZipGrep

ZipGrep is a utility that can list and search zip (.war, .ear, .jar, etc) archives for text patterns, without the need to extract the archive's contents.

One of a set of tools we're offering as a way to say thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Sometimes it necessary to set special permissions on user objects.  For instance when using a Blackberry server, the SendAs permission needs to be set. I see many admins struggle with the setting that permission only to see it disappear within a few…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question