Solved

CACL's which do I use for individual field

Posted on 2013-01-03
1
217 Views
Last Modified: 2013-07-01
I am in an AD Windows 2008 R2 environment with a large number of sites. Each site has an administrator who has delegated rights to their individual OU (Each OU had administrative access delegated to a group and the group contains the individual administrators for the site). I am attempting to restrict the access to “email” field on the general tab of user accounts. I need the OU administrator to be able to manage all other field of existing users and to be able to create new users? Can anyone tell me the correct CACLs command to make this change? And if possible how to apply it via script?

Thank you!
0
Comment
Question by:ChicagoMikeW
1 Comment
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 38743523
CACLS , if i get what you meant, does not manage permission on AD objects. it is used to display or modify file or directory access control lists (ACLs). It need to state the filename or directory e.g. cacls filename [/t] [/e] [/c] [/g user|group:perm]
@ http://situsnya.wordpress.com/2008/08/31/caclsexe-display-or-modify-access-control-lists-acls-for-files-and-folders/

I think DSACLS is more appropriate to manage the AD object. It is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object
@ http://technet.microsoft.com/en-us/library/cc771151(v=ws.10).aspx

It should be able to figure out if you read the above link. I am not expert in those :)
Key is identify the there after, put them into batch file for push down would be an means  
=Object of interest
=Permission
=attribute.

E.g. DSACLS "cn=PETER,dc=test,dc=org" /D Everyone:CA;"Change Password"
> Deny "Change Password" permission for "EVERYONE" on "PETER" (object)

E.g. if you want to grant permissions to read property and write property values on a Telephonenumber property, you may use RPWP;telephonenumber;

But I will suggest you check out the selfadsi website as alternative on use of scripting that is equivalent to the GUI approach for AD object setting
@ http://www.selfadsi.org/index.htm

Useful is the overall list of attribute - http://www.selfadsi.org/user-attributes.htm
(list from MSDN - http://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
Esp when it states for different OS and for Win2k8 (email attribute is "mail")
- http://www.selfadsi.org/group-attributes-w2k8.htm
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

The recent Microsoft changes on update philosophy for Windows pre-10 and their impact on existing WSUS implementations.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

17 Experts available now in Live!

Get 1:1 Help Now