Solved

CACL's which do I use for individual field

Posted on 2013-01-03
Last Modified: 2013-07-01
I am in an AD Windows 2008 R2 environment with a large number of sites. Each site has an administrator who has delegated rights to their individual OU (each OU had administrative access delegated to a group, and the group contains the individual administrators for the site). I am attempting to restrict access to the “email” field on the General tab of user accounts. I need the OU administrator to be able to manage all other fields of existing users and to be able to create new users. Can anyone tell me the correct CACLs command to make this change? And if possible, how to apply it via script?

Thank you!
Question by:ChicagoMikeW
1 Comment
Accepted Solution by: btan (ID: 38743523)
CACLS, if I get what you meant, does not manage permissions on AD objects. It is used to display or modify file or directory access control lists (ACLs). It needs to state the filename or directory, e.g. cacls filename [/t] [/e] [/c] [/g user|group:perm]
@ http://situsnya.wordpress.com/2008/08/31/caclsexe-display-or-modify-access-control-lists-acls-for-files-and-folders/

I think DSACLS is more appropriate to manage the AD object. It is the command-line equivalent of the Security tab in the properties dialog box for an Active Directory object.
@ http://technet.microsoft.com/en-us/library/cc771151(v=ws.10).aspx

You should be able to figure it out if you read the above link. I am not an expert in those :)
The key is to identify the following, then put them into a batch file for push down, which would be one means:
- Object of interest
- Permission
- Attribute

E.g. DSACLS "cn=PETER,dc=test,dc=org" /D Everyone:CA;"Change Password"
> Deny "Change Password" permission for "EVERYONE" on "PETER" (object)

E.g. if you want to grant permissions to read and write property values on the telephoneNumber property, you may use RPWP;telephonenumber;

But I will suggest you check out the selfadsi website as an alternative, for scripting that is equivalent to the GUI approach for AD object settings
@ http://www.selfadsi.org/index.htm

Useful is the overall list of attributes - http://www.selfadsi.org/user-attributes.htm
(list from MSDN - http://msdn.microsoft.com/en-us/library/ms675090(v=vs.85).aspx)
Especially where it states the differences between OS versions, and for Win2k8 (the email attribute is "mail")
- http://www.selfadsi.org/group-attributes-w2k8.htm
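Putting the answer's pieces together (object = the site OU, permission = WP, attribute = mail) as an added PowerShell example that is not part of btan's answer: it uses DSACLS to add a deny-write ACE for the "mail" attribute on user objects under each site OU, so the delegated group keeps its other rights. The domain DN, OU names and group names are placeholders, not from the question.

```powershell
# Added example (not from the accepted answer): deny each site's delegated admin group
# write access to the "mail" attribute on user objects under its OU, via DSACLS.
# Assumptions (placeholders): domain DN, site OU naming and admin group naming.
$domainDn = "DC=corp,DC=example"                   # assumption: your domain's DN

# assumption: map of site OU DN -> the group that holds the delegated rights
$sites = @{
    "OU=Chicago,OU=Sites,$domainDn" = "CORP\Chicago-OU-Admins"
    "OU=Denver,OU=Sites,$domainDn"  = "CORP\Denver-OU-Admins"
}

foreach ($ou in $sites.Keys) {
    $group = $sites[$ou]
    # /I:S  = ACE applies to sub-objects only (the users), not the OU itself
    # WP    = Write Property; "mail" is the LDAP name of the General-tab E-mail field
    # ;user = limit the ACE to user objects, so OUs/groups/computers are unaffected
    # A deny ACE is evaluated before the allow ACEs the delegation granted, so the
    # group's broader write rights on other attributes are left intact.
    & dsacls $ou /I:S /D "${group}:WP;mail;user"
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsacls failed on $ou (exit $LASTEXITCODE)" }
}

# Verify: dump the ACL of one OU and show only the entries that mention the attribute.
& dsacls "OU=Chicago,OU=Sites,$domainDn" | Select-String -Pattern "mail"
```

Run it once as a user with rights to modify the OU ACLs; re-running is harmless because DSACLS does not duplicate an identical ACE. Users that carry an explicit allow ACE directly on their own object would still bypass an inherited deny, so check for such exceptions in the verification output.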
