I'm seeing a discrepancy between setting ACEs through the GUI (Security tab on an object) and setting them through a script. If I go into the Security Tab on an OU and set a Deny ACE for some global group on "Change Password" and "Reset Password" for User objects, I end up with a single Deny ACE for those two operations. However, if I script it, I seem to end up with two Deny ACEs, one for "Change Password" and a second, separate one for "Reset Password."
I'm only setting a single objectType on the scripted ACE at this point, and having to repeat that code to set the second objectType. Is there a way to specify multiple objectTypes, or am I stuck with a larger DACL if I script the ACEs?

Thanks,
Hunter

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
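An object-specific ACE carries a single ObjectType GUID, so one way to compare the DACL written through the Security tab with the one written by script is to read the stored ACEs and group those that differ only in ObjectType. The following is an added example, not code from the original post; the SDDL string, the trustee SID and the function names `parse_dacl` and `group_aces` are constructed for illustration.

```python
import re
from collections import defaultdict

# rightsGuid values of the two control access rights named in the post.
RIGHTS = {
    "ab721a53-1e2f-11d0-9819-00aa0040529b": "Change Password",
    "00299570-246d-11d0-a768-00aa006e0529": "Reset Password",
}
ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "Allow", "OD": "Deny"}

# Constructed sample DACL in SDDL form. The trustee SID is made up;
# USER is the schemaIDGUID of the User class (the inherited object type).
SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
USER = "bf967aba-0de6-11d0-a285-00aa003049e2"
SAMPLE_SDDL = (
    "D:AI"
    f"(OD;CIIO;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;{USER};{SID})"
    f"(OD;CIIO;CR;00299570-246d-11d0-a768-00aa006e0529;{USER};{SID})"
    "(A;CI;LCRPRC;;;AU)"
)

def parse_dacl(sddl):
    """Return one dict per ACE stored in the D: section (simple ACEs only)."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1) if m else ""):
        ace_type, flags, rights, obj, inh_obj, trustee = body.split(";")[:6]
        aces.append({"type": ACE_TYPES.get(ace_type, ace_type), "flags": flags,
                     "rights": rights, "object_type": obj.lower(),
                     "inherited_object_type": inh_obj.lower(), "trustee": trustee})
    return aces

def group_aces(aces):
    """Merge ACEs that differ only in ObjectType: one row per trustee/type/scope."""
    rows = defaultdict(list)
    for ace in aces:
        key = (ace["trustee"], ace["type"], ace["flags"], ace["inherited_object_type"])
        # Show the right's name when the GUID is known, else the GUID or rights mask.
        label = ace["object_type"] or ace["rights"]
        rows[key].append(RIGHTS.get(ace["object_type"], label))
    return dict(rows)

if __name__ == "__main__":
    aces = parse_dacl(SAMPLE_SDDL)
    print(f"{len(aces)} ACEs stored")
    for (trustee, kind, flags, inh), rights in group_aces(aces).items():
        print(kind, trustee, flags, inh or "-", "->", ", ".join(rights))
```

Running the same grouping over the SDDL exported after each method shows whether the two DACLs actually differ in stored ACE count or only in how they are displayed.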