The tools won't show you the specific permissions for every attribute. You
actually will have to look at all the permissions for the overall object and
any property set the attribute may be a part of.
For instance, telephoneNumber is a member of the Personal Information
property set, so in order to find out what perms people have for
telephoneNumber you will have to look at any permissions set on the whole
object and anything set for Personal Information. So, looking at an object in
my test forest, I see the following ACL dump:
Access list:
Effective Permissions on this object are:
Allow JOE\Domain Admins FULL CONTROL
Allow BUILTIN\Account Operators FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
        READ PERMISSONS
Allow NT AUTHORITY\SELF SPECIAL ACCESS
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
        DELETE
        READ PERMISSONS
        WRITE PERMISSIONS
        CHANGE OWNERSHIP
        CREATE CHILD
        LIST CONTENTS
        WRITE SELF
        WRITE PROPERTY
        READ PROPERTY
        LIST OBJECT
        CONTROL ACCESS
Allow JOE\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
        LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
Allow JOE\RAS and IAS Servers SPECIAL ACCESS for Account Restrictions
        READ PROPERTY
Allow JOE\RAS and IAS Servers SPECIAL ACCESS for Logon Information
        READ PROPERTY
Allow JOE\RAS and IAS Servers SPECIAL ACCESS for Group Membership
        READ PROPERTY
Allow JOE\RAS and IAS Servers SPECIAL ACCESS for Remote Access Information
        READ PROPERTY
Allow JOE\Cert Publishers SPECIAL ACCESS for userCertificate
        WRITE PROPERTY
        READ PROPERTY
Allow BUILTIN\Windows Authorization Access Group SPECIAL ACCESS for tokenGroupsGlobalAndUniversal
        READ PROPERTY
Allow BUILTIN\Terminal Server License Servers SPECIAL ACCESS for terminalServer
        WRITE PROPERTY
        READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for General Information
        READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Public Information
        READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Personal Information
        READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Web Information
        READ PROPERTY
Allow NT AUTHORITY\SELF SPECIAL ACCESS for Personal Information
        WRITE PROPERTY
        READ PROPERTY
Allow NT AUTHORITY\SELF SPECIAL ACCESS for Phone and Mail Options
        WRITE PROPERTY
        READ PROPERTY
Allow NT AUTHORITY\SELF SPECIAL ACCESS for Web Information
        WRITE PROPERTY
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information <Inherited from parent>
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information <Inherited from parent>
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership <Inherited from parent>
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions <Inherited from parent>
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information <Inherited from parent>
        READ PROPERTY
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
        READ PROPERTY
Allow Everyone Change Password
Allow NT AUTHORITY\SELF Change Password
Allow NT AUTHORITY\SELF Send As
Allow NT AUTHORITY\SELF Receive As
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
        DELETE
        READ PERMISSONS
        WRITE PERMISSIONS
        CHANGE OWNERSHIP
        CREATE CHILD
        LIST CONTENTS
        WRITE SELF
        WRITE PROPERTY
        READ PROPERTY
        LIST OBJECT
        CONTROL ACCESS
Allow JOE\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
        LIST CONTENTS
Inherited to computer
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
        READ PROPERTY
Inherited to group
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
        READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information <Inherited from parent>
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions <Inherited from parent>
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership <Inherited from parent>
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information <Inherited from parent>
        READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information <Inherited from parent>
        READ PROPERTY
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
The command completed successfully
Now the pieces that are important for telephoneNumber are:
Effective Permissions on this object are:
Allow JOE\Domain Admins FULL CONTROL
Allow BUILTIN\Account Operators FULL CONTROL
Allow NT AUTHORITY\SELF SPECIAL ACCESS
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
        DELETE
        READ PERMISSONS
        WRITE PERMISSIONS
        CHANGE OWNERSHIP
        CREATE CHILD
        LIST CONTENTS
        WRITE SELF
        WRITE PROPERTY
        READ PROPERTY
        LIST OBJECT
        CONTROL ACCESS
Allow JOE\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
        READ PERMISSONS
        LIST CONTENTS
        READ PROPERTY
        LIST OBJECT
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Personal Information
        READ PROPERTY
Allow NT AUTHORITY\SELF SPECIAL ACCESS for Personal Information
        WRITE PROPERTY
        READ PROPERTY
Since I just care about the object I queried, none of the permissions
inherited to subobjects are something I care about.
So what does the above mean for permissions on telephoneNumber?
It means Domain Admins, Account Ops, LocalSystem, Administrators, Enterprise
Admins, and Self can change the property: FULL CONTROL of the object or
WRITE PROPERTY of the entire object or Personal Information.
It means that all of the above PLUS Self, Pre-Windows 2000 Compatible Access,
and Authenticated Users can read the property: FULL CONTROL of the object or
READ PROPERTY of the entire object or Personal Information.
That applies to every attribute included in the Personal Information
property set - to see the default attribs in that set check out
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/r_personal_information.asp?frame=true
joe
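Applying joe's rule mechanically with the RSAT ActiveDirectory PowerShell module, as an added example that is not part of this thread: it reads the attribute's own GUID and the GUID of the property set it belongs to out of the schema, then keeps only the ACEs on the object that cover the whole object, the attribute, or that property set. The function name and the DN are placeholders.

```powershell
# Added example (not from this thread): apply joe's rule programmatically with
# the RSAT ActiveDirectory module instead of reading dsacls output by hand.
# An ACE covers an attribute when its ObjectType is empty (whole object), is the
# attribute's own schemaIDGUID, or is the attributeSecurityGUID of the property
# set the attribute belongs to (Personal Information for telephoneNumber).
Import-Module ActiveDirectory

function Get-AttributePermission {
    param(
        [Parameter(Mandatory)] [string] $ObjectDN,
        [Parameter(Mandatory)] [string] $Attribute   # e.g. telephoneNumber
    )
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$Attribute)" `
                -Properties schemaIDGUID, attributeSecurityGUID
    if (-not $attr) { throw "attribute '$Attribute' not found in the schema" }
    $attrGuid = [guid]::new([byte[]]$attr.schemaIDGUID)
    # attributeSecurityGUID is absent for attributes that belong to no property set
    $setGuid = if ($attr.attributeSecurityGUID) { [guid]::new([byte[]]$attr.attributeSecurityGUID) }

    $acl = Get-Acl -Path "AD:\$ObjectDN"
    foreach ($ace in $acl.Access) {
        # Inherit-only ACEs are the "inherited to subobjects" part of dsacls output:
        # they apply to children, not to the object queried, so skip them.
        if (($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) -ne 0) { continue }
        if     ($ace.ObjectType -eq [guid]::Empty)           { $via = 'whole object' }
        elseif ($ace.ObjectType -eq $attrGuid)               { $via = $Attribute }
        elseif ($setGuid -and $ace.ObjectType -eq $setGuid)  { $via = 'property set' }
        else   { continue }   # some other attribute, property set or extended right
        # FULL CONTROL (GenericAll) contains both bits, so it is matched as well.
        $rights   = $ace.ActiveDirectoryRights
        $canRead  = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty)  -ne 0
        $canWrite = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
        if (-not ($canRead -or $canWrite)) { continue }
        [pscustomobject]@{
            Identity  = $ace.IdentityReference.Value
            Type      = $ace.AccessControlType      # a Deny here overrides any Allow
            Read      = $canRead
            Write     = $canWrite
            Via       = $via
            Inherited = $ace.IsInherited
        }
    }
}

# Placeholder DN; replace with the object you are checking.
Get-AttributePermission -ObjectDN 'CN=Some User,OU=Users,DC=example,DC=com' -Attribute telephoneNumber |
    Sort-Object Type, Identity | Format-Table -AutoSize
```

Group membership of the caller is not expanded here; the output lists the trustees exactly as dsacls does, and you still resolve which of them a given user belongs to.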
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of David Adner
Sent: Thursday, May 13, 2004 8:24 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] View permissions of specific attributes
Unless I'm missing it, I don't see where it shows specific attributes for
the object...?
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Carlos
> Magalhaes
> Sent: Thursday, May 13, 2004 02:36
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] View permissions of specific attributes
>
> Have you also thought of running dsacls.exe (the latest version is the
> version that comes with ADAM)? You can specify a path, i.e.
> dsacls.exe /domain:<domainName>; you can also specify a specific
> Active Directory path that can be denoted by prepending
> \\server[:port]\ to the object, as in
>
> \\ADSERVER\CN=John Doe,OU=Software,OU=Engineering,DC=Widget,DC=US
>
> Carlos Magalhaes - AD programming ? -
> http://groups.yahoo.com/group/adsianddirectoryservices
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Gil
> Kirkpatrick
> Sent: Thursday, May 13, 2004 6:29 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] View permissions of specific attributes
>
> Use adsiedit, right click on an object, select Properties, then select
> the Security tab. You'll see the security descriptor information
> there.
>
> -gil
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of David Adner
> Sent: Wednesday, May 12, 2004 7:09 PM
> To: [EMAIL PROTECTED]
> Subject: [ActiveDir] View permissions of specific attributes
>
> I must just be missing something, but I can't seem to find out how to
> view the permissions a user has to a specific object's attributes.
> I've been looking in adsiedit, ldp, dsacls... Am I close? :)
>
> I'm trying to verify a user has the necessary permissions to modify
> certain object attributes. Any help is appreciated. Thx
>
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive:
> http://www.mail-archive.com/activedir%40mail.activedir.org/