RE: [ActiveDir] ACL Attribute

[Dean Wells]

Title: Re: [ActiveDir] ACL Attribute

ï The attribute should be present within the UI (by default and IIRC) on the Computer, Contact and OrganizationalPerson classes ... have you tried performing this task on numerous admin. workstations?  Have you edited the content of the %windir%\system32\dssec.dat?  If neither of these questions lead to a solution, you could try posting back a copy of the %windir%\system32\dssec.dat file, the one local to the machine on which you're running the Admin. console, so I can take a look. -- Dean Wells MSEtechnology * Email: dwells@msetechnology.com http://msetechnology.com   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, August 30, 2004 7:30 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] ACL Attribute I'm in advanced, users only, properties tab (tried the other one). Damn thing isn't there. I'm kinda scratching my head at dsacls /?. Looks like something I'd rather do graphically.   --Brian -----Original Message----- From: [EMAIL PROTECTED] on behalf of joe Sent: Mon 8/30/2004 6:15 AM To: [EMAIL PROTECTED] Cc: Subject: RE: [ActiveDir] ACL Attribute Err I was asked this once before.   Are you in advanced properties tab?   Did you specify to apply onto user objects only?   I believe that is the magic combo for it to pop up in the GUI. You can force something else if you use dsacls or a script.   Assuming nothing is granting an explicit read property on the object as a whole, you should be able to do this.     joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond Sent: Monday, August 30, 2004 3:10 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] ACL Attribute Thanks, Steve. Database size isn't much of an issue - it's like 100meg right now.In any case, the reason for my question in the first place is that the blasted employeeID attribute isn't in the list in the ACL editor. Domain is 2k native   --Brian  -----Original Message----- From: Steve Patrick [mailto:[EMAIL PROTECTED] Sent: Mon 8/30/2004 12:02 AM To: [EMAIL PROTECTED] Cc: Subject: Re: [ActiveDir] ACL Attribute Hi Brian Be careful about adding acls to the domain head like this - it can result in a large increase to the size of your database (in Win2k - 2k3 fixes this via an  improved single instance store) As for your how to... Go to the domain head - properties, security. Go to Advanced, click ADD and add Group1 Click on EDIT and the properties tab Click on the Apply Onto drop down and select USER obejcts Find READ\ WRITE Employee ID and ACL as you wish. -steve ----- Original Message ----- From: "Brian Desmond" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Sunday, August 29, 2004 4:34 PM Subject: [ActiveDir] ACL Attribute > I need to ACL the employeeID attribute in AD such that only a group I specify can read it. I'm scratching my head here because if I go to the top level of my Domain NC in Adsiedit, goto security, there's no employeeID in the list of attributes. I've selected the child objects scope. Is there a trick to making hte attribute magically appear or something? > > --Brian > .+-w i 0g-íí+Yb mPi 0 -íí+b Úf.+-j!  0j! or yïíIãV+v* List info   : http://www.activedir.org/mail_list.htm List FAQ    : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/