Hi,

The file %SystemRoot%\System32\dssec.dat specifies which classes and attributes are hidden from the lists when viewing or delegating permissions using either the Delegation of Control wizard or ACL Editor.

Already in Windows 2000 this file had some peculiarities, such as (for the user class):

- First name (givenName) was visible but last name (sn) was not.
- E-Mail Address (Others) was visible but the normal E-mail was not.

For WS2003, this file was practically not modified, so the 49 new classes and 50 new attributes for the user class, for example, became visible. They are mostly something that you probably never use in delegation, so I made a new dssec.dat with the following modifications:

- Hide all the new classes of WS2003, except inetOrgPerson (48 of them)
- Hide aCSResourceLimits, which was already in Win2000
- For the user class, hide and unhide quite a few attributes so that the list of visible attributes is about the same as in ADUC. The exceptions are that nTSecurityDescriptor is hidden and badPasswordTime, badPwdCount, cn, employeeID, lastLogoff, lastLogon, lastLogonTimestamp, name, and pwdLastSet are visible.
- Added inetOrgPerson and applied the same attribute filtering to it as for the user class.

If you want to use this file, download it from http://www.kouti.com/scripts.htm, and save it with the name %SystemRoot%\System32\dssec.dat on the computer where you would use ACL Editor or the Delegation of Control wizard.

Obviously it is a good idea to make a backup copy of the original file, although you would have the original file on all other computers anyway.

Yours,
Sakari
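Before overwriting the original dssec.dat with a downloaded replacement, it helps to see exactly which classes and attributes change visibility. The following is an added example, not part of the original post or of the downloadable file; it assumes the usual dssec.dat layout (INI-style [class] sections, name=7 for a hidden entry, @ standing for the class itself), and the two sample files in it are constructed.

```python
import configparser

HIDDEN = "7"  # assumption: value 7 means "filtered out of the permission lists"

def parse_dssec(text):
    """Return {class: {entry: value}}; names are lower-cased (LDAP names are case-insensitive)."""
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",))
    cp.read_string(text)
    classes = {}
    for section in cp.sections():
        entries = classes.setdefault(section.lower(), {})
        for name, value in cp.items(section):  # option names are already lower-cased
            entries[name] = value.strip()
    return classes

def hidden(entries):
    """Entries of one class that are filtered out of the lists."""
    return {name for name, value in entries.items() if value == HIDDEN}

def diff_visibility(original, replacement):
    """Per class, list what the replacement newly hides and newly shows."""
    old, new = parse_dssec(original), parse_dssec(replacement)
    report = {}
    for cls in sorted(set(old) | set(new)):
        before, after = hidden(old.get(cls, {})), hidden(new.get(cls, {}))
        if before != after:
            report[cls] = {"now_hidden": sorted(after - before),
                           "now_visible": sorted(before - after)}
    return report

# Constructed samples, not copied from any real dssec.dat.
ORIGINAL = """[user]
sn=7
badPwdCount=7
"""
REPLACEMENT = """[user]
nTSecurityDescriptor=7
[aCSResourceLimits]
@=7
[inetOrgPerson]
nTSecurityDescriptor=7
"""

if __name__ == "__main__":
    for cls, change in diff_visibility(ORIGINAL, REPLACEMENT).items():
        print(cls, change)
```

To compare real files, read the backup copy and the downloaded file into strings and pass them to diff_visibility in that order.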
