Ouch that does sound like a lot of trouble. And once the binary string is in the LDIF admins won’t be able to tell what the string is doing. Sounds like dsacls is the way to go.

Thanks for the info

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I think you could but it would be non-trivial, I agree with Al, use a different tool. dsacls or scripting is the "standard".

Theoretically, and Dmitri or Eric can correct me if I am off, you could create your Security Descriptor in SDDL format, convert that to the binary form, then mime encode it, then try to apply that string for the ntSecurityDescriptor attribute. You will likely have to do it as an Administrator or else you will get an error since non-admins have to set special controls to update the security descriptor and I don't think LDIFDE will do it.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick

There's no provision in the ldif standard that I'm aware of that would allow this. LDIFDE might have something with it, but I haven't seen it.

You'd be better off using a different tool in my opinion.

Al

On 10/6/06,
Does anyone know if it's possible to set Directory ACLs using an LDIF?
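
The conversion joe describes (SDDL to binary to base64), together with the reverse decode that lets an admin read what such a value in an LDIF actually grants, as an added PowerShell example that is not from any poster in this thread. The SDDL string and the DN are constructed placeholders; the code only builds and decodes the LDIF text and does not import anything into a directory.

```powershell
# Added example: SDDL <-> base64 LDIF value for nTSecurityDescriptor.
# Requires Windows (.NET parses SDDL through the Win32 API).

function ConvertTo-LdifSecurityDescriptor {
    param(
        [Parameter(Mandatory)] [string] $Sddl,
        [Parameter(Mandatory)] [string] $DistinguishedName
    )
    # Parse the SDDL and serialize it to the self-relative binary form.
    $sd    = [System.Security.AccessControl.RawSecurityDescriptor]::new($Sddl)
    $bytes = [byte[]]::new($sd.BinaryLength)
    $sd.GetBinaryForm($bytes, 0)

    # LDIF marks a base64 value with a double colon after the attribute name.
    $b64 = [Convert]::ToBase64String($bytes)
    @(
        "dn: $DistinguishedName"
        'changetype: modify'
        'replace: nTSecurityDescriptor'
        "nTSecurityDescriptor:: $b64"
        '-'
    ) -join "`r`n"
}

function ConvertFrom-LdifSecurityDescriptor {
    param([Parameter(Mandatory)] [string] $LdifText)
    # Assumes the base64 value sits unfolded on a single line.
    foreach ($line in $LdifText -split "`r?`n") {
        if ($line -match '^nTSecurityDescriptor::\s*(\S+)$') {
            $bytes = [Convert]::FromBase64String($Matches[1])
            $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($bytes, 0)
            # Emit readable SDDL so the ACL can be reviewed before any import.
            $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
        }
    }
}

# Constructed sample: DACL only, read-type rights for Authenticated Users.
$sddl = 'D:(A;;RPLCLORC;;;AU)'
$dn   = 'OU=Example,DC=example,DC=com'   # placeholder DN

$ldif = ConvertTo-LdifSecurityDescriptor -Sddl $sddl -DistinguishedName $dn
$ldif                                              # the opaque form
ConvertFrom-LdifSecurityDescriptor -LdifText $ldif # the reviewable form
```

Running the decode function over any LDIF that carries an nTSecurityDescriptor value is a quick review step before the file is applied.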
- [ActiveDir] Using an LDIF to set ACLs Isenhour, Joseph
- Re: [ActiveDir] Using an LDIF to set ACLs Al Mulnick
- RE: [ActiveDir] Using an LDIF to set ACLs joe
- RE: [ActiveDir] Using an LDIF to set ACLs Isenhour, Joseph
- RE: [ActiveDir] Using an LDIF to set ACLs Dmitri Gavrilov
- Re: [ActiveDir] Using an LDIF to set ACL... Joe Kaplan
- RE: [ActiveDir] Using an LDIF to set ACL... Isenhour, Joseph
