RE: [ActiveDir] Using an LDIF to set ACLs

[Dmitri Gavrilov]

Yeah, Joe’s correct, dsacls or scripting is your best bet. SDDL+encoding is also possible, but it would replace the whole SD value, which is rarely what you really want. Usually you just need to add or remove an ACE, right? This would require reading the old value, which is not possible with LDIF.   At some point, I looked at trying to expose the SD value as a multi-valued string attribute, each value representing an individual ACE (e.g. in SDDL). This is approximately what iPlanet and OpenLdap do. Unfortunately, it never went further than that. Would have been pretty cool, and very much LDIF’able. Alas…   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Friday, October 06, 2006 1:54 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Using an LDIF to set ACLs   I think you could but it would be non-trivial, I agree with Al, use a different tool. dsacls or scripting is the "standard".   Theoretically, and Dmitri or Eric can correct me if I am off, you could create your Security Descriptor in SDDL format, convert that to the binary form, then mime encode it, then try to apply that string for the ntSecurityDescriptor attribute. You will likely have to do it as an Administrator or else you will get an error since non-admins have to set special controls to update the security descriptor and I don't think LDIFDE will do it.      joe   -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick Sent: Friday, October 06, 2006 4:36 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Using an LDIF to set ACLs There's no provision in the ldif standard that I'm aware of that would allow this.  LDIFDE might have something with it, but I haven't seen it.   You'd be better off using a different tool in my opinion.    Al   On 10/6/06, Isenhour, Joseph <[EMAIL PROTECTED]> wrote: Does anyone know if it's possible to set Directory ACLs using an LDIF? I'm trying to enforce a process for setting ACLs that is similar to the process we have for making Schema extensions. List info   : http://www.activedir.org/List.aspx List FAQ    : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx