Modifying the Default Security of a Class
Problem
You want to modify the default security that is applied to objects instantiated from a particular structural class.
Solution
Note: For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See Recipe 11.2 for more information.
Using a graphical user interface
Open the Active Directory Schema snap-in. In the left pane, click on the Classes folder. In the right pane, double-click the class you want to modify the security for. Click the Default Security tab. Modify the security as necessary.
Using a command line interface
> admod -b cn=<ClassShortName>,cn=schema,cn=Configuration,<ForestRootDN> defaultSecurityDescriptor::"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
Using VBScript
' This code modifies the defaultSecurityDescriptor of a class
' ------ SCRIPT CONFIGURATION -----
' Set to the common name (not LDAP display name) of the class
strClassName = "<ClassCommonName>" ' e.g. User
' ------ END CONFIGURATION --------
' Locate the schema naming context for this forest, then bind to the classSchema object
set objRootDSE = GetObject("LDAP://RootDSE")
set objClass = GetObject("LDAP://cn=" & strClassName & "," & _
objRootDSE.Get("schemaNamingContext"))
' Write the new default SD (an SDDL string) and commit it to the directory
objClass.Put "defaultSecurityDescriptor", _
"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
objClass.SetInfo
WScript.Echo "Default Security Descriptor modified"
Discussion
Whenever a new object is created in Active Directory, a default security descriptor (SD) is applied to it along with any inherited security from its parent container. The default security descriptor is stored in the defaultSecurityDescriptor attribute of the classSchema object. If you modify the default SD, every new object will get that SD, but it does not affect any existing objects.
Using a command-line interface
The defaultSecurityDescriptor attribute is stored in Active Directory using the Security Descriptor Definition Language (SDDL) format, and will return data formatted similar to the following:
"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
For more information on formulating SDDL strings, see the Platform Software Development Kit (SDK) or MSDN.
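Because the default SD is written as an opaque SDDL string, it is easy to commit a descriptor without noticing what it actually grants. The following Python script is an added example (not code from the book or from the admod/ADSI tools) that decodes an SDDL string into its owner, group and DACL entries, expands the two-letter rights codes, and lists every Allow ACE that hands out Generic All, Write DAC or Write Owner. The alias and rights tables are the documented SDDL abbreviations; the SDDL_EXAMPLE constant is the descriptor from the recipe above, and the "Null SID" label for S-1-0-0 is this example's own annotation.

```python
"""Decode an Active Directory defaultSecurityDescriptor (SDDL) string.

Added example; not code from the book. Parses owner, group, DACL/SACL,
expands rights codes and reports control-level grants.
"""
import re

# Well-known SID aliases used in SDDL (subset; unknown values pass through).
# S-1-0-0 is not an alias; it is labelled here because the recipe uses it
# as a placeholder trustee.
WELL_KNOWN = {
    "AO": "Account Operators", "BA": "Builtin Administrators",
    "BO": "Backup Operators", "BU": "Builtin Users", "DA": "Domain Admins",
    "DD": "Domain Controllers", "DU": "Domain Users", "EA": "Enterprise Admins",
    "SA": "Schema Admins", "SY": "Local System", "AU": "Authenticated Users",
    "WD": "Everyone", "PS": "Principal Self", "CO": "Creator Owner",
    "SO": "Server Operators", "PO": "Printer Operators",
    "S-1-0-0": "Null SID",
}

# Two-letter rights codes: directory-service rights plus the generic and
# standard rights that matter for AD objects. Note "WD" here means Write DAC,
# while "WD" in the trustee field means Everyone; the field decides.
RIGHTS = {
    "CC": "Create Child", "DC": "Delete Child", "LC": "List Children",
    "SW": "Self Write (validated write)", "RP": "Read Property",
    "WP": "Write Property", "DT": "Delete Tree", "LO": "List Object",
    "CR": "Control Access (extended right)", "SD": "Delete",
    "RC": "Read Control", "WD": "Write DAC", "WO": "Write Owner",
    "GA": "Generic All", "GX": "Generic Execute", "GW": "Generic Write",
    "GR": "Generic Read",
}

ACE_TYPES = {"A": "Allow", "D": "Deny", "OA": "Object Allow",
             "OD": "Object Deny", "AU": "Audit", "OU": "Object Audit"}

ACE_FLAGS = {"CI": "Container Inherit", "OI": "Object Inherit",
             "NP": "No Propagate", "IO": "Inherit Only", "ID": "Inherited",
             "SA": "Successful Access audit", "FA": "Failed Access audit"}

# Rights whose grant effectively hands over control of the object.
CONTROL_RIGHTS = {"GA", "WD", "WO"}

# The descriptor shown in the recipe.
SDDL_EXAMPLE = 'O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)'


def _pairs(s):
    """Split a run of two-letter codes into a list of codes."""
    return [s[i:i + 2] for i in range(0, len(s), 2)]


def decode_rights(rights):
    """Expand a rights field into two-letter codes; a hex mask such as
    0x000f01ff is passed through unexpanded. Unknown codes are an error
    rather than silently ignored."""
    if rights.lower().startswith("0x"):
        return [rights]
    codes = _pairs(rights)
    unknown = [c for c in codes if c not in RIGHTS]
    if unknown:
        raise ValueError(f"unknown rights code(s) {unknown} in {rights!r}")
    return codes


def parse_ace(ace):
    """Parse one ACE body 'type;flags;rights;object_guid;inherit_guid;sid'."""
    fields = ace.split(";")
    if len(fields) < 6:
        raise ValueError(f"ACE has {len(fields)} fields, expected 6: {ace!r}")
    ace_type, flags, rights, obj_guid, inh_guid, sid = fields[:6]
    return {
        "type": ACE_TYPES.get(ace_type, ace_type),
        "flags": [ACE_FLAGS.get(f, f) for f in _pairs(flags)],
        "rights": decode_rights(rights),
        "object_guid": obj_guid or None,
        "inherit_guid": inh_guid or None,
        "sid": sid,
        "trustee": WELL_KNOWN.get(sid, sid),
    }


def parse_acl(acl):
    """Split 'P(ace)(ace)...' into ACL control flags and parsed ACEs."""
    head, _, _ = acl.partition("(")
    aces = re.findall(r"\(([^)]*)\)", acl)
    return {"flags": _pairs(head), "aces": [parse_ace(a) for a in aces]}


def parse_sddl(sddl):
    """Parse the O:/G:/D:/S: components; colons occur nowhere else in SDDL."""
    sddl = sddl.strip().strip('"')
    labels = [(m.start(), m.group(1)) for m in re.finditer(r"([OGDS]):", sddl)]
    parts = {}
    for i, (pos, label) in enumerate(labels):
        end = labels[i + 1][0] if i + 1 < len(labels) else len(sddl)
        parts[label] = sddl[pos + 2:end]
    return {
        "owner": WELL_KNOWN.get(parts.get("O", ""), parts.get("O")),
        "group": WELL_KNOWN.get(parts.get("G", ""), parts.get("G")),
        "dacl": parse_acl(parts["D"]) if "D" in parts else None,
        "sacl": parse_acl(parts["S"]) if "S" in parts else None,
    }


def control_grants(parsed):
    """Return (trustee, rights) for each Allow ACE granting Generic All,
    Write DAC or Write Owner: the entries to review before committing a
    descriptor to defaultSecurityDescriptor."""
    found = []
    for ace in (parsed["dacl"] or {"aces": []})["aces"]:
        hits = sorted(CONTROL_RIGHTS.intersection(ace["rights"]))
        if ace["type"] in ("Allow", "Object Allow") and hits:
            found.append((ace["trustee"], hits))
    return found


if __name__ == "__main__":
    sd = parse_sddl(SDDL_EXAMPLE)
    print("Owner:", sd["owner"], "| Group:", sd["group"])
    for ace in sd["dacl"]["aces"]:
        names = ", ".join(RIGHTS.get(r, r) for r in ace["rights"])
        print(f"{ace['type']} {ace['trustee']}: {names}")
    print("Control grants:", control_grants(sd))
```

Run against the recipe's string, the script reports that the single ACE grants Write DAC, Write Owner and Generic All to S-1-0-0; replace that placeholder with a real trustee only after confirming those rights are intended, since every object created from the class will inherit the grant.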
Note: When creating your own Active Directory classes, we recommend against setting a default security descriptor, as this feature can create issues when working with delegated permissions.
See Also
MS KB 265399 (How to Change Default Permissions for Objects That Are Created in the Active Directory) and MSDN: Security Descriptor String Format