Active Directory

Feb. 4, 2011, 3:33 p.m.
posted by trystan

Modifying the Default Security of a Class






Modifying the Default Security of a Class

Problem

You want to modify the default security that is applied to objects instantiated from a particular structural class.

Solution

For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See Recipe 11.2 for more information.


Using a graphical user interface

  1. Open the Active Directory Schema snap-in.

  2. In the left pane, click on the Classes folder.

  3. In the right pane, double-click the class you want to modify the security for.

  4. Click the Default Security tab.

  5. Modify the security as necessary.

  6. Click OK.

Using a command line interface
	> admod -b cn=<ClassShortName>,cn=schema,cn=Configuration,<ForestRootDN>
	defaultSecurityDescriptor::"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"

Using VBScript
	' This code modifies the defaultSecurityDescriptor of a class
	' Refer to Recipe 4.2 for the DisplayAttributes( ) function code.
	' ------ SCRIPT CONFIGURATION -----
	' Set to the common name (not LDAP display dame) of the class
	strClassName = "<ClassCommonName>" ' e.g. User
	' ------ END CONFIGURATION --------

	set objRootDSE = GetObject("LDAP://RootDSE")
	set objClass = GetObject("LDAP://cn=" & strAttrName & "," & _
	                         objRootDSE.Get("schemaNamingContext"))
	objClass.Put "defaultSecurityDescriptor", _
	  "O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"
	objClass.SetInfo
	WScript.Echo "Default Security Descriptor modified"

Discussion

Whenever a new object is created in Active Directory, a default security descriptor (SD) is applied to it along with any inherited security from its parent container. The default security descriptor is stored in the defaultSecurityDescriptor attribute of the classSchema object. If you modify the default SD, every new object will get that SD, but it does not affect any existing objects.

Using a command-line interface

The defaultSecurityDescriptor attribute is stored in Active Directory using the Security Descriptor Definition Language (SDDL) format, and will return data formatted similar to the following:

	"O:AOG:DAD:(A;;RPWPCCDCLCSWRCWDWOGA;;;S-1-0-0)"

For more information on formulating SDDL strings, see the Platform Software Development Kit (SDK) or MSDN.

When creating your own Active Directory classes, we recommend against setting a default security descriptor, as this feature can create issues when working with delegated permissions.


See Also

MS KB 265399 (How to Change Default Permissions for Objects That Are Created in the Active Directory) and MSDN: Security Descriptor String Format



 Python   SQL   Java   php   Perl 
 game development   web development   internet   *nix   graphics   hardware 
 telecommunications   C++ 
 Flash   Active Directory   Windows