14.8. Customizing the ACL Editor

Problem

You want to set permissions on attributes that do not show up in the default ACL Editor.

Solution

The ACL Editor shows only a subset of the attributes on which permissions can be set for an object. These can be seen in the ACL Editor by clicking the Advanced button, adding or editing a permission entry, and selecting the Properties tab.

An attribute can have a read permission, write permission, or both, either of which can be set to Allow or Deny. If the attribute you want to secure is not in the list, you will need to modify the %SystemRoot%\system32\dssec.dat file on the computer running the ACL Editor.

The file has a section for each object class, with the class name in square brackets—e.g., [user]. Underneath that heading is a list of attributes that you can configure to display or not display in the ACL Editor. These are the first few lines of the [user] section:

[user]
aCSPolicyName=7
adminCount=7
allowedAttributes=7

The value to the right of the attribute determines whether it is shown in the ACL Editor. The valid values include the following:

0    Both Read Property and Write Property are displayed for the attribute.

1    Write Property is displayed for the attribute.

2    Read Property is displayed for the attribute.

7    No entries are displayed for the attribute.

If the attribute is not defined, then the default value (specified by @, if present) is used.
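The following is an added example, not code from the Active Directory Cookbook: it parses a dssec.dat-style body using the value meanings listed above, reports which entries the ACL Editor would show for a given class and attribute, and rewrites a line to change an attribute's visibility. The sample contents are constructed, and it assumes that an attribute with neither its own entry nor a @ default is shown.

```python
# Added example (not from the Active Directory Cookbook): parse a dssec.dat-style
# body, report what the ACL Editor shows, and set an attribute's visibility.
# Value meanings as the recipe lists them.
VISIBILITY = {0: ("read", "write"), 1: ("write",), 2: ("read",), 7: ()}

def parse_dssec(text):
    """Return {class: {attribute: value}}; a '@' key is the class default."""
    sections, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = int(value.strip())
    return sections

def displayed_entries(sections, obj_class, attribute):
    """Which of Read/Write Property the editor shows for attribute on obj_class.
    Unlisted attributes take the '@' default; with no '@' either, this example
    assumes both entries are shown (value 0)."""
    entries = sections.get(obj_class.lower(), {})
    return VISIBILITY.get(entries.get(attribute, entries.get("@", 0)), ())

def set_visibility(text, obj_class, attribute, value):
    """Return text with attribute=value under [obj_class], replacing an
    existing line or appending one to the section (or a new section)."""
    out, in_section, done = [], False, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            if in_section and not done:
                out.append(f"{attribute}={value}")
                done = True
            in_section = s[1:-1].lower() == obj_class.lower()
        elif in_section and not done and s.partition("=")[0].strip() == attribute:
            line, done = f"{attribute}={value}", True
        out.append(line)
    if not done and not in_section:
        out.append(f"[{obj_class}]")
    if not done:
        out.append(f"{attribute}={value}")
    return "\n".join(out) + "\n"

# Constructed sample in the format the recipe shows; the real file lives at
# %SystemRoot%\system32\dssec.dat on the machine running the ACL Editor.
SAMPLE = "[user]\n@=7\naCSPolicyName=7\nadminCount=7\nallowedAttributes=7\n[computer]\n@=0\n"
```

Setting an attribute to 0 with set_visibility makes both its Read Property and Write Property entries appear the next time the ACL Editor is opened on that computer.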

Discussion

Much like the Delegation of Control Wizard, you can customize the attributes that are shown in the ACL Editor, but ...
