
Add Attributes to your Active Directory Schema and Manage ..

Last response: in Windows 2000/NT
Anonymous
May 16, 2005 12:10:25 PM

Archived from groups: microsoft.public.win2000.active_directory

In case anyone is interested, we wrote a short paper on Active
Directory attributes and their security. The paper shows how to create
a new Active Directory attribute, add it to an existing container (user
class), and configure its security using Active Directory control
access rights.

To perform each of the steps, the paper employs four different
techniques: administration via the GUI, administration via the command
line, scripting using the COM ADSI interfaces in VBScript, and
programming using the DirectoryServices library in Visual Basic .NET.

Add Attributes to your Active Directory Schema and Manage their
Permissions Efficiently
Philippe Lacoude & Rajnish Sinha
Washington, D.C.
April 2005 (Version 1.1)
http://www.lacoude.com/docs/pu­blic/Attributes.aspx
May 24, 2005 8:35:10 PM

Archived from groups: microsoft.public.win2000.active_directory

Hi Philippe,

Thanks for putting up a site, it has good info. However, it does not address
a situation I am facing:

When using ADU&Cs, I would like to see an extended permission/task list in the
ACL dialog box for a customized object in the schema. Currently it shows
Read, List, Modify, Delete etc. for most objects. I would like to append the
above permission list with new permissions like: clear log, send alert etc.

So far, I have tried this:
Yes, I tried to add a new control-access-right (CAR) in the schema by doing:

> Dn: CN=myperm,CN=Extended-Rights,CN=Configuration,DC=xx,DC=com
> changetype: add
> cn: myperm
> rightsGuid: 36BB01B9-AFC0-4972-94C4-82275B949401
> objectClass: controlAccessRight
> appliesTo: 5e0ad683-eb2c-4675-9e94-aff90f69af7f
> #showInAdvancedViewOnly: TRUE
> validAccesses: 256

and gave it the schemaIDGUID of the object I want to apply this CAR
to. Also made a modification in the c:\windows\system32\dssec.dat file. But
with this approach, depending on the value entered in the dssec.dat for the
CAR, it displays either as "read myperm" or "write myperm" (read/write
getting prefixed to my CAR). So, in my case I would be getting "read clear
log file" but I need "clear log file" instead.

Any comments on what's wrong?

Much thanks.


"Philippe Lacoude" wrote:

> Without the broken link:
> http://www.lacoude.com/docs/public/Attributes.aspx
>
>