Anyone know how to Use DSACLS to add perms to Machine acco..

April 21, 2005 4:03:02 PM

Archived from groups: microsoft.public.win2000.security (More info?)

I have read all the examples, but the perms listed are not specific to machine
account perms like
Write Validate Host Name etc.
Anyone have a good example on how to use DSACLS aside from the standard cut
and dry and way too limited ones?

Thanks
April 21, 2005 9:51:09 PM


It is pretty much the same process for all perms. What exactly are you trying to
accomplish?

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Talon wrote:
> I have read all the examples, but the perms listed are not specific to machine
> account perms like
> Write Validate Host Name etc.
> Anyone have a good example on how to use DSACLS aside from the standard cut
> and dry and way too limited ones?
>
> Thanks
April 25, 2005 3:23:02 PM


Hi Joe,

I am trying to add perms to a Machine Account Object for a Specific User to
allow them to Join the specific machine. Perms are as follows. But I see no
mention of such perms in DSACLS help anywhere.
Reset Password
Validated write to DNS host name
Validated write to service principal name
Write Account Restrictions

Supposedly, by default, the user or group is only given the Read, Read Public
Information, Read Personal Information, and Read Account Restrictions
permissions.

Thanks


April 26, 2005 3:56:56 PM


Those are either "extended-rights" or "property sets". They aren't anything
special about dsacls; they are an AD thing. You just have to understand the AD
security model, and once there, the help from dsacls makes more sense.

You can list all "extended-rights" and "property sets" in the extended-rights
container of the config container. Far below I have listed the whole set of
those items listed in that container; make note of the case of each string, as it
is important.

You can determine what is an "extended-right" versus a "property set" by looking
at the validAccesses attribute on the objects. See

http://msdn.microsoft.com/library/default.asp?url=/libr...


"Property sets" and "extended-rights" are kind of cool, but it seems, IMO, that
MS only half-heartedly implemented them. They could do some very cool things
very easily, but they dropped the ball I think. Additionally they are tougher to
work with in an ACL model that is already a bit involved. Trust me when I say
that DSACLS is much simpler for doing this stuff than dealing with the ACLs directly
with script or code, but not as easy as the GUI. Still, DSACLS has its own issues
as well. One of the most annoying ones I have run into is that you need to be exact
on case or you will experience a parameter error.



Anyway, "property sets" can have WP (Write Property), WS (Write Self), or RP
(Read Property) set on them depending on the type of set - validated writes, for
instance, take WS. "Extended-rights" can only have CA (Control Access) set on them.

So for instance to set "Reset Password" you need to set CA on the specific object.

dsacls <somedn> /I:T /G "<somedomain\somegroup>:CA;Reset Password;"


but setting "Validated Write to DNS host name" would be like

dsacls <somedn> /I:T /G "<somedomain\somegroup>:WS;Validated write to DNS host name;"

and setting Write on "Account Restrictions" is handled like

dsacls <somedn> /I:T /G "<somedomain\somegroup>:WP;Account Restrictions;"


Of course you can "usually" slap multiple permissions together onto a single
command line with a

dsacls <somedn> /I:T /G "secprin:access;perm" "secprin:access;perm"
"secprin:access;perm" "secprin:access;perm" "secprin:access;perm" etc...

Occasionally you will hit something that it won't let you put together and you
may even have opportunity to see a crash of dsacls which I have seen on a couple
of occasions when linking up ACL updates like that.


With that info, you should be able to put together the appropriate command line
to set a computer object to allow someone specific to join it.




All objects in the Extended rights container. Again to determine what type of
objects they are, look at the validAccesses attribute.


F:\DEV\cpp\NetSess>adfind -config -rb cn=extended-rights displayname -nodn -nolabel -sort displayname

AdFind V01.26.00cpp Joe Richards (joe@joeware.net) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: cn=extended-rights,CN=Configuration,DC=joe,DC=com

Account Restrictions
Add GUID
Add PF to admin group
Add/Remove Replica In Domain
Add/Remove self as member
Administer information store
Allocate Rids
Allowed to Authenticate
Apply Group Policy
Change Domain Master
Change Infrastructure Master
Change Password
Change PDC
Change Rid Master
Change Schema Master
Check Stale Phantoms
Create Inbound Forest Trust
Create named properties in the information store
Create public folder
Create top level public folder
DNS Host Name Attributes
Do Garbage Collection
Domain Administer Server
Domain Password & Lockout Policies
Enable Per User Reversibly Encrypted Password
Enroll
Enumerate Entire SAM Domain
Exchange administrator
Exchange full administrator
Exchange public folder read-only administrator
Exchange public folder service
Execute Forest Update Script
General Information
Generate Resultant Set of Policy (Logging)
Generate Resultant Set of Policy (Planning)
Group Membership
Logon Information
Mail-enable public folder
Manage Replication Topology
Migrate SID History
Modify public folder ACL
Modify public folder admin ACL
Modify public folder deleted item retention
Modify public folder expiry
Modify public folder quotas
Modify public folder replica list
Monitor Active Directory Replication
Open Address List
Open Connector Queue
Open mail send queue
Other Domain Parameters (for use by SAM)
Peek Computer Journal
Peek Dead Letter
Peek Message
Personal Information
Phone and Mail Options
Public Information
Query Self Quota
Read metabase properties
Reanimate Tombstones
Recalculate Hierarchy
Recalculate Security Inheritance
Receive As
Receive Computer Journal
Receive Dead Letter
Receive Journal
Receive Message
Refresh Group Cache for Logons
Remote Access Information
Remove PF from admin group
Replicating Directory Changes
Replicating Directory Changes All
Replication Synchronization
Reset Password
Send As
Send Message
Send To
Unexpire Password
Update Password Not Required Bit
Update Schema Cache
Validated write to DNS host name
Validated write to service principal name
View information store status
Web Information

85 Objects returned
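An added example, not code from this thread or from joeware, pulling together the two points above: the access token (CA, WS, WP, RP) follows from the kind of object in cn=Extended-Rights, which validAccesses tells you, and dsacls rejects a right name whose case does not match the stored displayName. The table of rights here is a constructed subset of that container (a real tool would read displayName and validAccesses from it); the bit values are the ADS_RIGHT_ENUM constants, assumed here rather than quoted from the post; the DN and the JOE\joiners principal are placeholders. It builds the four grants a principal needs on a computer object to join that specific machine.

```python
"""Build case-exact dsacls /G arguments for AD extended rights, validated writes
and property sets, choosing the access token from validAccesses.

Constructed example: EXTENDED_RIGHTS is a hand-written subset of what
cn=Extended-Rights in the configuration container holds. A real tool would
read displayName and validAccesses from the directory instead.
"""

# ADS_RIGHT_ENUM bits that appear in validAccesses (assumed from the ADSI enum).
ADS_RIGHT_DS_SELF = 0x8              # validated write  -> dsacls "WS"
ADS_RIGHT_DS_READ_PROP = 0x10        # property set, read  -> "RP"
ADS_RIGHT_DS_WRITE_PROP = 0x20       # property set, write -> "WP"
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100  # extended right   -> "CA"

# Constructed subset: displayName -> validAccesses, case exactly as stored.
EXTENDED_RIGHTS = {
    "Reset Password": ADS_RIGHT_DS_CONTROL_ACCESS,
    "Validated write to DNS host name": ADS_RIGHT_DS_SELF,
    "Validated write to service principal name": ADS_RIGHT_DS_SELF,
    "Account Restrictions": ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP,
    "Personal Information": ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP,
    "Public Information": ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP,
}

# The four rights the thread is about: what a principal needs on a computer
# object, beyond the default reads, to join that specific machine.
JOIN_RIGHTS = [
    "Reset Password",
    "Validated write to DNS host name",
    "Validated write to service principal name",
    "Account Restrictions",
]


def classify(valid_accesses):
    """Sort a validAccesses bitmask into the three kinds dsacls treats differently."""
    if valid_accesses & ADS_RIGHT_DS_CONTROL_ACCESS:
        return "extended-right"
    if valid_accesses & ADS_RIGHT_DS_SELF:
        return "validated-write"
    if valid_accesses & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        return "property-set"
    raise ValueError(f"unrecognised validAccesses value {valid_accesses:#x}")


def exact_name(name):
    """Return the stored-case displayName for a case-insensitive match, or None."""
    for stored in EXTENDED_RIGHTS:
        if stored.lower() == name.lower():
            return stored
    return None


def access_token(name, write=True):
    """Pick CA / WS / WP / RP from validAccesses rather than guessing."""
    kind = classify(EXTENDED_RIGHTS[name])
    if kind == "extended-right":
        return "CA"
    if kind == "validated-write":
        return "WS"
    return "WP" if write else "RP"


def grant_arg(principal, name, write=True):
    """One "secprin:access;perm;" argument. A case mismatch is refused here,
    because dsacls itself only reports a generic parameter error for it."""
    stored = exact_name(name)
    if stored is None:
        raise ValueError(f"no such right: {name!r}")
    if stored != name:
        raise ValueError(f"case mismatch: {name!r} must be written {stored!r}")
    return f'"{principal}:{access_token(stored, write)};{stored};"'


def build_commands(dn, principal, rights=JOIN_RIGHTS, combine=False):
    """Return dsacls command lines, one per right by default; the post above
    notes that stacking many grants on one line has made dsacls fall over."""
    args = [grant_arg(principal, r) for r in rights]
    if combine:
        return [f"dsacls {dn} /I:T /G " + " ".join(args)]
    return [f"dsacls {dn} /I:T /G {a}" for a in args]


if __name__ == "__main__":
    # Placeholder DN and principal; paste the printed lines into a cmd prompt.
    for line in build_commands("CN=PC01,CN=Computers,DC=joe,DC=com", r"JOE\joiners"):
        print(line)
```

The /I:T switch is carried over from the examples in the post; drop or change it if the grant should not propagate to child objects. Running the script prints four separate dsacls lines, which also makes it obvious which single grant failed if one does.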


--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net

