Home
Topics
Microsoft Active Directory
Microsoft Active Directory Design and Administration
Change default ACL for Active Directory objects

Change default ACL for Active Directory objects

Guillaume Langlois

By default, all Windows 2000 users are allowed to modify their personal info (telephone number and such) in Active Directory. You cannot easily deny them this right by using AD Users and Computers, since the permissions to modify these attributes are not inherited -- they are applied directly on each individual object.

Many other AD objects have default ACLs (access control lists) that bypass inheritance. It is possible to modify the default ACL that is created upon creation of a new AD object.

NOTE: This procedure involves schema modifications. Please be sure you know what you are doing before attempting to modify the schema.

At the command prompt, type: regsvr32 schmmgmt.dll. This will register the schema management snap in.

At the command prompt, type: MMC.

In the console, press CTRL-M, click ADD and add the "Active Directory Schema" snap-in. Press Close, and then OK.

In the left pane, right click on "Active Directory Schema" and select "Operations Master". Make sure the snap-in is currently connected to the schema master and that the check box allowing the schema to be modified is checked.

In the left pane, you will see 2 folders: Attributes and Classes. Select "Classes."

In the right pane, find the object class of which you wish to modify the default ACL, and open its property sheet. Switch to the "Security" tab.

You are now looking at the default ACL. If you modify it,

Requires Free Membership to View

By submitting you agree to receive email communications from
TechTarget and its partners. Privacy Policy Terms of Use.

wait around 15 minutes, and any new object of that class that will be created will have your new default ACL.
More News and Tutorials
- Articles
  
  Creating a schema for a new Active Directory domain
  
  you'll get an overview...">Security functions of common Active Directory tools
  
  you'll get an overview...">Security functions of common Active Directory tools
  
  Changes coming to Active Directory
  
  Tool diagnoses Active Directory schema problems
- Default users for new database
  
  Allowing schema changes to take place
  
  Changes to Active Directory: Windows Server 2003 SP1
  
  Copy ACLs with files
  
  Domino on the iSeries: Changing an ACL when you don't have access
- Related glossary terms
  
  Terms for Whatis.com - the technology online dictionary
  
  Active Directory forest (AD forest)
  
  VPN Reconnect
  
  Active Directory tree (AD tree)
  
  DCPromo (Domain Controller Promoter)
  
  transitive trust
  
  Active Directory domain (AD domain)
  
  Active Directory
This was first published in December 2001

Join the conversationComment

Comments

Results

Contribute to the conversation

All fields are required. Comments will appear at the bottom of the article.

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.

Latest Headlines

Featured

E-Books

E-Zines

E-Handbooks

Topics

Hot Topics

Guides

Technology Dictionary

Tips

Ask a Question

Videos and Podcasts

Research Library

Product Demos

Resource Centers

Blogs

Conferences

Seminars

Change default ACL for Active Directory objects

Requires Free Membership to View

More News and Tutorials

Articles

Related glossary terms

Join the conversationComment

Share

Comments

Results

Contribute to the conversation

You May Also Be Interested In...

More Background

More Details

More from Related TechTarget Sites