Change default ACL for Active Directory objects

By default, all Windows 2000 users are allowed to modify their personal information (telephone number and the like) in Active Directory. You cannot easily deny them this right with AD Users and Computers, because the permissions that allow these attributes to be modified are not inherited; they are applied directly to each individual object.

Many other AD objects have default ACLs (access control lists) that bypass inheritance. It is possible to modify the default ACL that is applied to a new AD object when it is created.

NOTE: This procedure involves schema modifications. Please be sure you know what you are doing before attempting to modify the schema.

  • At the command prompt, type: regsvr32 schmmgmt.dll. This registers the schema management snap-in.

  • At the command prompt, type: MMC.

  • In the console, press CTRL-M, click ADD and add the "Active Directory Schema" snap-in. Press Close, and then OK.

  • In the left pane, right-click "Active Directory Schema" and select "Operations Master". Make sure the snap-in is currently connected to the schema master and that the check box allowing the schema to be modified is checked.

  • In the left pane, you will see 2 folders: Attributes and Classes. Select "Classes."

  • In the right pane, find the object class of which you wish to modify the default ACL, and open its property
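An added example, not part of the original tip: PowerShell that reads the default security descriptor stored on a schema class (assumed here to be the defaultSecurityDescriptor attribute, held in SDDL form, which is what the snap-in procedure above edits), decodes it so the SELF entries that grant users write access to their own attributes can be reviewed, and stages a replacement against the schema master with -WhatIf. It assumes the ActiveDirectory module (RSAT) and PowerShell 5.1 or later for ConvertFrom-SddlString; the function names are mine.

```powershell
# Added example, not from the original tip. Assumes the ActiveDirectory module
# (RSAT) and PowerShell 5.1+ (ConvertFrom-SddlString). Reading the schema needs
# only read access; the Set step needs Schema Admins and the schema master.
Import-Module ActiveDirectory

function Get-DefaultClassAcl {
    param([Parameter(Mandatory)][string]$ClassName)   # lDAPDisplayName, e.g. 'user'
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNC -Properties defaultSecurityDescriptor `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
    if (-not $class) { throw "Class '$ClassName' not found in the schema" }
    $sddl = $class.defaultSecurityDescriptor
    # Decode the SDDL into readable ACEs (trustee, ACE type, rights)
    $decoded = ConvertFrom-SddlString -Sddl $sddl
    [pscustomobject]@{
        Class            = $ClassName
        Sddl             = $sddl
        DiscretionaryAcl = $decoded.DiscretionaryAcl
    }
}

# Review the default ACL for the 'user' class. The SELF (S-1-5-10) entries are
# the ones that let a user write their own personal information.
$acl = Get-DefaultClassAcl -ClassName 'user'
$acl.Sddl
$acl.DiscretionaryAcl | Where-Object { $_ -like '*SELF*' }

# Stage a new default against the schema master. Keep the old SDDL for rollback,
# validate the new SDDL before touching the schema, and remember that only
# objects created after the change receive the new default; existing objects
# keep the ACL they already have.
function Set-DefaultClassAcl {
    param([Parameter(Mandatory)][string]$ClassName,
          [Parameter(Mandatory)][string]$NewSddl)
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    $class = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -Properties defaultSecurityDescriptor `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))"
    if (-not $class) { throw "Class '$ClassName' not found in the schema" }
    $null = ConvertFrom-SddlString -Sddl $NewSddl   # throws on malformed SDDL
    "Previous default for $ClassName (keep for rollback): $($class.defaultSecurityDescriptor)"
    # -WhatIf shows the intended write; drop it only after the review above
    Set-ADObject -Server $schemaMaster -Identity $class.DistinguishedName `
        -Replace @{ defaultSecurityDescriptor = $NewSddl } -WhatIf
}
```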