Change default ACL for Active Directory objects
By default, every Windows 2000 user can modify the personal information attributes (telephone number, home address and the like) on his or her own user object in Active Directory. The permission comes from an ACE for the SELF principal on each user object that grants write access to the Personal Information property set. You cannot easily remove it with Active Directory Users and Computers, because the ACE is not inherited from an OU or the domain: it is applied explicitly to each individual object at the moment the object is created.
Many other AD object classes carry default ACLs (access control lists) in the same way, with the ACEs stamped directly onto every new object rather than flowing down through inheritance. The default comes from the class definition in the schema, and it can be edited so that objects created from then on receive a different ACL. Changing the default does not touch objects that already exist; those still carry the old explicit ACEs and have to be fixed individually.
NOTE: This procedure involves schema modifications. Schema changes are forest-wide, replicate to every domain controller in the forest, and require membership in the Schema Admins group. Please be sure you know what you are doing before attempting to modify the schema.
At the command prompt, type: regsvr32 schmmgmt.dll. This registers the Active Directory Schema snap-in, which does not appear in the MMC snap-in list until it has been registered.
At the command prompt, type: MMC.
In the console, press CTRL-M, click Add and add the "Active Directory Schema" snap-in. Click Close, and then OK.
In the left pane, right click on "Active Directory Schema" and select "Operations Master". Make sure the snap-in is currently connected to the schema master (schema writes are accepted only on that domain controller) and that the check box allowing the schema to be modified on this domain controller is checked. That check box, which sets a registry value, is needed only on Windows 2000; later versions of Windows Server accept schema changes on the schema master without it.
In the left pane, you will see 2 folders: Attributes and Classes. Select "Classes."
In the right pane, find the object class of which you wish to modify the default ACL, and open its property
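The Default Security tab reached through the class's Properties edits the class's defaultSecurityDescriptor attribute, an SDDL string that is stamped onto each new object of that class. The following is an added example, not part of the original tip, that performs the same change from PowerShell for the User class: it removes the SELF ACE that grants write access to the Personal Information property set from the default, and then, because the default only affects objects created afterwards, strips the same explicit ACE from users that already exist. It assumes the RSAT ActiveDirectory module (Windows Server 2008 R2 or later, so not a Windows 2000 tool), an account that is a member of Schema Admins and Domain Admins, and that the ACE to remove is the one for the Personal Information property set, whose rightsGuid is 77b5b886-944a-11d1-aebd-0000f80367c1.

```powershell
# Added example (not from the original tip): tighten the default ACL of the
# User schema class and then fix existing user objects.
# Assumes: RSAT ActiveDirectory module, Schema Admins + Domain Admins rights,
# and that the ACE to drop is SELF ("PS") on the Personal Information
# property set (rightsGuid 77b5b886-944a-11d1-aebd-0000f80367c1).
Import-Module ActiveDirectory

$rootDse      = Get-ADRootDSE
$schemaMaster = (Get-ADForest).SchemaMaster          # schema writes are accepted only here
$classDn      = "CN=User,$($rootDse.schemaNamingContext)"
$personalInfo = [guid]'77b5b886-944a-11d1-aebd-0000f80367c1'

# 1. Read the class's current default security descriptor (an SDDL string).
$class = Get-ADObject -Identity $classDn -Server $schemaMaster -Properties defaultSecurityDescriptor
$sddl  = $class.defaultSecurityDescriptor
Write-Host "Current defaultSecurityDescriptor:`n$sddl"

# 2. Remove every object ACE of the form
#    (OA;<flags>;<rights>;<object guid>;<inherited object guid>;PS)
#    whose object GUID is the Personal Information property set.
$pattern = "\(OA;[^;]*;[^;]*;$($personalInfo.ToString());[^;]*;PS\)"
$newSddl = [regex]::Replace($sddl, $pattern, '',
                            [System.Text.RegularExpressions.RegexOptions]::IgnoreCase)

if ($newSddl -eq $sddl) {
    Write-Warning "No SELF ACE for the Personal Information property set found; default left unchanged."
}
else {
    # Keep a copy of the original SDDL so the change can be reverted.
    $backup = Join-Path $env:TEMP 'User-class-defaultSecurityDescriptor.bak.sddl'
    Set-Content -Path $backup -Value $sddl
    Write-Host "Original SDDL saved to $backup"

    # Sanity check: the edited string must still parse as a security descriptor
    # before it is written into the schema.
    $null = New-Object System.Security.AccessControl.RawSecurityDescriptor($newSddl)

    Set-ADObject -Identity $classDn -Server $schemaMaster `
                 -Replace @{ defaultSecurityDescriptor = $newSddl }
    Write-Host "Default ACL of the User class updated; new users will not get the SELF ACE."
}

# 3. Existing users already carry the explicit ACE; remove it from each of them.
#    Only non-inherited SELF rules scoped to the Personal Information set are touched.
Get-ADUser -Filter * | ForEach-Object {
    $path  = "AD:\$($_.DistinguishedName)"
    $acl   = Get-Acl -Path $path
    $stale = $acl.Access | Where-Object {
        -not $_.IsInherited -and
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.ObjectType -eq $personalInfo
    }
    if ($stale) {
        foreach ($rule in $stale) { $null = $acl.RemoveAccessRule($rule) }
        Set-Acl -Path $path -AclObject $acl
        Write-Host "Removed SELF Personal Information ACE from $($_.DistinguishedName)"
    }
}
```

Run step 3 only after step 2 has replicated, and test the whole script in a lab forest first: the schema write is forest-wide and cannot be undone by restoring a single domain controller. To verify the result, create a new user after the change and inspect its ACL with Get-Acl; the SELF entry for the Personal Information property set should be absent.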