
Change default ACL for Active Directory objects

It is possible to modify the default ACL that is created upon creation of a new Active Directory object. Here is the step-by-step process.

By default, all Windows 2000 users are allowed to modify their personal info (telephone number and such) in Active Directory. You cannot easily deny them this right by using AD Users and Computers, since the permissions to modify these attributes are not inherited -- they are applied directly on each individual object.

Many other AD objects have default ACLs (access control lists) that are applied explicitly on the object rather than inherited from its parent. It is possible to modify the default ACL that is created upon creation of a new AD object.

NOTE: This procedure involves schema modifications. Please be sure you know what you are doing before attempting to modify the schema.

  • At the command prompt, type: regsvr32 schmmgmt.dll. This will register the schema management snap-in.

  • At the command prompt, type: MMC.

  • In the console, press Ctrl+M, click Add and add the "Active Directory Schema" snap-in. Press Close, and then OK.

  • In the left pane, right-click "Active Directory Schema" and select "Operations Master". Make sure the snap-in is currently connected to the schema master and that the check box allowing the schema to be modified is checked.

  • In the left pane, you will see 2 folders: Attributes and Classes. Select "Classes."

  • In the right pane, find the object class whose default ACL you want to modify, and open its property sheet. Switch to the "Security" tab.

    You are now looking at the default ACL. If you modify it, wait around 15 minutes, and any new object of that class created after that will receive your new default ACL. Objects that already exist are not changed.
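The same change can be scripted with the ActiveDirectory PowerShell module. The script below is an added example, not part of the original article: it reads the class's defaultSecurityDescriptor attribute (the SDDL string behind the snap-in's Security tab), backs it up, and removes the ACEs that let SELF write the Personal-Information property set, which is what the article's telephone-number scenario calls for. The property-set GUID, the backup path and Schema Admins membership on the schema master are assumptions.

```powershell
# Added example (not the article's own steps): edit a schema class's default ACL from PowerShell.
# Assumes RSAT ActiveDirectory module, Schema Admins membership, and a reachable schema master.
Import-Module ActiveDirectory

$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# The default ACL of a class is stored as an SDDL string in defaultSecurityDescriptor.
$class = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties defaultSecurityDescriptor

# Keep the original string so the change can be reverted.
$class.defaultSecurityDescriptor | Out-File "$env:TEMP\user-defaultSD-backup.sddl"

# Parse the SDDL into an editable security descriptor.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($class.defaultSecurityDescriptor)

# Personal-Information property set (assumed GUID; confirm it in your forest's Extended-Rights container).
$personalInfo = [Guid]'77b5b886-944a-11d1-aebd-0000f80367c1'
$writeProp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

# Find every Allow ACE that grants SELF WriteProperty on that property set.
$selfWrite = $sd.Access | Where-Object {
    $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
    $_.ObjectType -eq $personalInfo -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.ActiveDirectoryRights -band $writeProp) -ne 0)
}
$selfWrite | Format-Table IdentityReference, ActiveDirectoryRights, ObjectType

# Remove them from the default ACL.
foreach ($ace in $selfWrite) { [void]$sd.RemoveAccessRule($ace) }

# Write the new default back. It applies only to objects created after the schema cache refreshes;
# existing user objects keep the ACL they already have.
Set-ADObject -Server $schemaMaster -Identity $class `
    -Replace @{ defaultSecurityDescriptor = $sd.GetSecurityDescriptorSddlForm('All') }
```

Run the script once against a test forest first and compare the backup file with the new attribute value before doing the same in production.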
