HOW TO: Change Default Permissions for Objects That Are Created in the Active Directory (265399)


The information in this article applies to:

  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
This article was previously published under Q265399

IN THIS TASK

This step-by-step article describes how to modify Active Directory object attributes. The example in this article changes the defaultSecurityDescriptor attribute of the Organizational Unit object to remove the Read permission from the members of the Authenticated Users group.

Caution Microsoft recommends that you use caution if you modify the Active Directory schema. This operation is an advanced operation that is best performed programmatically by experienced programmers and system administrators. For detailed information about how to modify the Active Directory schema, see the Active Directory Programmer's Guide. To do so, visit the following Microsoft Web site:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/adsi/active_directory.asp

back to the top

Enable Write Operations to Schema

  1. Log on to your computer with an account that is a member of the Schema Administrators group.
  2. Install the Active Directory Schema snap-in. To do so, double click the I386\Adminpak.msi file on your Windows 2000 Server CD-ROM. For more information about how to install the Active Directory schema snap-in, visit the following Microsoft Web site:

    http://www.microsoft.com/windows2000/en/server/help/schmmgmt_install_snapin.htm

    Note If you cannot install the Administration Pack from the Windows 2000 Server CD-ROM, copy the Adminpak.msi file to your desktop, and then double-click the Adminpak.msi file.

    For additional information about the Administration Pack, click the following article number to view the article in the Microsoft Knowledge Base:

    314978 How to use Adminpak.msi to install a specific server administration tool in Windows

  3. To start the Active Directory Schema snap-in, click Start, click Run, type schmmgmt.msc in the Open box, and then press ENTER.
  4. Right-click Active Directory Schema, and then click Operations Master.
  5. Click to select the The Schema may be modified on this Domain Controller check box, and then click OK.
back to the top

Modify the Security Descriptor Attribute

  1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.

    Note To install Windows 2000 Support Tools, double-click Setup.exe in the Support\Tools folder on your Windows 2000 Server CD-ROM.
  2. In ADSI Editor, expand the Schema naming context, and then click the CN=Schema,CN=Configuration,DC=DomainName,DC=com node.
  3. In the right pane, right-click CN=Organizational-Unit, and then click Properties. This opens the CN=Organizational-Unit Properties dialog box.
  4. In the Select which properties to view box, click Optional.
  5. In the Select a property to view box, click defaultSecurityDescriptor.
  6. Right-click in the Value(s) box, and then click Select All. Press CTRL+C to copy the string.
  7. Start Notepad, and then click Paste on the Edit menu.
  8. Examine the content. Locate, and then delete the following string:

    (A;;RPLCLORC;;;AU)

    .
  9. Press CTRL+A to select the whole contents, press CTRL+C to copy it, and then press CTRL+V to put the contents into the Edit Attribute box in the CN=Organizational-Unit Properties dialog box. Click Set, and then click OK.
  10. In the Active Directory Schema snap-in, right-click Active Directory Schema, and then click Reload the schema. Quit the Active Directory Schema snap-in.
back to the top

REFERENCES

321476 How to Change the Default Permissions on Group Policy Objects in Windows 2000

back to the top
Modification Type:MajorLast Reviewed:8/14/2006
Keywords:kbhowto KB265399
©2004 Microsoft Corporation. All rights reserved.