Tony your advice was spot on.  Changing the values as suggested got me what
I wanted.

Now I can add anything I like to the Permissions list in the dialogue box
(and, in fact, remove those I don't like!), which means that we can stick
with a standard and easily understandable interface.

Many thanks,

Andy

----- Original Message -----
From: "Tony Murray" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, November 12, 2002 10:59 AM
Subject: Re: [ActiveDir] Granular permissions : user objects


> Not every property of an object is listed in the Active Directory Users
> and Computers interface.  The number of properties is quite large so the
> interface only displays those that are commonly used for controlling access.
> This makes the list easier to manage.
>
> The list of filtered object types and properties is kept in the file,
>
>  %systemroot%\System32\Dssec.dat
>
> You can modify the behavior of the filter by changing the values
> associated with the properties.  For example, if you wanted to delegate the
> right to unlock accounts you first need to change the value of the
> lockoutTime entry in the [user] section of the file from lockoutTime=7 to
> lockoutTime=0.
>
> To make the last name property visible, I believe you need to change the
> value of "sn" in the [user] section of the file from 7 to 0.  I have not
> tested this however.
>
> You have the following choices to specify values:
>
> Property=7: The property is not included.
> Property=6: "Read property" is included.
> Property=5: "Write property" is included.
> Property=0: Both "Read property" and "Write property" are included.
> The property is not included in DSSec.Dat: Both "Read property" and "Write
> property" are included.
>
> You must modify the Dssec.dat file on the computer on which you are
> running ADUC.  It is a good idea to make a copy of the file first before
> making any changes.
>
> For further reading on this, please see the following Microsoft documents:
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/deploy/confeat/securead.asp
>
> http://support.microsoft.com/default.aspx?scid=kb;EN-US;q294952
>
> Tony
> ---------- Original Message ----------------------------------
> From: "Andy Grafton" <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> Date: Tue, 12 Nov 2002 10:27:17 +0100
>
> Hi, all.
>
> Active Directory, Windows 2000, SP3, no exchange prep.
>
> Please restrain yourselves from asking "*why* do you want to do this?".  If
> you'd like to know, give me a shout offlist.
>
> I need to grant permissions for SELF to change the First Name and Last Name
> (givenName, sn in LDAP notation) attributes in AD.
>
> My worry is that in the granular permissions settings for a user object, I
> can't see any reference to Last Name (nor Surname, nor any other
> "aliases" I am familiar with).
>
> I can see and set (amongst the numerous other permissions settings)
> Read First Name
> Write First Name
> Read Middle Name
> Write Middle Name
> ... even the oh-so-useful ...
> Read/Write International ISDN number (others)
>
> ... but try as I might, I can't find the switch for the Last Name field.
>
> I can presumably work around it by giving SELF permissions to "Write
> Personal Information", and then denying the things which I don't want them
> to be able to change, but that doesn't seem very elegant or intuitive.
>
> Is that the way it should be?
>
> I've looked in vain for documentation and can't find anything.  I've looked
> in a couple of other domains and the situation is the same, even when
> including Exchange Schema extensions.
>
> The way I'm getting to the permissions is via the AD U&C plugin for MMC.
>
> Right click user object -> properties
> security tab
> advanced...
> add...
> SELF
> properties tab
>
> If anyone knows what happened to the Last Name switch, or whether it's simply
> not supposed to be there, please let me know!
>
> All the best,
>
> Andy
>
> List info   : http://www.activedir.org/mail_list.htm
> List FAQ    : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

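An added example, not code from the thread: this PowerShell function reads the [user] section of Dssec.dat and decodes each entry with the value table Tony quoted (7 hidden, 6 read shown, 5 write shown, 0 both, absent means both), so you can see what the ADUC security dialog will offer for a property before editing the file. It assumes the file is a plain INI-style text file of `[section]` headers and `name=number` lines; note that Dssec.dat is only a display filter for ADUC and does not change the ACL on the object.

```powershell
# Added example (not from the thread). Dssec.dat filters what the ADUC
# security dialog shows; it does not grant or remove any permission.
function Get-DssecVisibility {
    param(
        [string]$Path = "$env:SystemRoot\System32\Dssec.dat",
        [string]$ObjectClass = 'user',
        [string[]]$Property = @()   # optional: report only these attributes
    )
    # Value table as quoted in the thread.
    $meaning = @{
        7 = 'hidden (neither Read nor Write shown)'
        6 = 'Read property shown'
        5 = 'Write property shown'
        0 = 'Read and Write property shown'
    }
    # Collect name=value entries of the [ObjectClass] section only.
    # Assumption: INI-style text, [section] headers, name=number lines.
    $entries   = @{}
    $inSection = $false
    foreach ($raw in Get-Content -LiteralPath $Path) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            $inSection = ($Matches[1] -eq $ObjectClass)
            continue
        }
        if ($inSection -and $line -match '^([^=;]+?)\s*=\s*(\d+)$') {
            $entries[$Matches[1]] = [int]$Matches[2]
        }
    }
    $names = if ($Property.Count) { $Property } else { $entries.Keys | Sort-Object }
    foreach ($name in $names) {
        if ($entries.ContainsKey($name)) {
            $value = $entries[$name]
            $text  = if ($meaning.ContainsKey($value)) { $meaning[$value] }
                     else { "undocumented value $value" }
        } else {
            # Per the quoted table, a property absent from the file shows both.
            $value = $null
            $text  = 'not listed: Read and Write property shown'
        }
        [pscustomobject]@{
            ObjectClass = $ObjectClass; Property = $name
            Value = $value;             Visibility = $text
        }
    }
}

# Check the attributes discussed in the thread on the machine running ADUC.
Get-DssecVisibility -Property sn, givenName, lockoutTime | Format-Table -AutoSize
```

Run it before and after editing Dssec.dat to confirm the entry you changed is the one the dialog now exposes; a property reported as hidden can still carry an ACE granted by other tools, the dialog simply will not display it.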