September 2003
Intermediate to advanced
624 pages
15h 49m
English
Content preview from Active Directory CookbookBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
14.11. Changing the Default ACL for an Object Class in the Schema
Problem
You want to change the default ACL for an object class in the schema.
Solution
Using a graphical user interface
Open the Active Directory Schema snap-in.
In the left pane, browse to the class you want to modify.
Right-click on it and select Properties.
Select the Default Security tab.
Use the ACL Editor to change the ACL.
Click OK.
Tip
The Default Security tab is available only in the Windows Server 2003 version of the Active Directory Schema snap-in. See MS KB 265399 for the manual approach that is needed with Windows 2000.
Discussion
Each instantiated object in Active Directory has an associated
structural class that defines a default security descriptor
(
defaultSecurityDescriptor attribute).
When an object is created, the default security descriptor is applied
to it. This, along with inheritable permissions from the parent
container, determines how an object’s security
descriptor is initially defined.
See Also
Recipe 14.12 for comparing the ACL of an object to the default defined in the schema, Recipe 14.13 for resetting the ACL of an object to that defined in the schema, and MS KB 265399 (HOW TO: Change Default Permissions for Objects That Are Created in the Active Directory)