You want to change the default ACL for an object class in the schema.
Open the Active Directory Schema snap-in.
In the left pane, browse to the class you want to modify.
Right-click on it and select Properties.
Select the Default Security tab.
Use the ACL Editor to change the ACL.
The Default Security tab is available only in the Windows Server 2003 version of the Active Directory Schema snap-in. See MS KB 265399 for the manual approach that is needed with Windows 2000.
Each instantiated object in Active Directory has an associated
structural class that defines a default security descriptor
When an object is created, the default security descriptor is applied
to it. This, along with inheritable permissions from the parent
container, determines how an object’s security
descriptor is initially defined.