
Re: Granting permissions in ADAM


Lee Flight

Dec 12, 2006, 6:53:45 PM
Hi

To grant read access to users, a good first pass is to add the ADAM Users
role (or a users group that you may have created) to the ADAM Readers role.

To allow the user to update their own information you can grant the
NT AUTHORITY\SELF principal Read Property and Write Property access to
either specific attributes or a property set, e.g. Personal Information.
It's best to choose a suitable point in the directory tree, say the root
of the users part of the tree, and then grant the Users role (or a group
of your own) List Contents on that container and grant inheritable
permissions for the SELF principal on the child object attributes. It's
difficult to give generic examples, but something like:

dsacls \\localhost:389\ou=users,o=myorg /G "cn=users,cn=roles,o=myorg":LC

for List Contents if your users are below ou=users,o=myorg and then

dsacls \\localhost:389\ou=users,o=myorg /G "NT AUTHORITY\SELF:RPWP;;" /I:T

or for say just the properties in the personal information property set

dsacls \\localhost:389\ou=users,o=myorg /G "NT AUTHORITY\SELF:RPWP;personal information;" /I:T


As always, try these things in a test environment first.

Hope that helps
Lee Flight

"abhi_chow" <abhi...@discussions.microsoft.com> wrote in message
news:25E3C70B-FA1E-4996...@microsoft.com...
> Hi,
> To Grant/Deny permissions in ADAM, we need to use the dsacls.exe command in
> the ADAM command prompt.
> I need to provide permissions such that, barring Administrators, all other
> users should have write permissions on only one's own attributes and only
> READ permissions on the attributes of other users.
> Can you please help me in regard to what command should be used in this
> case?
> Any help will be highly appreciated.
>
> Thanks in advance!
> Abhishek.


abhi_chow

Dec 13, 2006, 4:20:00 PM
Thanks Lee. That helped.
Is there a way we can grant or deny permissions to an IP address instead of
a user / group DN or SID?

When I try giving the IP address it throws an error, "No Sid found for
<IP-Address>".

Thanks,
Abhi

Joe Kaplan

Dec 13, 2006, 4:35:09 PM
No, you can't do that. ADAM grants rights based on security principals.
You'd need to do IP address restrictions with a firewall, although the
built-in one in Windows should work for that if you want to use it.

In order to do this with ADAM ACLs, you would most likely want to apply the
ACLs based on the identity of the Windows service account that will run the
web application (unless you are using impersonation/delegation; then it gets
very complex). For example, if you run a web app as NETWORK SERVICE on
MACHINEA, then you would do ACLs based on the domain SID for the MACHINEA
computer account in AD. If the web server is not in a domain, this will
likely get icky, so hopefully you won't try to make that work.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--


"abhi_chow" <abhi...@discussions.microsoft.com> wrote in message

news:802F580E-F4C8-45E0...@microsoft.com...

Javier2893

Dec 18, 2006, 1:11:02 PM
Hi,
My name is Javier and I am new to this ADAM stuff. I was able to sync my AD
to ADAM and do queries with the admin account. However, when I try to query
the ADAM instance I get access denied using the wab.exe program in Windows.
I saw your posting and read the answer from Lee and executed his commands, but
they are not working.
I need to add the Users directory to the Readers role so my users can query
the ADAM instance.
Can you help with the proper command to give the users the proper permissions?
Any help is highly appreciated.
Javier

Lee Flight

Dec 19, 2006, 5:09:26 AM
Hi

The commands posted are examples of how you might restrict access so that
only an ADAM user could update their own object.

For an address book the standard permissions on the ADAM Readers role for
the application partition are probably all you need.

So if you are binding to the address book with ADAM users then add the
cn=users,cn=roles,<application partition name here>
role to the
cn=Readers,cn=Roles,<application partition name here>
role.

If you also need to allow Windows/domain users to query the address book, add
the (NT AUTHORITY) Windows Authenticated Users group to the Readers role.
See "Add or remove members to or from an ADAM group" in the ADAM Help.


Lee Flight

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message
news:8D2BFA21-2F21-4867...@microsoft.com...

Javier2893

Dec 19, 2006, 2:56:01 PM
Hi Lee,
I was able to execute the command:

this is my output:
C:\WINDOWS\ADAM>dsacls \\localhost:389\cn=users,cn=roles,dc=synctargetdc,dc=com /G "cn=Readers,CN=Roles,dc=synctargetdc,dc=com":LC
Owner: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
Group: CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com

Access list:
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS
LIST CONTENTS
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow CN=Administrators,CN=Roles,DC=SyncTargetDC,DC=com
FULL CONTROL <Inherited from parent>

The command completed successfully
Then I try to add Authenticated Users to the Readers group and it comes
up with the following error:
A directory service error has occurred.
Any help?
Thanks,
Javier

Lee Flight

Dec 19, 2006, 3:42:41 PM
Hi

The dsacls command is not required here; it was an example for the discussion
that started this thread. As before, the standard Readers permissions should be
adequate, as the output of dsacls shows below.

To add Authenticated Users to the Readers role you can use ADSIEdit:
bring up the properties of
CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com

edit the member attribute, Add Windows Account..., type Authenticated
and then hit Check Names - that should give you Authenticated Users, then
OK...

Lee Flight

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:CBD078B1-B390-407B...@microsoft.com...

Javier2893

Dec 19, 2006, 4:05:00 PM
Hi Lee,
Did that, using ADSIEdit brought up my settings:
CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
Right click on the Readers and choose the member option, click on Add Windows
Account, type Authenticated Users and choose the computer that has ADAM
installed.
It searches and finds the Authenticated Users NT AUTHORITY container with the
SID number and all. When I click on OK to apply the changes it comes up with
"A directory service error has occurred".
Any thoughts on that error?
thanks,

Lee Flight

Dec 19, 2006, 4:58:24 PM
Hi

It's difficult to know what would cause that. Are you able to add any other
groups successfully? Are you using an ADAM administrator account?

Lee Flight

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:9A9158AA-6CA3-4CCE...@microsoft.com...

Javier2893

Dec 20, 2006, 9:43:00 AM
Yes, I am using an ADAM admin to do this step.
As a matter of fact it is the only account that can query the address book.
I tried to add another group to the Readers role using ADSIEdit but it
comes down with the same error:
A directory service error has occurred. I have another instance that I was
able to sync, and then following the steps from Eric I modified my XML file to
convert my users into proxy users; the command completed successfully, and I
noticed that my Windows account has the userProxy title and I was able to add
that account in particular to the Readers role. However, when I try to add any
other account it comes down with the following error:
The attribute cannot be modified because it is owned by the system.
These are two different instances running on two different Windows 2003
standalone servers, and part of my domain.
Hope you have seen this before,

Lee Flight

Dec 20, 2006, 3:20:28 PM
Hi

I have not seen this kind of problem before. The attribute owned
by the system error -- was it really the member attribute that you were
trying to update (not say memberof)?

Maybe we can get some more information if you try using an ldf file
to add the Authenticated Users group to the Readers role. Create an
ldf file containing

dn: CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com
changetype: modify
add: member
member:: PFNJRD1TLTEtNS0xMT4=
-

save as authusers.ldf and import with

ldifde -i -f authusers.ldf -s <adamserver>:<adamport>

What happens? You might want to create yourself a clean ADAM
instance for testing this.

Lee Flight

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:51425FB1-24B2-46FC...@microsoft.com...

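The ldf record above written out by a small script, added here as an example in Python and not code from the thread; the role DN is the one used in the thread, and the base64 value is the standard LDIF "::" encoding of the literal <SID=S-1-5-11> (Authenticated Users).

```python
"""Build and decode the LDIF record that adds a Windows security principal
to an ADAM role by SID, as in the authusers.ldf in the thread (added example,
not code from the thread).

ADAM resolves a member value written as <SID=S-1-5-11>; because the value
contains '<' and '>' it has to be base64-encoded in LDIF, which is what the
'member::' double colon means (RFC 2849).
"""
import base64
import re

# Well-known SID the thread adds: Authenticated Users.
AUTHENTICATED_USERS_SID = "S-1-5-11"

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def encode_member_sid(sid):
    """Return the base64 value for a member given as <SID=...>."""
    if not _SID_RE.match(sid):
        raise ValueError("not a SID string: %r" % sid)
    return base64.b64encode(("<SID=%s>" % sid).encode("ascii")).decode("ascii")


def decode_member_value(b64):
    """Decode a 'member::' value back to the <SID=...> text ldifde sends."""
    return base64.b64decode(b64).decode("ascii")


def role_member_ldif(role_dn, sid):
    """LDIF modify record adding the SID to the role's member attribute."""
    return "\n".join([
        "dn: %s" % role_dn,
        "changetype: modify",
        "add: member",
        "member:: %s" % encode_member_sid(sid),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Role DN from the thread; the output is what authusers.ldf should contain.
    print(role_member_ldif("CN=Readers,CN=Roles,DC=SyncTargetDC,DC=com",
                           AUTHENTICATED_USERS_SID))
```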

Javier2893

Dec 20, 2006, 4:13:01 PM
Hi Lee,
Did that and this is the output, brand new instance.
C:\WINDOWS\ADAM>ldifde -i -f authusers.ldf -s localhost:389
Connecting to "localhost:389"
Loggin in as current user using SSPI
Importing directory from file "authusers.ldf"
Loading entries.
Add error on line 11: Operations Error
The server side error is: 0x2095 A directory service error has occurred.
The extended server error is:
00002095: SvcErr: DSID-032A08FC, problem 5012 (DIR_ERROR), data 6

0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please specify
the log file path via the -j option.
One more question, sorry to be a pain about this ADAM thing, but I know I am
close to getting this one going.
Here it is: if you follow the instructions on how to configure your wab.exe
to be able to query, they tell you to add the following info:
General Tab:
Server name: myserver
Check the: This server requires me to log on
Account name: domain/account
Password: mypassword
Check the: Log on using Secure Password Authentication
Advanced Tab:
Search base: DC=synctargetdc,DC=com
Check the: Use simple search filter
The configuration above works with the account used to install ADAM. If I
create an ADAM user, how should I configure my settings on my Windows Address
Book?

Javier2893

Dec 21, 2006, 9:07:01 AM
Hi Lee,
Hope you have the time to check my post from yesterday; I entered the output
of the step you told me to perform.
Thanks,
javier

Lee Flight

Dec 21, 2006, 6:20:54 PM
Hi

I got help decoding the DSID error (thanks Dmitri) and that gave me a hint
how to repro your problem.

I believe that the problem is that ADAMSync is syncing the
ForeignSecurityPrincipals container from AD; unfortunately the way that it
does this is not usable in your ADAM instance [1]. This is significant because
the attempt to add Authenticated Users to the Readers role makes use of the
FSP container.

As a workaround I would try removing the
CN=ForeignSecurityPrincipals,DC=SyncTargetDC,DC=com
container from your ADAM application partition and then
try adding the Authenticated Users to the Readers Role again.
That should create a usable FSP container for you.

As ever try this in a test instance,
Lee Flight

[1] the wellKnownObjects attribute on the NC head is not updated
to add the reference to the FSP.

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:D6ED91FB-09A9-4BB3...@microsoft.com...

Javier2893

Dec 27, 2006, 12:48:00 PM
Hi Lee,
After I removed the ForeignSecurityPrincipals folder I was able to add the
Authenticated Users group to my ADAM Readers, so that solved the problem,
because all I need is for some people to query the Windows Address Book.
Last question,
this is about using one single ADAM user as an option. Let's say I create
an ADAM user and add that one to the Readers group; how should I configure my
settings so I can have the ADAM user be able to query the address book?
Thanks and I really appreciate your time and cooperation,

Lee Flight

Dec 28, 2006, 2:02:59 PM
Hi

With your ADAM account in the Readers role you should be good to go, so I'm
not sure what you're asking. If you want to test it using Windows Address Book
(WAB) you will need to create a directory account in WAB. For the account name
use the distinguishedName of your ADAM reader account, uncheck the "Log on
using SPA" on the General tab of the directory service in WAB and under
Advanced set the Search base to your application naming context.

If it is WAB that you are planning on using then WAB has lots of issues...
no easy way to distribute account information to clients, and WAB no longer
exists in Vista.

Lee Flight


"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:968E06DE-C154-4AA0...@microsoft.com...

Javier2893

Jan 5, 2007, 10:20:00 AM
Hi Lee, hope you had a good time during the holidays.
Thanks for the info about the ADAM account and WAB. Do you know about any
other program that allows users to perform queries on the ADAM instance?
Something free would be great; for now our users have to use WAB, and I don't
think there is an upgrade to Vista any time soon.
Thanks again for your time and cooperation,

Lee Flight

Jan 8, 2007, 9:09:42 AM
Hi

If WAB does what you want and is supported on your OS then you are OK.
I do not recall any free AB software; I have seen some commercial offerings.
I think it's a case of googling to see what you can find or developing your
own.

Lee Flight

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:A07D66E8-E830-4214...@microsoft.com...

Javier2893

Jan 22, 2007, 4:17:01 PM
Hi Lee,
I would like to ask you a question about transforming users into userProxy objects.
I synced my AD, with your help of course, and followed the instructions on Eric's
website: modified my XML and re-ran the sync. Checking my user properties and
trying to compare the objectClass settings, I noticed that userProxy is not in my
objectClass values.
I tried to add the value manually and it comes up with the following error:
The specified class is not a subclass.
Here are the exact settings in my XML; of course I changed erictest.local
to my settings:
<?xml version="1.0"?>
<doc>
<configuration>
<description>sample Adamsync configuration file</description>
<security-mode>object</security-mode>
<source-ad-name>erictest.local</source-ad-name>
<source-ad-partition>dc=erictest,dc=local</source-ad-partition>
<source-ad-account></source-ad-account>
<account-domain></account-domain>
<target-dn>ou=SyncTargetOU</target-dn>
<query>
<base-dn>dc=erictest,dc=local</base-dn>
<object-filter>(objectCategory=person)</object-filter>
<attributes>
<include>objectSID</include>
<include>sourceObjectGuid</include>
<include>lastAgedChange</include>
<exclude></exclude>
</attributes>
</query>
<user-proxy>
<source-object-class>user</source-object-class>
<target-object-class>userProxy</target-object-class>
</user-proxy>
</configuration>
</doc>
Thanks and I really appreciate any help on this matter.
Javier2893

Lee Flight

Jan 23, 2007, 6:45:17 AM
Hi

We really need a new thread for this question... anyway,
you say "re run the sync" - if you have performed a sync before
from AD into your ADAM application naming context then you
will not be able to transform the objectClass subsequently.
Try creating a clean ADAM instance, extending the schema
with the ms-userproxy.ldf, and running your sync into that
new instance; you should get userProxy objects for your
source users.

Note you cannot add structural classes to objectClass, user and
userProxy are different structural classes so you cannot have
both for an object instance.

Lee Flight

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:1FECA681-E56A-404B...@microsoft.com...

Javier2893

Feb 14, 2007, 10:37:05 AM
Hi Lee,
I would like to ask you a question about hiding OUs or folders in ADAM. Is
there any attribute that you can enable or disable? For example, I do have
an OU called Service Accounts that I do not want to be queried.
As of today, and with your help, my ADAM is running properly; I was just
wondering about excluding information during the query.

Lee Flight

Feb 14, 2007, 7:09:47 PM
Hi

You can do most things with permissions; ideally you want to have the
directory tree structured in such a way that you can apply inherited allow
permissions at a point where you know that objects below that point all
want those permissions.

If you give more detail of your structure we might be able to give options.

Lee Flight

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:A2DE23C7-1379-490E...@microsoft.com...

Javier2893

Feb 15, 2007, 10:13:57 AM
Hi Lee,
Here are my settings now: I created an ADAM user and added him to the Readers
group; however, if I do it this way this user is querying everything. I would
like this user to query only the Users folder and another OU that contains
branch information. I synced all my AD so it looks like this:
Mydomain.com
Builtin
Computers
Disabled Accounts (OU)
Domain Controllers (OU)
Domain Admins (OU)
Foreign Security Principals
LostAndFound
Microsoft Exchange System Objects
MS Exchange (OU) *****
NTDS Quotas
Octel
Program Data
ServiceAccts (OU)
System
Users *****
I want my ADAM reader to be able to query only the MS Exchange OU and the
Users folder. I don't know if you can define those two things on the search
base or assign permissions to those two things and prevent the ADAM user from
reading the rest of the directories.
Thank you,

Lee Flight

Feb 15, 2007, 5:49:50 PM
Hi

Thanks, that helps. If that tree is being built by a sync (ADAMSync?) then
you do not have much scope for restructuring.

What you can try is:

[1] remove your user from the Readers role
[2] create a new group and add your user to that group
[3] grant that group List Children permission on the root of the tree
[4] grant that group Generic Read permission and set inheritance on the OUs
you want to be searchable

So if your new group is
cn=myreaders,cn=roles,dc=mydom

[3] looks like

dsacls \\localhost:389\dc=mydom /G "cn=myreaders,cn=roles,dc=mydom":LC;;

[4] looks like, for your users OU

dsacls \\localhost:389\ou=users,dc=mydom /G "cn=myreaders,cn=roles,dc=mydom":GR;; /I:T

that's all one line, ignore line wraps.

Note that the user will still be able to see the names of the other OUs
(it's possible but painful to work around that).

As ever, try this in a test ADAM instance first.

Lee Flight

"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:36C2B504-BA54-4347...@microsoft.com...
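A small builder for the dsacls lines in steps [3] and [4], added here as an example in Python and not code from the thread; it emits the \\server:port\DN object path dsacls expects and checks the DN before anything is run, using the thread's placeholder server, port and DNs (the function names are mine).

```python
r"""Build dsacls grant commands for an ADAM instance and sanity-check the
object path before running them (added example, not code from the thread).

dsacls addresses ADAM objects as \\server:port\DN and takes a grant as
"principal:rights;objectType;inheritedObjectType" (both type fields may be
empty), with /I:T to apply the ACE to the object and its whole subtree,
which is the shape of the commands posted in the thread.
"""
import re

# Attribute types that appear in the DNs used in this thread.
_RDN_RE = re.compile(r"^(cn|ou|dc|o)=[^,=]+$", re.IGNORECASE)
# \\server[:port]\DN with two leading backslashes, as dsacls requires.
_PATH_RE = re.compile(r"^\\\\([^\\:]+)(?::(\d+))?\\(.+)$")


def valid_dn(dn):
    """True if every comma-separated RDN looks like attr=value."""
    return all(_RDN_RE.match(p.strip()) for p in dn.split(","))


def check_object_path(path):
    r"""Return (server, port, dn) for a \\server:port\DN path or raise ValueError.
    A path with a single leading backslash, like the one in the failed command
    later in the thread, is rejected here instead of by the server."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError("object path must look like \\\\server:port\\DN: %r" % path)
    server, port, dn = m.groups()
    if not valid_dn(dn):
        raise ValueError("invalid DN syntax: %r" % dn)
    return server, (int(port) if port else None), dn


def dsacls_grant(server, port, dn, principal, rights,
                 object_type="", inherited_type="", inherit_tree=False):
    """Return one dsacls /G command line; rights is e.g. LC, GR or RPWP."""
    if not valid_dn(dn):
        raise ValueError("invalid DN syntax: %r" % dn)
    path = "\\\\%s:%d\\%s" % (server, port, dn)
    grant = '"%s:%s;%s;%s"' % (principal, rights, object_type, inherited_type)
    cmd = "dsacls %s /G %s" % (path, grant)
    return cmd + " /I:T" if inherit_tree else cmd


def restricted_reader_commands(server, port, root_dn, group_dn, searchable_ous):
    """Steps [3] and [4] of the thread's procedure: List Children on the root,
    then inheritable Generic Read on each OU that should be searchable."""
    cmds = [dsacls_grant(server, port, root_dn, group_dn, "LC")]
    for ou_dn in searchable_ous:
        cmds.append(dsacls_grant(server, port, ou_dn, group_dn, "GR",
                                 inherit_tree=True))
    return cmds


if __name__ == "__main__":
    # Constructed sample using the placeholder names from the thread.
    for c in restricted_reader_commands("localhost", 389, "dc=mydom",
                                        "cn=myreaders,cn=roles,dc=mydom",
                                        ["ou=users,dc=mydom"]):
        print(c)
```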

Javier2893

Feb 16, 2007, 11:37:17 AM
Hi Lee
As per your instructions I removed my user from the Readers role and
created a new group under CN=Roles to reflect your example:
cn=myreaders,cn=roles,dc=mydom,dc=com
I followed the instructions from ADSIEdit on how to create a new group:
1) select a new value, typed myreader (group)
2) in groupType entered 2147483650 (representing an account group)
Executed the following command:
C:\WINDOWS\ADAM>dsacls \localhost:389\dc=mydom,dc=com /G
"cn=myreaders,cn=roles,
dc=mydom,dc=com":LC;;

Specified operation failed with ldap error:
0000208F: LdapErr: DSID-0C090654, comment: Error processing name,
data
0, vece
Invalid DN Syntax
.
The parameter is incorrect.

The command failed to complete successfully.

Lee Flight

Feb 19, 2007, 5:07:50 PM
Hi

Looks like you have a naming error; check the naming context and group
names in your dsacls command line. If you use a test instance then you
could try just using one of the built-in roles, e.g. Readers, to perfect
your dsacls command lines.

Lee Flight


"Javier2893" <Javie...@discussions.microsoft.com> wrote in message

news:3DF0CCEB-E2C7-438A...@microsoft.com...
