Managing Authorization in ADAM

Applies To: Windows Server 2003 R2

Authorization refers to the process of determining which users have access to which directory objects. As with Active Directory, access control lists (ACLs) on each directory object determine which users have access to that object. By default, the only ACLs in ADAM reside in the top-level container of each directory partition. All objects in a given directory partition inherit these ACLs. Using the Dsacls.exe command-line tool, you can view and modify the default ACLs in ADAM, and you can add additional ACLs. In the following exercises, you view and modify ADAM ACLs.

Note

You may have directory-enabled applications that implement their own custom authorization schemes. These applications generally disregard the ACLs on ADAM directory objects.

Viewing Effective Permissions

In this exercise, you view the effective permissions on the o=Microsoft,c=US directory partition.

To view effective permissions

  1. Click Start, point to All Programs, point to ADAM, and then click ADAM Tools Command Prompt.

  2. At the command prompt, type the following, and then press ENTER:

    dsacls \\servername:portnumber\O=Microsoft,C=US

    where servername:portnumber is the computer name and the LDAP communications port of your ADAM instance.

This command lists all the permissions that are currently set on the directory partition object. Your screen should contain output similar to the following:

Access list:
Effective Permissions on this object are:
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                      SPECIAL ACCESS
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                      Replicating Directory Changes
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                      Replication Synchronization
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                      Manage Replication Topology
Allow CN=Instances,CN=Roles,CN=Configuration,CN={C98CA450-AC25-4BC1-AC3C-C3BEC88B335E}
                                      Replicating Directory Changes All

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL

The command completed successfully

Granting Permissions

In this exercise, you grant the Delete permission on the ADAM testers group object to the Mary Baker account.

To grant the Delete permission

  1. Click Start, point to All Programs, point to ADAM, and then click ADAM Tools Command Prompt.

  2. At the command prompt, type the following:

    dsacls "\\servername:portnumber\CN=ADAM testers,OU=ADAM users,O=Microsoft,C=US" /G "CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US":SD;;

    where servername:portnumber represents the computer name and LDAP communications port of your ADAM instance. Be sure to use an uppercase G when typing the /G parameter, and use quotation marks as shown.

Your screen should contain output similar to the following:

Access list:
Effective Permissions on this object are:
Allow CN=Mary Baker,OU=ADAM users,O=Microsoft,C=US
                                      SPECIAL ACCESS
                                      DELETE
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL   <Inherited from parent>

The command completed successfully

Denying Permissions

In this exercise, you deny Delete permissions for the currently logged on user in the ADAM testers group. This is done in two phases:

  • Deny delete permissions on the parent container of the ADAM testers group

  • Deny delete permissions on the group itself

To deny the Delete permissions on the parent container of a group

  1. Click Start, point to All Programs, point to ADAM, and then click ADAM Tools Command Prompt.

  2. To deny the Delete, Delete Child, and Delete Tree permissions on the parent container of the ADAM testers group (the ADAM users OU), at the command prompt, type the following:

    dsacls "\\servername:portnumber\OU=ADAM users,O=microsoft,C=US" /D domain\administrator:SDDCDT;;

    where servername:portnumber represents the computer name and LDAP communications port of your ADAM instance, and domain\administrator represents the account with which you are currently logged on. Be sure to use an uppercase D when typing the /D parameter, and use quotation marks as shown.

Your screen should contain output similar to the following:

Access list:
Effective Permissions on this object are:
Deny  domain\account                  SPECIAL ACCESS
                                      DELETE
                                      DELETE CHILD
                                      DELETE TREE
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL   <Inherited from parent>

The command completed successfully

To deny delete permissions on the group

  1. Click Start, point to All Programs, point to ADAM, and then click ADAM Tools Command Prompt.

  2. To deny the Delete permission on the ADAM testers group for the currently logged on user, at the command prompt, type the following:

    dsacls "\\servername:portnumber\CN=ADAM testers,OU=ADAM users,O=microsoft,C=US" /D domain\administrator:SDDCDT;;

    where servername:portnumber represents the computer name and LDAP communications port of your ADAM instance, and domain\administrator represents the account with which you are currently logged on. Be sure to use an uppercase D when typing the /D parameter, and use quotation marks as shown.

Your screen should contain output similar to the following:

Access list:
Effective Permissions on this object are:
Deny  domain\account                  SPECIAL ACCESS
                                      DELETE
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL   <Inherited from parent>

The command completed successfully
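The listings that dsacls prints in the viewing, granting and denying exercises above are the only record this page gives of each object's ACL, so turning them into structured ACEs makes it easy to audit which trustee ends up with a right such as DELETE after a grant or a deny. The following Python script is an added example; it is not part of this page or of the dsacls tool. The sample text is the listing shown after the deny step on the ADAM users OU, embedded as a constructed string, and the precedence model it applies (explicit Deny before explicit Allow, then inherited Deny before inherited Allow, with FULL CONTROL covering every right and trustees compared as literal strings without resolving role or group membership) is a simplification assumed here, not something dsacls itself reports.

```python
"""Parse dsacls.exe listings into ACEs and evaluate a right for one trustee."""
import re
from dataclasses import dataclass, field

# Constructed sample: the listing the page shows after denying Delete,
# Delete Child and Delete Tree on OU=ADAM users for the logged-on account.
SAMPLE_DENY_OU = """\
Access list:
Effective Permissions on this object are:
Deny  domain\\account                  SPECIAL ACCESS
                                      DELETE
                                      DELETE CHILD
                                      DELETE TREE
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,O=Microsoft,C=US
                                      SPECIAL ACCESS   <Inherited from parent>
                                      READ PERMISSONS
                                      LIST CONTENTS
                                      READ PROPERTY
                                      LIST OBJECT
Allow CN=Administrators,CN=Roles,O=Microsoft,C=US
                                      FULL CONTROL   <Inherited from parent>

The command completed successfully
"""

INHERITED_TAG = "<Inherited from parent>"


@dataclass
class Ace:
    kind: str                # "Allow" or "Deny"
    trustee: str             # DN or domain\account exactly as dsacls prints it
    section: str             # "effective" (this object) or "subobjects"
    inherited: bool = False  # carries the <Inherited from parent> tag
    rights: list = field(default_factory=list)


def _add_right(ace, text):
    """Record one right line; SPECIAL ACCESS is only a header, not a right."""
    if INHERITED_TAG in text:
        ace.inherited = True
        text = text.replace(INHERITED_TAG, "")
    text = text.strip()
    if text and text != "SPECIAL ACCESS":
        ace.rights.append(text)


def parse_dsacls(output):
    """Split a dsacls listing into Ace records, in the order printed."""
    aces, section, current = [], None, None
    for raw in output.splitlines():
        line = raw.rstrip()
        if line.startswith("Effective Permissions"):
            section, current = "effective", None
            continue
        if line.startswith("Permissions inherited to subobjects"):
            section, current = "subobjects", None
            continue
        if line.startswith("The command completed"):
            break
        if not line or section is None:
            continue
        if line.startswith(("Allow ", "Deny ")):
            kind, rest = line.split(None, 1)
            # Trustee and (optionally) the first right share the line,
            # separated by a run of spaces.
            parts = re.split(r"\s{2,}", rest.strip(), maxsplit=1)
            current = Ace(kind, parts[0], section)
            aces.append(current)
            if len(parts) == 2:
                _add_right(current, parts[1])
        elif line[0].isspace() and current is not None:
            _add_right(current, line)
    return aces


def effective_right(aces, trustee, right):
    """Return "deny", "allow" or None for a literal trustee string on this object.
    Assumed ordering: explicit Deny, explicit Allow, inherited Deny, inherited
    Allow; FULL CONTROL satisfies any right; no group membership resolution."""
    order = {(False, "Deny"): 0, (False, "Allow"): 1,
             (True, "Deny"): 2, (True, "Allow"): 3}
    mine = [a for a in aces
            if a.section == "effective" and a.trustee.lower() == trustee.lower()]
    for ace in sorted(mine, key=lambda a: order[(a.inherited, a.kind)]):
        if right in ace.rights or "FULL CONTROL" in ace.rights:
            return ace.kind.lower()
    return None


def who_can(aces, right):
    """Trustees (as printed) whose ACEs resolve to allow for the given right."""
    trustees = sorted({a.trustee for a in aces if a.section == "effective"})
    return [t for t in trustees if effective_right(aces, t, right) == "allow"]


def deny_aces(aces):
    """Audit view: every Deny ACE with its rights and inheritance flag."""
    return [(a.trustee, a.rights, a.inherited) for a in aces if a.kind == "Deny"]


if __name__ == "__main__":
    parsed = parse_dsacls(SAMPLE_DENY_OU)
    for trustee, rights, inherited in deny_aces(parsed):
        print(f"DENY {trustee}: {', '.join(rights)} (inherited={inherited})")
    print("Can DELETE:", who_can(parsed, "DELETE"))
```

Feed the script the output of the dsacls commands from the exercises (for example, by redirecting dsacls to a file and reading it) to confirm that the deny step actually removed DELETE from the logged-on account while the Administrators role keeps it through inherited FULL CONTROL; remember that dsacls lists the role as the trustee, so an account that is a member of that role needs the membership resolved separately before the verdict applies to it.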