How to modify dssec.dat to get the ACL Editor to display specific attributes
Hi. I'd like to know how to modify the dssec.dat file so I can have the ACL Editor display certain attributes that we'd like to use to delegate specific modifications for a service account.
I've noticed that certain attributes have a 0 value assigned, while others have 1 assigned, and still some have 7 assigned. Does anyone know what these are for, and what value I should be setting these to in order to have the ACL Editor show them, so that we are able to grant some permissions?
By the way, Microsoft really ought to make it simple to delegate admin tasks and access in Active Directory. So much complicated technology, although powerful, makes this complex, and complexity is the enemy of security.
I could not agree with you more that Microsoft really needs to make delegation of administration so much easier and more manageable.
It requires us to waste so much time learning all these esoteric concepts and ideas just to delegate stuff, not to mention that it's virtually impossible to accurately find out who is delegated what access on a single object, let alone the entire domain.
Anyway, to answer your question, here are the meanings of the three values:
0 - Display both Read and Write permissions for a property
1 - Display only the Write permissions for a property
2 - Display only the Read permissions for a property
By the way, after you've edited and saved your dssec.dat file, don't forget to close and then re-open the Active Directory Users and Computers Snap-In.
As a security precaution, personally, I always make a copy of the dssec.dat file, in case I end up making an accidental deletion or a mistake.
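The back-up-then-edit procedure from the answer above, as an added PowerShell example that is not code from the original thread. It treats dssec.dat as the INI-style file it is (one [class] section per object class, followed by attribute=value lines), takes a timestamped copy, rewrites the value for the attributes you name under one class, and leaves everything else byte-for-byte as found. The path under %SystemRoot%\System32, the class name "user", and the attributes "telephoneNumber" and "description" are illustrative assumptions, not taken from the thread; substitute your own. Run it from an elevated prompt on the console where you use the snap-in, and remember that this only changes what that console's ACL Editor lists, not any permission in the directory.

```powershell
# Added example, not code from the original post. Backs up dssec.dat and sets
# the display-filter value for selected attributes of one object class, using
# the value meanings given in the answer above (0 = show both Read and Write).
# Assumed defaults below (path, class, attribute names) are for illustration.
param(
    [string]$DssecPath = (Join-Path $env:SystemRoot 'System32\dssec.dat'),
    [string]$Class     = 'user',                                    # [section] name in dssec.dat
    [hashtable]$Filter = @{ telephoneNumber = 0; description = 0 }  # attribute -> new value
)

# 1. Keep a timestamped copy so an accidental deletion or typo can be rolled back.
$backup = "$DssecPath.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"
Copy-Item -LiteralPath $DssecPath -Destination $backup
Write-Host "Backup written to $backup"

# 2. Walk the file line by line, tracking which [class] section we are in.
#    Hashtables built with @{} are case-insensitive, which matches how the
#    attribute names are written in the file (mixed-case LDAP display names).
$section = $null
$seen    = @{}
$out = foreach ($line in Get-Content -LiteralPath $DssecPath) {
    if ($line -match '^\s*\[(?<name>[^\]]+)\]\s*$') {
        $section = $Matches['name']
        $line                                   # section header, unchanged
        continue
    }
    if ($section -ieq $Class -and
        $line -match '^\s*(?<attr>[^=\s]+)\s*=\s*(?<val>\d+)\s*$' -and
        $Filter.ContainsKey($Matches['attr'])) {
        $attr = $Matches['attr']
        $seen[$attr] = $true
        "$attr=$($Filter[$attr])"               # rewritten with the requested value
        continue
    }
    $line                                       # every other line, unchanged
}

# 3. Report names that were not present under the section instead of guessing
#    where to add them; a miss usually means the lDAPDisplayName is misspelled.
foreach ($name in $Filter.Keys) {
    if (-not $seen.ContainsKey($name)) {
        Write-Warning "'$name' not found under [$Class]; nothing changed for it"
    }
}

# 4. Write the result back as plain ASCII, which is how the file ships.
Set-Content -LiteralPath $DssecPath -Value $out -Encoding Ascii
Write-Host "Updated $DssecPath. Close and re-open Active Directory Users and Computers to pick up the change."
```

Save it as a .ps1 and call it with -Class and -Filter for the class and attributes you actually want to delegate; run it with the defaults first on a test console to confirm the backup and the rewritten lines look as expected before touching the machine your admins use.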
Thanks very much for helping me out; this info is exactly what I was looking for.
We've gone ahead and delegated the most common administrative tasks based on the principle of least rights, and we're feeling quite good about our delegation model.
The only problem is that while it was rather easy to delegate these administrative tasks quite precisely, because I'm not the only one controlling access (i.e. there are other admins as well), we have no way of knowing if the delegations we initially made are still the same or whether they may have changed since.
Do you have any input on how to solve this problem as well? i.e. how to find out who is delegated what access in our Active Directory at any point in time?