Wednesday, January 20, 2010
So you want to assign DEFAULT permissions to Active Directory objects…
You will also need to install the administrative tools on your machine (adminpak.msi from the server’s c:\windows\system32 directory, or download it from Microsoft here: http://www.microsoft.com/downloads/details.aspx?FamilyID=e487f885-f0c7-436a-a392-25793a25bad7&DisplayLang=en).
After installing the administrative tools, you will have all the default Active Directory tools on your desktop, but no tool for the schema. You will need to create a new MMC console (go to the Run line, type mmc, and press Enter) and then add the Schema snap-in (File > Add/Remove Snap-in, click Add, choose Active Directory Schema).
Then you will need to open the Classes node and find the object class you are looking for. Users are easy (it’s called users) and Group Policy Objects are too (they are called groupPolicyContainers). In the properties for the class, there is a Default Security tab which you can use to set the default permissions for new objects based upon this schema class. However, you won’t see the change until (a) you restart the Netlogon service and (b) the change has replicated to all the domain controllers in your forest.
You can make these permissions apply to existing objects by going to the Security tab of an AD object, clicking Advanced, and clicking Default, which will set the object’s local permissions to the schema default values. Good Luck!!!
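
To check point (b) without waiting and guessing, the following added example (not part of the original post) compares the class's default security descriptor on every domain controller against the copy on the schema master. It assumes the ActiveDirectory PowerShell module from RSAT is available, that the Default Security tab is stored in the class's `defaultSecurityDescriptor` attribute as an SDDL string, and that the class is looked up by its lDAPDisplayName, here taken to be `groupPolicyContainer`.

```powershell
# Added example: confirm that a schema class's default security descriptor
# has replicated to every domain controller in the forest.
# Assumption: the ActiveDirectory module (RSAT) is installed on this machine.
Import-Module ActiveDirectory

# lDAPDisplayName of the schema class to check (assumed value; change as needed).
$ClassName = 'groupPolicyContainer'

$forest   = Get-ADForest
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Schema changes are written on the schema master, so use its copy as the reference.
$reference = Get-ADObject -Server $forest.SchemaMaster -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassName))" `
    -Properties defaultSecurityDescriptor
if (-not $reference) { throw "Class '$ClassName' not found in the schema." }

# Read the same classSchema object from each DC in each domain and compare the SDDL.
$results = foreach ($domain in $forest.Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        try {
            $copy = Get-ADObject -Server $dc.HostName `
                -Identity $reference.DistinguishedName `
                -Properties defaultSecurityDescriptor -ErrorAction Stop
            $same = $copy.defaultSecurityDescriptor -ceq $reference.defaultSecurityDescriptor
            $status = if ($same) { 'InSync' } else { 'Stale' }
        } catch {
            # DC offline or not answering; it cannot be confirmed either way.
            $status = 'Unreachable'
        }
        [pscustomobject]@{
            Domain           = $domain
            DomainController = $dc.HostName
            Status           = $status
        }
    }
}

$results | Sort-Object Status, DomainController | Format-Table -AutoSize

# Print the reference SDDL so the new default ACL can be reviewed and recorded.
"Default security descriptor on $($forest.SchemaMaster):"
$reference.defaultSecurityDescriptor
```

Any domain controller reported as Stale or Unreachable can still create objects of this class with the old default permissions.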