
LEX Online Manual Content

Permissions

Menu options: Permissions

This option is available in Active Directory environments only. It simply opens the nTSecurityDescriptor attribute of the currently selected object with the appropriate attribute editor.

The editor for nTSecurityDescriptor attributes

The nTSecurityDescriptor attribute, which contains the access control list (ACL), is specific to Microsoft Active Directory environments. So if you are not connected to an AD directory server, or you cannot access the nTSecurityDescriptor attribute, you cannot use the Edit - Permissions option.

First of all, the security attribute editor presents three different tabs for you:

  • Permissions: Here are the access control entries for the object permissions (Discretionary Access Control List - DACL)
  • Audit: Here are the access control entries for the object audit (System Access Control List - SACL)
  • Owner: Here are the owner account and the owner group account (the owner of an object is initially its creator; the owner can always change the permissions of the object).

If you don't see all of these tabs, you may have insufficient rights to access the permission or audit information. To see the DACL permissions, you need the Read Control (RC) right. To see the SACL audit information, you need the security policy privilege 'Manage Audit and Security Log'. If LEX detects that you do not have permission to access the DACL, it asks whether you want to try taking ownership of the object in question, since the owner can always access the DACL:

Editor for Microsoft Access Control Entries


There are many individual permission flags. In most cases, these flags can be joined into combinations that are useful for daily operation in Active Directory environments. The Permissions Editor shows directly whether any of these combinations are set for the entries in the object ACL. The abbreviations for the frequently used permission combinations are:

F Full permissions.

R Read permissions on the properties which are listed in the 'Scope' column. If this column is empty, R means that all properties can be read, the object and children can be listed and the object permissions can be read.

W Write permissions on the properties which are listed in the 'Scope' column. If this column is empty, W means that all properties can be read, and all the validated rights are granted.

L List children or content of the object.

C Create child permissions: All objects of the type listed in 'Scope' column can be created as children. If this column is empty, then C means that all object classes can be created as children.

D Delete child permissions: All child objects of the type listed in 'Scope' column can be deleted. If this column is empty, then D means that all children can be deleted.

S Special permissions: All permissions which can't be specified with a valid combination of the other often used permissions.
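For auditing outside the GUI, the following added example (not LEX's own code) parses a raw self-relative nTSecurityDescriptor value into the owner, SACL presence and DACL entries that the three tabs display, and summarizes each access mask with the letters above. The mapping of letters to mask bits is an assumption based on the descriptions in this list, only ACE types 0, 1, 5 and 6 are handled, and the sample descriptor is constructed.

```python
import struct

# Access-mask bits as documented for AD (ADS_RIGHTS_ENUM); RC = READ_CONTROL.
CC, DC, LC, SW, RP, WP, DT, LO, CR = (1 << i for i in range(9))
RC, FULL = 0x20000, 0xF01FF

def abbreviate(mask, scoped):
    """Assumed mapping of the page's letters onto mask bits (not LEX's code)."""
    if mask & FULL == FULL:
        return "F"
    combos = [("R", RP if scoped else RP | LC | LO | RC),
              ("W", WP if scoped else WP | SW), ("L", LC), ("C", CC), ("D", DC)]
    out, left = "", mask
    for letter, bits in combos:
        if left & bits == bits:
            out, left = out + letter, left & ~bits
    return out if out and not left else "S"   # leftover bits => Special

def sid_str(b):
    subs = struct.unpack_from(f"<{b[1]}I", b, 8)
    return "-".join(map(str, ["S", b[0], int.from_bytes(b[2:8], "big"), *subs]))

def parse_sd(sd):
    """Split a self-relative descriptor into what the three tabs display."""
    o_owner, _group, o_sacl, o_dacl = struct.unpack_from("<4I", sd, 4)
    view = {"owner": sid_str(sd[o_owner:]) if o_owner else None,
            "sacl_present": bool(o_sacl), "permissions": []}
    if not o_dacl:
        return view
    pos = o_dacl + 8                                  # skip 8-byte ACL header
    for _ in range(struct.unpack_from("<H", sd, o_dacl + 4)[0]):
        atype, _flags, size, mask = struct.unpack_from("<BBHI", sd, pos)
        sid_at, scoped = pos + 8, False
        if atype in (5, 6):                           # object ACE: flags + GUIDs
            oflags = struct.unpack_from("<I", sd, sid_at)[0]
            scoped = bool(oflags & 1)                 # ObjectType GUID = 'Scope'
            sid_at += 4 + 16 * bin(oflags & 3).count("1")
        kind = "deny" if atype in (1, 6) else "allow"
        view["permissions"].append((kind, sid_str(sd[sid_at:]), abbreviate(mask, scoped)))
        pos += size
    return view

# Constructed sample: owner and a 3-entry DACL, no SACL returned.
AU, SELF = "01010000000000050b000000", "01010000000000050a000000"
ADMINS = "01020000000000052000000020020000"
SAMPLE = bytes.fromhex(
    "01000480" "70000000" "00000000" "00000000" "14000000" "04005c0003000000"
    "00001400" "94000200" + AU + "00001800" "ff010f00" + ADMINS +
    "05002800" "20000000" "01000000" + "11" * 16 + SELF + ADMINS)
print(parse_sd(SAMPLE))
```

A descriptor with no SACL offset, as in the sample, is what a caller without the 'Manage Audit and Security Log' privilege should expect to work with.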


If you want to see the detailed view and the settings of all possible permission flags, or if you want to set a special permission, then you have to double-click on one entry. Then the Access Control Entry Editor is shown:

Editor for Microsoft Access Control Entries


Detailed information about the security attribute editor is outlined in the manual topic about Attribute Editors for Microsoft Security Descriptors.