ADAM - How to add Authenticated Users to Readers group?

  #1  
Old 14-04-2005
Mann
 
Posts: n/a
ADAM - How to add Authenticated Users to Readers group?

This is an excerpt from ADAM Help, Administering ADAM, Administering access
control:
Windows security principals

By default, authenticated Windows security principals in ADAM can only read
objects in the schema directory partition. To enable authenticated Windows
security principals to read any other objects, you can assign permissions on
objects to the well-known security ID (SID) authorized user. You can assign
Read permissions for an entire directory partition by making authorized user
a member of the Readers group on that directory partition. Or, you can
assign Read permissions on an object-by-object basis, using dsacls.

>> You can assign Read permissions for an entire directory partition by making authorized user a member of the Readers group on that directory partition.

Does 'authorized user' mean 'NT Authority\Authenticated Users'? I have tried
using ADAM ADSI Edit program to add it as member to the
'cn=Readers,cn=Roles,...' group. I tried the syntax of 'Authenticated
Users', 'cn=Authenticated Users', 'NT Authority\Authenticated Users', 'cn=NT
Authority\Authenticated Users', 'cn=S-1-5-11' and various forms with
quotation marks but none of them were accepted. Can I really make this
well-known security principal a member of the Readers group?

BTW, I was able to add 'Authenticated Users' to the ACL of my partition root
using dsacls. The dsacls utility recognized it and added it as 'NT
Authority\Authenticated Users' in the ACL.



  #2  
Old 14-04-2005
Joe Kaplan (MVP - ADSI)
 
Posts: n/a
Re: ADAM - How to add Authenticated Users to Readers group?

Try the SID DN syntax:

<SID=S-1-5-11>

Joe K.

  #3  
Old 14-04-2005
Mann
 
Posts: n/a
Re: ADAM - How to add Authenticated Users to Readers group?

Thanks a lot. It works!

In fact the brackets are required exactly as you wrote. ADAM changed it to
a foreign security principal but it is not listed under the
"cn=ForeignSecurityPrincipals" container though.

Is this <SID=...> form documented anywhere? I'd like to know more details
about it. Thanks!!


  #4  
Old 15-04-2005
Joe Kaplan (MVP - ADSI)
 
Posts: n/a
Re: ADAM - How to add Authenticated Users to Readers group?

http://msdn.microsoft.com/library/de...asp?frame=true

There are 3 "special" DN syntaxes supported by AD and ADAM: GUID, WKGUID and
SID. SID seems to have the added benefit of creating FSPs on the fly when
needed, but I'm not sure where that is documented. The other special DNs
are documented right next to that topic in MSDN.

HTH,

Joe K.

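A scripted form of the fix discussed in this thread, added here as an example and not written by the original posters: it appends `<SID=S-1-5-11>` to the `member` attribute of the Readers group through System.DirectoryServices and prints the value the directory stored, so the grant can be reviewed afterwards. The host and port `localhost:50000` and the partition `DC=example,DC=com` are placeholder assumptions.

```powershell
# Added example. Placeholders (assumptions, not from the thread):
$server    = 'localhost:50000'        # ADAM instance host:port
$partition = 'DC=example,DC=com'      # application directory partition
$sid       = 'S-1-5-11'               # well-known SID discussed in the thread

# Validate the SID string and resolve it to a name, so it is clear which
# principal is about to receive read access to the whole partition.
$sidObj = New-Object System.Security.Principal.SecurityIdentifier($sid)
$name   = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
Write-Host "Granting Readers membership to $sid ($name)"

# Re-read the group from the server and return its member values as strings.
function Get-Members($entry) {
    $entry.psbase.RefreshCache()
    @($entry.psbase.Properties['member'] | ForEach-Object { [string]$_ })
}

$readers = [ADSI]"LDAP://$server/CN=Readers,CN=Roles,$partition"
$before  = Get-Members $readers

# SID DN syntax: the angle brackets are part of the value.
$sidDn = "<SID=$sid>"
try {
    [void]$readers.psbase.Properties['member'].Add($sidDn)
    $readers.psbase.CommitChanges()
}
catch {
    # Typical causes: the principal is already a member, or the caller
    # lacks write access to the group.
    Write-Warning "Add failed: $($_.Exception.Message)"
}

# Show what the directory actually stored for the new member.
$after = Get-Members $readers
$added = $after | Where-Object { $before -notcontains $_ }
if ($added) {
    Write-Host "New member value(s) stored by the directory:"
    $added
} else {
    Write-Host "No new member value; current members:"
    $after
}
```

Run it under an account that is allowed to modify the Readers group in the target partition.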
  #5  
Old 15-04-2005
Mann
 
Posts: n/a
Re: ADAM - How to add Authenticated Users to Readers group?

Thanks for your help!!

  #6  
Old 13-10-2007
Member
 
Join Date: Oct 2007
Posts: 1
This was very helpful, but I wanted to point out that you have to add the SID as an ADAM account, which is slightly non-intuitive.

Dave