#1
ADAM - How to add Authenticated Users to Readers group?

This is an excerpt from ADAM Help, Administering ADAM, Administering access control:

Windows security principals

By default, authenticated Windows security principals in ADAM can only read objects in the schema directory partition. To enable authenticated Windows security principals to read any other objects, you can assign permissions on objects to the well-known security ID (SID) authorized user. You can assign Read permissions for an entire directory partition by making authorized user a member of the Readers group on that directory partition. Or, you can assign Read permissions on an object-by-object basis, using dsacls.

>> You can assign Read permissions for an entire directory partition by making authorized user a member of the Readers group on that directory partition.

Does 'authorized user' mean 'NT Authority\Authenticated Users'? I have tried using ADAM ADSI Edit program to add it as member to the 'cn=Readers,cn=Roles,...' group. I tried the syntax of 'Authenticated Users', 'cn=Authenticated Users', 'NT Authority\Authenticated Users', 'cn=NT Authority\Authenticated Users', 'cn=S-1-5-11' and various forms with quotation marks but none of them were accepted. Can I really make this well-known security principal a member of Readers group?

BTW, I was able to add 'Authenticated Users' to the ACL of my partition root using dsacls. The dsacls utility recognized it and added it as 'NT Authority\Authenticated Users' in the ACL.
#2
Re: ADAM - How to add Authenticated Users to Readers group?

Try the SID DN syntax:

<SID=S-1-5-11>

Joe K.

"Mann" <mchang@filenet.com> wrote in message news:%230rjrCIQFHA.3544@TK2MSFTNGP12.phx.gbl...
> This is an excerpt from ADAM Help, Administering ADAM, Administering access control:
>
> Windows security principals
>
> By default, authenticated Windows security principals in ADAM can only read objects in the schema directory partition. To enable authenticated Windows security principals to read any other objects, you can assign permissions on objects to the well-known security ID (SID) authorized user. You can assign Read permissions for an entire directory partition by making authorized user a member of the Readers group on that directory partition. Or, you can assign Read permissions on an object-by-object basis, using dsacls.
>
> >> You can assign Read permissions for an entire directory partition by making authorized user a member of the Readers group on that directory partition.
>
> Does 'authorized user' mean 'NT Authority\Authenticated Users'? I have tried using ADAM ADSI Edit program to add it as member to the 'cn=Readers,cn=Roles,...' group. I tried the syntax of 'Authenticated Users', 'cn=Authenticated Users', 'NT Authority\Authenticated Users', 'cn=NT Authority\Authenticated Users', 'cn=S-1-5-11' and various forms with quotation marks but none of them were accepted. Can I really make this well-known security principal a member of Readers group?
>
> BTW, I was able to add 'Authenticated Users' to the ACL of my partition root using dsacls. The dsacls utility recognized it and added it as 'NT Authority\Authenticated Users' in the ACL.
#3
Re: ADAM - How to add Authenticated Users to Readers group?

Thanks a lot. It works!

In fact the brackets are required exactly as you wrote. ADAM changed it to a foreign security principal but it is not listed under the "cn=ForeignSecurityPrincipals" container though.

Is this <SID=...> form documented anywhere? I like to know more details about it. Thanks!!

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:%23prIp1IQFHA.688@TK2MSFTNGP10.phx.gbl...
> Try the SID DN syntax:
>
> <SID=S-1-5-11>
>
> Joe K.
>
> "Mann" <mchang@filenet.com> wrote in message news:%230rjrCIQFHA.3544@TK2MSFTNGP12.phx.gbl...
> > This is an excerpt from ADAM Help, Administering ADAM, Administering access control:
> >
> > Windows security principals
> >
> > By default, authenticated Windows security principals in ADAM can only read objects in the schema directory partition. To enable authenticated Windows security principals to read any other objects, you can assign permissions on objects to the well-known security ID (SID) authorized user. You can assign Read permissions for an entire directory partition by making authorized user a member of the Readers group on that directory partition. Or, you can assign Read permissions on an object-by-object basis, using dsacls.
> >
> > >> You can assign Read permissions for an entire directory partition by making authorized user a member of the Readers group on that directory partition.
> >
> > Does 'authorized user' mean 'NT Authority\Authenticated Users'? I have tried using ADAM ADSI Edit program to add it as member to the 'cn=Readers,cn=Roles,...' group. I tried the syntax of 'Authenticated Users', 'cn=Authenticated Users', 'NT Authority\Authenticated Users', 'cn=NT Authority\Authenticated Users', 'cn=S-1-5-11' and various forms with quotation marks but none of them were accepted. Can I really make this well-known security principal a member of Readers group?
> >
> > BTW, I was able to add 'Authenticated Users' to the ACL of my partition root using dsacls. The dsacls utility recognized it and added it as 'NT Authority\Authenticated Users' in the ACL.
#4
Re: ADAM - How to add Authenticated Users to Readers group?

http://msdn.microsoft.com/library/de...asp?frame=true

There are 3 "special" DN syntaxes supported by AD and ADAM: GUID, WKGUID and SID. SID seems to have the added benefit of creating FSPs on the fly when needed, but I'm not sure where that is documented. The other special DNs are documented right next to that topic in MSDN.

HTH,

Joe K.

"Mann" <mchang@filenet.com> wrote in message news:eYwnFARQFHA.2520@tk2msftngp13.phx.gbl...
> Thanks a lot. It works!
>
> In fact the brackets are required exactly as you wrote. ADAM changed it to a foreign security principal but it is not listed under the "cn=ForeignSecurityPrincipals" container though.
>
> Is this <SID=...> form documented anywhere? I like to know more details about it. Thanks!!
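The `<SID=...>` member syntax from the replies above, as an added PowerShell example that is not part of the original thread: it writes the SID DN into the Readers group's `member` attribute and then reads the membership back to flag broad well-known SIDs. The instance address `localhost:50000`, the partition `DC=example,DC=com` and the function names `Add-SidMember` and `Get-SidMembers` are assumptions, as is the read-back format (an FSP DN whose first RDN is the SID string).

```powershell
# Added example, not code from the thread. Run as an ADAM administrator.
# Assumed values: ADAM instance on localhost:50000, partition DC=example,DC=com.
$server    = 'localhost:50000'
$partition = 'DC=example,DC=com'
$groupPath = "LDAP://$server/CN=Readers,CN=Roles,$partition"

# Well-known SIDs that open a role to a very broad population.
$broadSids = @{
    'S-1-5-11' = 'Authenticated Users'
    'S-1-1-0'  = 'Everyone'
    'S-1-5-7'  = 'Anonymous Logon'
}

function Add-SidMember {
    param([string]$GroupPath, [string]$Sid)
    # Reject anything that is not a SID string before it reaches the directory.
    if ($Sid -notmatch '^S-1-\d+(-\d+)+$') { throw "Not a SID string: $Sid" }
    $group = New-Object System.DirectoryServices.DirectoryEntry($GroupPath)
    try {
        # The angle brackets are part of the value; 'cn=S-1-5-11' is rejected.
        [void]$group.Properties['member'].Add("<SID=$Sid>")
        $group.CommitChanges()
    }
    finally { $group.Dispose() }
}

function Get-SidMembers {
    param([string]$GroupPath)
    $group = New-Object System.DirectoryServices.DirectoryEntry($GroupPath)
    try {
        foreach ($dn in $group.Properties['member']) {
            # Assumption: SID-based members read back as CN=<SID>,... (an FSP).
            if ("$dn" -match '^CN=(S-1-[\d-]+),') {
                $sid = $Matches[1]
                [pscustomobject]@{
                    Member    = "$dn"
                    Sid       = $sid
                    WellKnown = $broadSids[$sid]   # $null when not in the table
                }
            }
        }
    }
    finally { $group.Dispose() }
}

Add-SidMember -GroupPath $groupPath -Sid 'S-1-5-11'
Get-SidMembers -GroupPath $groupPath | Format-Table -AutoSize
```

Running `Get-SidMembers` on its own against each partition's Readers group gives a quick review of which partitions are readable by every authenticated Windows principal.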
#5
Re: ADAM - How to add Authenticated Users to Readers group?

Thanks for your help!!

"Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote in message news:efA$hQTQFHA.2868@TK2MSFTNGP10.phx.gbl...
> http://msdn.microsoft.com/library/de...asp?frame=true
>
> There are 3 "special" DN syntaxes supported by AD and ADAM: GUID, WKGUID and SID. SID seems to have the added benefit of creating FSPs on the fly when needed, but I'm not sure where that is documented. The other special DNs are documented right next to that topic in MSDN.
>
> HTH,
>
> Joe K.
>
> "Mann" <mchang@filenet.com> wrote in message news:eYwnFARQFHA.2520@tk2msftngp13.phx.gbl...
> > Thanks a lot. It works!
> >
> > In fact the brackets are required exactly as you wrote. ADAM changed it to a foreign security principal but it is not listed under the "cn=ForeignSecurityPrincipals" container though.
> >
> > Is this <SID=...> form documented anywhere? I like to know more details about it. Thanks!!
#6
This was very helpful, but I wanted to point out that you have to add the SID as an ADAM account which is slightly non-intuitive.

Dave