
Thread: ADAM - How to add Authenticated Users to Readers group?

  1. #1
    Mann Guest

    ADAM - How to add Authenticated Users to Readers group?

    This is an excerpt from ADAM Help, Administering ADAM, Administering access
    control:
    Windows security principals

    By default, authenticated Windows security principals in ADAM can only read
    objects in the schema directory partition. To enable authenticated Windows
    security principals to read any other objects, you can assign permissions on
    objects to the well-known security ID (SID) authorized user. You can assign
    Read permissions for an entire directory partition by making authorized user
    a member of the Readers group on that directory partition. Or, you can
    assign Read permissions on an object-by-object basis, using dsacls.

    >> You can assign Read permissions for an entire directory partition by
    >> making authorized user a member of the Readers group on that directory
    >> partition.



    Does 'authorized user' mean 'NT Authority\Authenticated Users'? I have tried
    using the ADAM ADSI Edit program to add it as a member of the
    'cn=Readers,cn=Roles,...' group. I tried the syntax of 'Authenticated
    Users', 'cn=Authenticated Users', 'NT Authority\Authenticated Users', 'cn=NT
    Authority\Authenticated Users', 'cn=S-1-5-11' and various forms with
    quotation marks, but none of them were accepted. Can I really make this
    well-known security principal a member of the Readers group?

    BTW, I was able to add 'Authenticated Users' to the ACL of my partition root
    using dsacls. The dsacls utility recognized it and added it as 'NT
    Authority\Authenticated Users' in the ACL.



  2. #2
    Joe Kaplan (MVP - ADSI) Guest

    Re: ADAM - How to add Authenticated Users to Readers group?

    Try the SID DN syntax:

    <SID=S-1-5-11>

    Joe K.

    "Mann" <mchang@filenet.com> wrote in message
    news:%230rjrCIQFHA.3544@TK2MSFTNGP12.phx.gbl...
    > This is an excerpt from ADAM Help, Administering ADAM, Administering access
    > control:
    > Windows security principals
    >
    > By default, authenticated Windows security principals in ADAM can only read
    > objects in the schema directory partition. To enable authenticated Windows
    > security principals to read any other objects, you can assign permissions on
    > objects to the well-known security ID (SID) authorized user. You can assign
    > Read permissions for an entire directory partition by making authorized user
    > a member of the Readers group on that directory partition. Or, you can
    > assign Read permissions on an object-by-object basis, using dsacls.
    >
    >>> You can assign Read permissions for an entire directory partition by
    >>> making authorized user a member of the Readers group on that directory
    >>> partition.
    >
    > Does 'authorized user' mean 'NT Authority\Authenticated Users'? I have tried
    > using the ADAM ADSI Edit program to add it as a member of the
    > 'cn=Readers,cn=Roles,...' group. I tried the syntax of 'Authenticated
    > Users', 'cn=Authenticated Users', 'NT Authority\Authenticated Users', 'cn=NT
    > Authority\Authenticated Users', 'cn=S-1-5-11' and various forms with
    > quotation marks, but none of them were accepted. Can I really make this
    > well-known security principal a member of the Readers group?
    >
    > BTW, I was able to add 'Authenticated Users' to the ACL of my partition root
    > using dsacls. The dsacls utility recognized it and added it as 'NT
    > Authority\Authenticated Users' in the ACL.




  3. #3
    Mann Guest

    Re: ADAM - How to add Authenticated Users to Readers group?

    Thanks a lot. It works!

    In fact, the brackets are required exactly as you wrote them. ADAM changed it
    to a foreign security principal, but it is not listed under the
    "cn=ForeignSecurityPrincipals" container.

    Is this <SID=...> form documented anywhere? I'd like to know more details
    about it. Thanks!!


    "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    in message news:%23prIp1IQFHA.688@TK2MSFTNGP10.phx.gbl...
    > Try the SID DN syntax:
    >
    > <SID=S-1-5-11>
    >
    > Joe K.
    >
    > "Mann" <mchang@filenet.com> wrote in message
    > news:%230rjrCIQFHA.3544@TK2MSFTNGP12.phx.gbl...
    > > This is an excerpt from ADAM Help, Administering ADAM, Administering access
    > > control:
    > > Windows security principals
    > >
    > > By default, authenticated Windows security principals in ADAM can only read
    > > objects in the schema directory partition. To enable authenticated Windows
    > > security principals to read any other objects, you can assign permissions on
    > > objects to the well-known security ID (SID) authorized user. You can assign
    > > Read permissions for an entire directory partition by making authorized user
    > > a member of the Readers group on that directory partition. Or, you can
    > > assign Read permissions on an object-by-object basis, using dsacls.
    > >
    > >>> You can assign Read permissions for an entire directory partition by
    > >>> making authorized user a member of the Readers group on that directory
    > >>> partition.
    > >
    > > Does 'authorized user' mean 'NT Authority\Authenticated Users'? I have tried
    > > using the ADAM ADSI Edit program to add it as a member of the
    > > 'cn=Readers,cn=Roles,...' group. I tried the syntax of 'Authenticated
    > > Users', 'cn=Authenticated Users', 'NT Authority\Authenticated Users', 'cn=NT
    > > Authority\Authenticated Users', 'cn=S-1-5-11' and various forms with
    > > quotation marks, but none of them were accepted. Can I really make this
    > > well-known security principal a member of the Readers group?
    > >
    > > BTW, I was able to add 'Authenticated Users' to the ACL of my partition root
    > > using dsacls. The dsacls utility recognized it and added it as 'NT
    > > Authority\Authenticated Users' in the ACL.




  4. #4
    Joe Kaplan (MVP - ADSI) Guest

    Re: ADAM - How to add Authenticated Users to Readers group?

    http://msdn.microsoft.com/library/de...asp?frame=true

    There are 3 "special" DN syntaxes supported by AD and ADAM: GUID, WKGUID and
    SID. SID seems to have the added benefit of creating FSPs on the fly when
    needed, but I'm not sure where that is documented. The other special DNs
    are documented right next to that topic in MSDN.

    HTH,

    Joe K.

    "Mann" <mchang@filenet.com> wrote in message
    news:eYwnFARQFHA.2520@tk2msftngp13.phx.gbl...
    > Thanks a lot. It works!
    >
    > In fact, the brackets are required exactly as you wrote them. ADAM changed it
    > to a foreign security principal, but it is not listed under the
    > "cn=ForeignSecurityPrincipals" container.
    >
    > Is this <SID=...> form documented anywhere? I'd like to know more details
    > about it. Thanks!!
    >
    >
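    As an added example (not code from this thread, from Microsoft, or from the ADAM help text), the two approaches the thread discusses, written in PowerShell against System.DirectoryServices: adding the special DN `<SID=S-1-5-11>` to the member attribute of a partition's Readers role, as Joe's reply describes, reading back the foreign security principal that ADAM resolved it to, and the object-level dsacls alternative mentioned in the first post. The host, port, partition DN and function names are assumptions; the dsacls `\\host:port\DN` object path and `/G principal:GR` shape are written from memory and should be checked against `dsacls /?` on the instance you administer.

```powershell
# Added example, not from the thread: grant NT AUTHORITY\Authenticated Users read
# access to an ADAM partition in the two ways discussed above. Host, port and
# partition DN are assumed values.
$Server    = 'adamhost.example.local:389'    # assumed ADAM instance (host:port)
$Partition = 'dc=app,dc=example,dc=local'    # assumed application partition DN

# S-1-5-11 is the well-known SID of Authenticated Users. Wrapped as <SID=...> it is
# the special DN syntax that AD and ADAM accept in DN-valued attributes such as
# member; ADAM creates the foreign security principal (FSP) for it on the fly.
$AuthenticatedUsersDn = '<SID=S-1-5-11>'

function Add-SidToAdamRole {
    param(
        [string]$Server,
        [string]$RoleDn,   # e.g. cn=Readers,cn=Roles,<partition DN>
        [string]$SidDn     # e.g. <SID=S-1-5-11>
    )
    $role = [ADSI]"LDAP://$Server/$RoleDn"
    try {
        [void]$role.Properties['member'].Add($SidDn)
        $role.CommitChanges()
    } catch [System.Runtime.InteropServices.COMException] {
        # A duplicate value is rejected by the directory (attributeOrValueExists);
        # report it and fall through to the read-back so the caller still sees state.
        Write-Warning "Adding $SidDn to $RoleDn failed: $($_.Exception.Message)"
    }
    # Read back what ADAM actually stored: the <SID=...> value comes back as the DN
    # of the FSP it resolved, which is the entry an auditor will later find in member.
    $role.RefreshCache(@('member'))
    return @($role.Properties['member'])
}

function Test-RoleContainsSid {
    # Bind each member DN and compare its objectSid to the wanted SID, so the check
    # works regardless of where ADAM placed the FSP (post #3 notes it is not under
    # cn=ForeignSecurityPrincipals).
    param([string]$Server, [string]$RoleDn, [string]$Sid)
    $role = [ADSI]"LDAP://$Server/$RoleDn"
    foreach ($memberDn in @($role.Properties['member'])) {
        $member = [ADSI]"LDAP://$Server/$memberDn"
        $raw = $member.Properties['objectSid'].Value
        if ($null -eq $raw) { continue }
        $memberSid = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        if ($memberSid.Value -eq $Sid) { return $true }
    }
    return $false
}

function Grant-ReadWithDsacls {
    # Object-by-object alternative from the first post: an ACE on one object (here
    # the partition root) rather than membership in a partition-wide role.
    # dsacls addresses an ADAM object as \\host:port\DN; GR = generic read and /I:T
    # propagates the ACE to the object and all its children (assumed syntax).
    param(
        [string]$Server,
        [string]$ObjectDn,
        [string]$Principal = 'NT AUTHORITY\Authenticated Users'
    )
    & dsacls "\\$Server\$ObjectDn" /I:T /G "${Principal}:GR"
}

# Usage (partition-wide read via the Readers role, then verify):
$readersDn = "cn=Readers,cn=Roles,$Partition"
Add-SidToAdamRole -Server $Server -RoleDn $readersDn -SidDn $AuthenticatedUsersDn
Test-RoleContainsSid -Server $Server -RoleDn $readersDn -Sid 'S-1-5-11'

# Or, narrower scope: grant read on one object (and its subtree) instead.
# Grant-ReadWithDsacls -Server $Server -ObjectDn $Partition
```

    Readers membership opens every object in the partition to any authenticated principal, which is exactly what the help text offers as the "entire directory partition" option; when only part of the tree should be readable, the dsacls path scoped to that object is the smaller grant. `Test-RoleContainsSid` is also usable on its own to audit which roles already contain S-1-5-11 before widening access further.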




  5. #5
    Mann Guest

    Re: ADAM - How to add Authenticated Users to Readers group?

    Thanks for your help!!

    "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@removethis.accenture.com> wrote
    in message news:efA$hQTQFHA.2868@TK2MSFTNGP10.phx.gbl...
    > http://msdn.microsoft.com/library/de...asp?frame=true
    >
    > There are 3 "special" DN syntaxes supported by AD and ADAM: GUID, WKGUID and
    > SID. SID seems to have the added benefit of creating FSPs on the fly when
    > needed, but I'm not sure where that is documented. The other special DNs
    > are documented right next to that topic in MSDN.
    >
    > HTH,
    >
    > Joe K.
    >
    > "Mann" <mchang@filenet.com> wrote in message
    > news:eYwnFARQFHA.2520@tk2msftngp13.phx.gbl...
    > > Thanks a lot. It works!
    > >
    > > In fact, the brackets are required exactly as you wrote them. ADAM changed it
    > > to a foreign security principal, but it is not listed under the
    > > "cn=ForeignSecurityPrincipals" container.
    > >
    > > Is this <SID=...> form documented anywhere? I'd like to know more details
    > > about it. Thanks!!




  6. #6
    This was very helpful, but I wanted to point out that you have to add the SID as an ADAM account, which is slightly non-intuitive.

    Dave
