Directory Wizards Inc.

Setting 'Special Permissions' on the ADAM Sync container

Category: ADAM

Last Updated: 2011-08-04


In order for your UnitySync ADAM user account to have the permissions needed to create objects in your ADAM directory, you may make the UnitySync ADAM user account a member of the ADMIN group.

OR

You may apply 'Special Permissions' on the Sync container, granting the UnitySync ADAM user account rights on just that one container. This is the narrower grant: the account gets no rights anywhere else in the directory. This article outlines the required steps to set Special Permissions on your ADAM Sync container.

Special Permissions are set with the dsacls command, as outlined below. The DSACLS Microsoft TechNet article explains the syntax of the command as used in the following instructions.

1.  You must first complete the steps outlined for Creating your ADAM UnitySync User Account and Sync Container.

2.  CD to the ADAM directory (e.g. \windows\adam).

3.  Execute dsacls to display the current ACL settings for your Sync container:

dsacls "\\localhost:50000\ou=Jons World,dc=acme"

Example dsacls output:
Owner: CN=Administrators,CN=Roles,DC=acme
Group: CN=Administrators,CN=Roles,DC=acme

Access list:
Allow CN=Readers,CN=Roles,DC=acme 

SPECIAL ACCESS   <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT

Allow CN=Administrators,CN=Roles,DC=acme

FULL CONTROL   <Inherited from parent>


Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=acme          

SPECIAL ACCESS   <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT

Allow CN=Administrators,CN=Roles,DC=acme

FULL CONTROL   <Inherited from parent>


4. Execute dsacls to grant the UnitySync user account permission to create and delete child objects on the Sync container (CC = Create Child, DC = Delete Child):

dsacls "\\localhost:50000\ou=jons world,dc=acme" /g cn=jondoe,dc=acme:CCDC

Example dsacls output showing CCDC permissions:

Owner: CN=Administrators,CN=Roles,DC=acme
Group: CN=Administrators,CN=Roles,DC=acme

Access list:
Allow CN=JonDoe,DC=acme                         

SPECIAL ACCESS
CREATE CHILD
DELETE CHILD

Allow CN=Readers,CN=Roles,DC=acme    

SPECIAL ACCESS   <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT

Allow CN=Administrators,CN=Roles,DC=acme

FULL CONTROL   <Inherited from parent>


Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=Readers,CN=Roles,DC=acme    

SPECIAL ACCESS   <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT

Allow CN=Administrators,CN=Roles,DC=acme

FULL CONTROL   <Inherited from parent>


5. Execute dsacls to grant full control (GA) on all objects BELOW the Sync OU, but NOT on the Sync OU itself (/I:S applies the ACE to subobjects only):

dsacls "\\localhost:50000\ou=jons world,dc=acme" /g cn=jondoe,dc=acme:GA /I:S

Example dsacls output showing GA /I:S permissions:

Owner: CN=Administrators,CN=Roles,DC=acme
Group: CN=Administrators,CN=Roles,DC=acme

Access list:
Allow CN=JonDoe,DC=acme              

SPECIAL ACCESS
CREATE CHILD
DELETE CHILD

Allow CN=Readers,CN=Roles,DC=acme    

SPECIAL ACCESS   <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT

Allow CN=Administrators,CN=Roles,DC=acme

FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow CN=JonDoe,DC=acme              

FULL CONTROL

Allow CN=Readers,CN=Roles,DC=acme    

SPECIAL ACCESS   <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT

Allow CN=Administrators,CN=Roles,DC=acme

FULL CONTROL   <Inherited from parent>

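As an added check that is not part of the original article, the following Python script parses dsacls output in the column layout shown above and reports where the sync account's rights differ from the intended result of steps 4 and 5: CREATE CHILD and DELETE CHILD on the Sync OU itself, FULL CONTROL on subobjects only, and nothing inherited from a parent object. The embedded sample is constructed from the step 5 output above (Readers' rights shortened); the trustee names and the expectations come from this article, and the script is not Directory Wizards' code.

```python
import re
INHERITED = "<Inherited from parent>"
STEP5_OUTPUT = """\
Access list:
Allow CN=JonDoe,DC=acme              SPECIAL ACCESS
                                     CREATE CHILD
                                     DELETE CHILD
Allow CN=Readers,CN=Roles,DC=acme    SPECIAL ACCESS   <Inherited from parent>
Permissions inherited to subobjects are:
Allow CN=JonDoe,DC=acme              FULL CONTROL
Allow CN=Administrators,CN=Roles,DC=acme
                                     FULL CONTROL   <Inherited from parent>
"""

def parse_dsacls(text):
    """Split dsacls output into ACEs on the object itself and ACEs for its subobjects."""
    acl, section, ace = {"container": [], "subobjects": []}, "container", None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Access list:"):
            section, ace = "container", None
        elif line.startswith("Permissions inherited to subobjects"):
            section, ace = "subobjects", None
        elif line.startswith(("Allow ", "Deny ")):
            kind, rest = line.split(" ", 1)
            parts = re.split(r"\s{2,}", rest, maxsplit=1)  # trustee is padded to a column
            ace = {"kind": kind, "trustee": parts[0], "inherited": False, "rights": set()}
            acl[section].append(ace)
            line = parts[1] if len(parts) > 1 else ""  # first right may share the trustee line
        if ace is None or not line:
            continue
        if INHERITED in line:  # the ACE was set on a parent object, not on this one
            ace["inherited"], line = True, line.replace(INHERITED, "").strip()
        if line and line != "SPECIAL ACCESS":  # "SPECIAL ACCESS" only heads a rights list
            ace["rights"].add(line)
    return acl

def check_sync_account(text, account):
    """Report where the account's rights differ from CCDC on the OU plus GA /I:S below it."""
    acl, findings = parse_dsacls(text), []
    def mine(sec):
        return [a for a in acl[sec] if a["kind"] == "Allow" and a["trustee"].lower() == account.lower()]
    on_ou = set().union(*(a["rights"] for a in mine("container")))
    below = set().union(*(a["rights"] for a in mine("subobjects")))
    if on_ou != {"CREATE CHILD", "DELETE CHILD"}:
        findings.append(f"rights on the OU itself are {sorted(on_ou)}; expected only CREATE CHILD and DELETE CHILD")
    if "FULL CONTROL" not in below:
        findings.append("no FULL CONTROL on subobjects: the sync cannot update the entries it creates")
    if any(a["inherited"] for sec in acl for a in mine(sec)):
        findings.append("the grant is inherited from a parent: its scope is wider than the sync container")
    return findings
```

Run it against the saved output of the `dsacls "\\localhost:50000\ou=..."` display command after step 5; an empty list means the grant landed exactly as intended.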

Notes regarding above instructions: