Como delegar permisos de Active Directory

Para delegar permisos de Active Directory a un grupo de usuarios y no morir en el intento, recomiendo utilizar la herramienta de linea de comando dsacls.


Si utilizan el wizard que ofrece Windows 2003 server, van a encontrar que genera problemas con la herencia la mayoría de las veces.


A continuación un ejemplo del comando applicado en una delegación concreta de permisos sobre un atributo de un objeto user


dsacls "OU=Sites,OU=Argentina,DC=dominio,DC=ccf" /I:S /G domino\group:WP;personalTitle;user


Ejemplo para permitir a un grupo modificar la expiracion de los usuarios:


Para delegar el permiso de modificar el atributo accountExpires

dsacls "CN=Pepe,OU=Usuarios,OU=ARGENTINA,DC=dominio,DC=ccf" /I:S /G SA\HelpServicesGroup:RPWP;accountExpires;user >> out.log

Para delegar el permiso de modificar el atributo expirationTime:

dsacls "CN=Pepe,OU=Usuarios,OU=ARGENTINA,DC=dominio,DC=ccf" /I:S /G SA\HelpServicesGroup:RPWP;expirationTime;user >> out.log

Se puede poner RP (read) y WP (write) seguidos en una misma línea, como están arriba (RPWP;) y no tener que hacer 2 líneas por separado para cada Property.

El “>> out.log” se puede usar para tener registro de los resultados, si vamos a ejecutar muchos comandos juntos. Puede que fallen si el nombre (CN=) tiene caracteres no permitidos (Ñ,  comilla simple, etc.).

Mas info sobre el comando:


This article describes how to use the Dsacls.exe tool (Dsacls.exe) to manage access control lists (ACLs) for directory services in Microsoft Windows Server 2003 and Microsoft Windows 2000 Server. Dsacls.exe is a command-line tool that you can use to query the security attributes and to change permissions and security attributes of Active Directory objects. It is the command-line equivalent of the Security tab in the Windows Active Directory snap-in tools such as Active Directory Users and Computers and Active Directory Sites and Services.

Dsacls.exe is included with the Windows Support Tools. To install the Support Tools, run Setup.exe from the Support\Tools folder on the Windows Server 2003 or Windows 2000 Server CD-ROM. 

You can use Dsacls.exe and another Windows Support Tool, ACL Diagnostics (Acldiag.exe), to provide security configuration and diagnosis functionality on Active Directory objects from the command prompt.

Note You can use Dsacls.exe to display and change permissions (access control entries) in the access control list (ACL) of objects in Active Directory Application Mode (ADAM) in Windows Server 2003.

Important Do not use Dsacls.exe to modify permissions if you have implemented a Hosting solution such as Windows-based Hosting, High Volume Exchange (HVE), Hosted Messaging and Collaboration, or Hosted Exchange, or if the customer is using Microsoft Provisioning Service. The Hosting solutions depend on specific security model to isolate the ISP's customers from each other. DsAcls uses the following syntax:

dsacls object [/a] [/d {user | group}:permissions [...]] [/g {user | group}:permissions [...]] [/i:{p | s | t}] [/n] [/p:{y | n}] [/r {user | group} [...]] [/s [/t]]

You can use the following parameters with Dsacls.exe:

• object: This is the path to the directory services object on which to display or change the ACLs. This path must be a distinguished name (also known as RFC 1779 or x.500 format). For example:
  CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com
  To specify a server, add \\Servername\ before the object. For example:
  \\MyServer\CN=Someone,OU=Software,OU=Engineering,DC=Microsoft,DC=Com
  When you run the dsacls command with only the object parameter (dsacls object), the security information about the object is displayed.
• /a : Use this parameter to display the ownership and auditing information with the permissions.
• /d {user | group}:permissions: Use this parameter to deny specified permissions to a user or group.User must use either user@domain or domain\user format, and group must use either group@domain ordomain\group format. You can specify more than one user or group in a command. For more information about the correct syntax to use for permissions, see the <Permissions> Syntax section later in this article.
• /g {user | group}:permissions: Use this parameter to grant specified permissions to a user or group.User must use either user@domain or domain\user format, and group must use either group@domain ordomain\group format. You can specify more than one user or group in a command. For more information about the correct syntax to use for permissions, see the <Permissions> Syntax section later in this article.
• /i:{p | s | t} : Use this parameter to specify one of the following inheritance flags:
  • p: Use this option to propagate inheritable permissions one level only.
  • s: Use this option to propagate inheritable permissions to subobjects only.
  • t: Use this option to propagate inheritable permissions to this object and subobjects.
• /n : Use this parameter to replace the current access on the object, instead of editing it.
• /p:{y | n}: This parameter determines whether the object can inherit permissions from its parent objects. If you omit this parameter, the inheritance properties of the object are not changed. Use this parameter to mark the object as protected (y = yes) or not protected (n = no).
  
  Note This parameter changes a property of the object, not of an Access Control Entry (ACE). To determine whether an ACE is inheritable, use the /I parameter.
• /r {user | group}: Use this parameter to remove all permissions for the specified user or group. You can specify more than one user or group in a command. User must use either user@domain or domain\userformat, and group must use either group@domain or domain\group format.
• /s: Use this parameter to restore the security on the object to the default security for that object class, as defined in the Active Directory schema.
• /t : Use this parameter to restore the security on the tree of objects to the default for each object class. This switch is valid only when you also use the /s parameter.

Permissions Syntax

You must use the following syntax for permissions when you use the /d {user | group}:permissions or /g {user |group}:permissions parameter :

[PermissionBits];[{Object|Property}];[InheritedObjectType]

• PermissionBits can use any of the following values, which can be concatenated together without spaces:
  
  Generic Permissions
  GR	Generic Read
  GE	Generic Execute
  GW	Generic Write
  GA	Generic All

  
  Specific Permissions
  SD	Delete
  DT	Delete an object and all its child objects.
  RC	Read security information
  WD	Change security information
  WO	Change owner information
  LC	List the child objects of an object
  CC	Create child object. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  DC	Delete child object. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  WS	Write to self object. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  RP	Read property. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  WP	Write property. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  CA	Control access right. If {Object|Property} is not specified to define a specific property, this applies to all properties of an object. Otherwise, it applies to the specified property of the object.
  LO	List the object access. Can be used to grant list access to a specific object if List Children (LC) is not also granted to the parent. Can also be denied on specific objects to hide those objects if the user or group has LC on the parent. By default, Active Directory does not enforce this permission.

• {Object|Property}: This represents the display name of the object type or property. For example, "user" (without the quotation marks) is the display name for user objects, and "telephone number" (without the quotation marks) is the display name for the telephone number property.
  
  For example, the following command permits the user to create all types of child objects:
  /G Domain\User:CC
  
  However, the following command permits the user to create only child computer objects:
  /G Domain\User:CC;computer
• InheritedObjectType: This represents the display name of the object type by which the permissions are expected to be inherited.
  
  If an object type is not specified, the permission can be inherited by all object types. This parameter is used only when permissions are inheritable.
  
  For example, the following command permits all types of objects to inherit the permission:
  /G Domain\User:CC
  However, the following command permits only user objects to inherit the permission:
  /G Domain\User:CC;;user

IMPORTANT: Use permissions only when you define object-specific permissions that override the default permissions defined in the Active Directory schema for that object type. Use with caution and only if you have a full understanding of object-specific permissions. 






Examples of Permissions

• SDRCWDWO;;user
  
  This notation represents Delete, Read security information, Change security information, and Change ownership permissions on objects of type "user".
• CCDC;group;
  
  This notation represents Create child and Delete child permissions to create or delete objects of type "group".
• RPWP;telephonenumber;
  
  This notation represents Read property and Write property permissions on the telephone number property.