How to configure Network Information Services (NIS) objects in the Active Directory directory service so that a delegated user can modify them (891765)



The information in this article applies to:

  • Microsoft Windows Services for UNIX 3.5

INTRODUCTION

This article describes how to configure Network Information Services (NIS) objects in the Active Directory directory service so that a delegated user can modify them.

When you migrate an NIS domain to Active Directory in Microsoft Windows Services for UNIX 3.5, the NIS objects that the migration creates in Active Directory are configured so that only a domain administrator can modify them. To work around this, you can use a script that adds an access control entry (ACE) to the discretionary access control list (DACL) of each NIS object in Active Directory. The script in this article walks the domain, selects every object that has an msSFU30Name value, and adds an ACE for the delegated user so that the user has permissions to modify UNIX-related attributes for users, groups, and computers in Active Directory.

MORE INFORMATION

To modify the access control list (ACL) entries for the NIS objects in Active Directory, use a script that is similar to the following.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

On Error Resume Next   'Errors are ignored so the loop keeps going (see the msSFU30Name lookup below)
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Const FULL_CONTROL = -1                    '0xFFFFFFFF: every right on the object
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_ACEFLAG_INHERIT_ACE = 2          'ADS_ACEFLAG_ENUM value 2: child objects inherit this ACE

Dim adsObject      'Any object
Dim adsSecDesc     'SecurityDescriptor
Dim adsDACL        'AccessControlList

Dim adsNewACE      'AccessControlEntry
Set adsNewACE = CreateObject("AccessControlEntry")

adsNewACE.Trustee = "useraccount"          'the user who you want to grant permission to
adsNewACE.AccessMask = FULL_CONTROL
adsNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
adsNewACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
'Search the whole domain tree; replace the DC= components with those of your own domain.
objCommand.CommandText = _
	"<LDAP://DC=nisB,DC=sfu,DC=nttest,DC=microsoft,dc=com>;(objectCategory=*);DistinguishedName;subtree"
Set objRecordSet = objCommand.Execute
While Not objRecordSet.EOF
	strADsName = objRecordSet.Fields("DistinguishedName")
	Set obj = GetObject("LDAP://" & strADsName)
	'Only objects that the NIS migration populated carry msSFU30Name. On any other object
	'Get fails, the error is swallowed by On Error Resume Next, and domain stays empty.
	domain = ""
	domain = obj.Get("msSFU30Name")
	If domain <> "" Then
		'Read the security descriptor, append the new ACE to its DACL, and write it back.
		Set adsSecDesc = obj.Get("ntSecurityDescriptor")
		Set adsDACL = adsSecDesc.DiscretionaryAcl
		adsDACL.AddAce adsNewACE
		adsSecDesc.DiscretionaryAcl = adsDACL
		obj.Put "ntSecurityDescriptor", Array(adsSecDesc)
		obj.SetInfo
		Wscript.Echo domain & ":" & obj.Get("name")
	End If
	objRecordSet.MoveNext
Wend
objConnection.Close

Note Replace useraccount with the name of the user account that you want to let modify NIS objects in Active Directory (for example, in DOMAIN\user form). Additionally, modify the Lightweight Directory Access Protocol (LDAP) path in this code depending on your Active Directory domain. Be aware that the ACE the script adds grants full control (AccessMask -1) over each matching object, which is more than editing UNIX attributes requires; if the delegated user only has to maintain UNIX attributes, scope the ACE to write access on those attributes instead. Because the script runs with On Error Resume Next, a failed SetInfo is not reported; verify the resulting ACLs after the script completes.
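The following script is an added example and is not part of this article or of Windows Services for UNIX. It applies the same selection rule as the script above (every object under the search base that has an msSFU30Name value) but, instead of full control, grants the delegate only WriteProperty on the SFU 3.5 UNIX attributes, resolved to their schemaIDGUIDs at run time so that each ACE is limited to one property. It assumes the ActiveDirectory PowerShell module and its AD: drive are available and that the caller is a domain administrator; the attribute list, the -Delegate value, and the -SearchBase value are assumptions to check against your own forest. Without -Apply the script only reports what it would change.

```powershell
<#
Added example, not from KB 891765 or from Services for UNIX.
Grants a delegate WriteProperty on the SFU 3.5 UNIX attributes of every object
that has msSFU30Name set, instead of the full-control ACE the KB script adds.
Assumptions: ActiveDirectory module present (provides the AD: drive), run as a
domain admin; $Delegate and $SearchBase are placeholders supplied by the caller.
#>
param(
    [Parameter(Mandatory)][string]$Delegate,     # e.g. 'CONTOSO\NIS-Delegates' (placeholder)
    [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'DC=contoso,DC=com'     (placeholder)
    [switch]$Apply                               # without -Apply: report only
)

Import-Module ActiveDirectory -ErrorAction Stop

# Attributes that Server for NIS reads and writes on users, groups and hosts.
# This list is an assumption about the SFU 3.5 schema; names not found are skipped.
$attrNames = @(
    'msSFU30Name', 'msSFU30NisDomain', 'msSFU30UidNumber', 'msSFU30GidNumber',
    'msSFU30HomeDirectory', 'msSFU30LoginShell', 'msSFU30Gecos',
    'msSFU30Password', 'msSFU30PosixMember'
)

# Resolve each attribute to its schemaIDGUID so an ACE can be scoped to that property only.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrGuids = @{}
foreach ($name in $attrNames) {
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
    if ($null -eq $attr) { Write-Warning "Attribute '$name' not in schema; skipping"; continue }
    $attrGuids[$name] = [guid]$attr.schemaIDGUID
}
if ($attrGuids.Count -eq 0) { throw 'None of the expected msSFU30 attributes exist in this forest.' }

# Resolve the delegate to a SID once; a mistyped account fails here instead of silently granting nothing.
$delegateSid = (New-Object System.Security.Principal.NTAccount($Delegate)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# One Allow/WriteProperty ACE per attribute, no inheritance: like the KB script the ACE is
# written on each object itself, but it covers a single property rather than the whole object.
$rules = @(foreach ($guid in $attrGuids.Values) {
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $delegateSid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $guid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
})

# Same selection rule as the KB script: objects that carry an msSFU30Name value.
$targets = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(msSFU30Name=*)' -Properties msSFU30Name
foreach ($obj in $targets) {
    $path = "AD:\$($obj.DistinguishedName)"
    if (-not $Apply) {
        Write-Output "WhatIf: would add $($rules.Count) WriteProperty ACEs for $Delegate on $($obj.DistinguishedName)"
        continue
    }
    $acl = Get-Acl -Path $path
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }   # duplicates are merged, so re-runs are safe
    Set-Acl -Path $path -AclObject $acl

    # Read the DACL back and confirm a WriteProperty ACE for the delegate actually landed.
    $applied = (Get-Acl -Path $path).GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $delegateSid -and
            ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -ne 0
        }
    if (-not $applied) { Write-Warning "ACL write on $($obj.DistinguishedName) did not take effect" }
    Write-Output "$($obj.msSFU30Name): $($obj.Name) delegated"
}
```

Run it first without -Apply to see which objects would be touched, then with -Apply. The read-back after Set-Acl is the check the VBScript version cannot give you under On Error Resume Next: a permissions or replication problem shows up as a warning on the affected object rather than being lost.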

REFERENCES

For additional information about Windows Services for UNIX 3.5, visit the following Microsoft Web sites:

Modification Type: Minor
Last Reviewed: 11/15/2005
Keywords: kbinfo kbhowto KB891765 kbAudDeveloper