Those are either "extended-rights" or "property sets". They aren't anything
special about dsacls; they are an AD thing. You just have to understand the AD
security model, and once there, the help from dsacls makes more sense.
You can list all "extended-rights" and "property sets" in the extended-rights
container of the config container. Far below I have listed the whole set of
those items found in that container; make note of the case of each string, as it
is important.
You can determine what is an "extended-right" versus a "property set" by looking
at the validAccesses attribute on the objects. See
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp
"Property sets" and "extended-rights" are kind of cool, but it seems, IMO, that
MS only half-heartedly implemented them; they could do some very cool things
very easily, but they dropped the ball, I think. Additionally, they are tougher to
work with in an ACL model that is already a bit involved. Trust me when I say
that DSACLS is much simpler for doing this stuff than dealing with the ACLs directly
with script or code, but not as easy as the GUI. Still, DSACLS has its own issues
as well. One of the most annoying I have run into is that you need to be exact
on case or you will get a parameter error.
Anyway, "property sets" can have WP (Write Property), WS (Write Self), or RP
(Read Property) set on them depending on the type of set; validated writes, for
instance, take WS. "Extended-rights" can only have CA (Control Access) set on them.
So, for instance, to set "Reset Password" you need to set CA on the specific object:
dsacls <somedn> /I:T /G "<somedomain\somegroup>:CA;Reset Password;"
but setting "Validated write to DNS host name" would be like
dsacls <somedn> /I:T /G "<somedomain\somegroup>:WS;Validated write to DNS host name;"
and setting Write on "Account Restrictions" is handled like:
dsacls <somedn> /I:T /G "<somedomain\somegroup>:WP;Account Restrictions;"
Of course you can "usually" slap multiple permissions together onto a single
command line with a
dsacls <somedn> /I:T /G "secprin:access;perm" "secprin:access;perm" "secprin:access;perm" "secprin:access;perm" "secprin:access;perm" etc...
Occasionally you will hit something that it won't let you put together, and you
may even have the opportunity to see a crash of dsacls, which I have seen on a couple
of occasions when linking up ACL updates like that.
With that info, you should be able to put together the appropriate command line
to set a computer object to allow someone specific to join it.
All objects in the extended-rights container. Again, to determine what type of
objects they are, look at the validAccesses attribute.
F:\DEV\cpp\NetSess>adfind -config -rb cn=extended-rights displayname -nodn -nolabel -sort displayname
AdFind V01.26.00cpp Joe Richards ([email protected]) February 2005
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: cn=extended-rights,CN=Configuration,DC=joe,DC=com
Account Restrictions
Add GUID
Add PF to admin group
Add/Remove Replica In Domain
Add/Remove self as member
Administer information store
Allocate Rids
Allowed to Authenticate
Apply Group Policy
Change Domain Master
Change Infrastructure Master
Change Password
Change PDC
Change Rid Master
Change Schema Master
Check Stale Phantoms
Create Inbound Forest Trust
Create named properties in the information store
Create public folder
Create top level public folder
DNS Host Name Attributes
Do Garbage Collection
Domain Administer Server
Domain Password & Lockout Policies
Enable Per User Reversibly Encrypted Password
Enroll
Enumerate Entire SAM Domain
Exchange administrator
Exchange full administrator
Exchange public folder read-only administrator
Exchange public folder service
Execute Forest Update Script
General Information
Generate Resultant Set of Policy (Logging)
Generate Resultant Set of Policy (Planning)
Group Membership
Logon Information
Mail-enable public folder
Manage Replication Topology
Migrate SID History
Modify public folder ACL
Modify public folder admin ACL
Modify public folder deleted item retention
Modify public folder expiry
Modify public folder quotas
Modify public folder replica list
Monitor Active Directory Replication
Open Address List
Open Connector Queue
Open mail send queue
Other Domain Parameters (for use by SAM)
Peek Computer Journal
Peek Dead Letter
Peek Message
Personal Information
Phone and Mail Options
Public Information
Query Self Quota
Read metabase properties
Reanimate Tombstones
Recalculate Hierarchy
Recalculate Security Inheritance
Receive As
Receive Computer Journal
Receive Dead Letter
Receive Journal
Receive Message
Refresh Group Cache for Logons
Remote Access Information
Remove PF from admin group
Replicating Directory Changes
Replicating Directory Changes All
Replication Synchronization
Reset Password
Send As
Send Message
Send To
Unexpire Password
Update Password Not Required Bit
Update Schema Cache
Validated write to DNS host name
Validated write to service principal name
View information store status
Web Information
85 Objects returned
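As an added example (not from the post above), the following Python helper assembles the kind of multi-grant dsacls command line the post describes, enforcing the exact-case right names and the access code each kind of right takes (CA for extended rights, WS for validated writes, WP for property sets), so a case slip like "Validated Write" is caught before dsacls reports a parameter error. The computer DN and the group "JOE\Desktop Admins" are constructed sample values; the set of four rights used for the delegation is an assumption for illustration (the post leaves the exact combination to the reader), and treating "Validated write to service principal name" as a WS validated write is likewise assumed from its name.

```python
# Added example (not from the post): assemble one dsacls command line from a
# list of rights, enforcing the exact-case names and the access code each kind
# of right takes (CA for extended rights, WS for validated writes, WP for
# property sets), so a case slip is caught before dsacls reports a parameter error.

# Right names copied from the post's extended-rights listing, with the access
# code the post pairs with each kind. Assumption: "Validated write to service
# principal name" is a validated write like the DNS host name one, so it takes WS.
RIGHT_ACCESS = {
    "Reset Password": "CA",                              # extended right
    "Validated write to DNS host name": "WS",            # validated write
    "Validated write to service principal name": "WS",   # validated write (assumed)
    "Account Restrictions": "WP",                        # property set
}

# Lower-cased index so a wrong-case name can be reported with its exact spelling.
_BY_FOLDED_NAME = {name.lower(): name for name in RIGHT_ACCESS}


class RightNameError(ValueError):
    """Raised for an unknown right or one spelled with the wrong case."""


def resolve_right(name):
    """Return (exact_name, access_code) for a right, rejecting case mismatches."""
    if name in RIGHT_ACCESS:
        return name, RIGHT_ACCESS[name]
    exact = _BY_FOLDED_NAME.get(name.lower())
    if exact is not None:
        raise RightNameError(f"case mismatch: {name!r} must be written {exact!r}")
    raise RightNameError(f"unknown right: {name!r}")


def grant_args(principal, rights):
    """One "secprin:access;perm;" token per right, in dsacls /G syntax."""
    return [f'"{principal}:{access};{exact};"'
            for exact, access in map(resolve_right, rights)]


def _quote(token):
    """dsacls needs a DN containing spaces wrapped in double quotes."""
    return f'"{token}"' if " " in token else token


def dsacls_command(object_dn, principal, rights, inherit="T"):
    """Full command line: dsacls <dn> /I:<inherit> /G <grant> <grant> ..."""
    return " ".join(["dsacls", _quote(object_dn), f"/I:{inherit}", "/G",
                     *grant_args(principal, rights)])


if __name__ == "__main__":
    # Constructed sample: a pre-created computer object and a delegated group.
    cmd = dsacls_command(
        "CN=WS01,OU=Workstations,DC=joe,DC=com",
        r"JOE\Desktop Admins",
        list(RIGHT_ACCESS),
    )
    print(cmd)
    try:
        resolve_right("Validated Write to DNS host name")   # capital W: rejected
    except RightNameError as err:
        print("rejected:", err)
```

The case check is the part worth keeping: dsacls itself only tells you "parameter error", so validating the names against a known-good list before running the command makes a delegation script fail early with a usable message.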