Recipe 10.19 Modifying the Default Security of a Class

10.19.1 Problem

You want to modify the default security that is applied to objects instantiated from a particular structural class.

10.19.2 Solution

For Windows 2000 Active Directory, you need to enable schema modifications before proceeding. See Recipe 10.2 for more information.

Using a graphical user interface

  1. Open the Active Directory Schema snap-in.

  2. In the left pane, click on the Classes folder.

  3. In the right pane, double-click the class whose default security you want to modify.

  4. Click the Default Security tab.

  5. Modify the security as necessary.

  6. Click OK.

10.19.3 Discussion

Whenever a new object is created in Active Directory, a default security descriptor (SD) is applied to it along with any inherited security from its parent container. The default security descriptor is stored in the defaultSecurityDescriptor attribute of the classSchema object. If you modify the default SD, every new object of that class gets the modified SD, but existing objects are not affected.
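
The following is an added example, not code from the original recipe. The defaultSecurityDescriptor attribute holds the SD as an SDDL string, so a modified default can be reviewed by parsing that string; this Python code flags allow ACEs that give broad trustees write-class rights. The function names, the trustee and rights lists, and the sample SDDL value are assumptions constructed for illustration.

```python
import re

# Rights that modify or delete the object or its children: SDDL code -> mask bit.
WRITE_RIGHTS = {"CC": 0x1, "DC": 0x2, "WP": 0x20, "DT": 0x40, "SD": 0x10000,
                "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000, "GW": 0x40000000}
# Broad trustees: Everyone, Authenticated Users, Anonymous, Domain Users,
# BUILTIN\Users, Pre-Windows 2000 Compatible Access.
BROAD_TRUSTEES = {"WD", "AU", "AN", "DU", "BU", "RU"}

def parse_dacl(sddl):
    """Return the DACL's ACEs as dicts. Conditional ACEs are not handled."""
    m = re.search(r"D:[A-Z]*((?:\([^()]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in re.findall(r"\(([^()]*)\)", m.group(1)):
        # type;flags;rights;object_guid;inherit_object_guid;trustee
        f = (body.split(";") + [""] * 6)[:6]
        aces.append({"type": f[0], "flags": f[1], "rights": f[2],
                     "object": f[3], "trustee": f[5]})
    return aces

def write_rights(rights):
    """Write-class rights named in a rights field (letter codes or 0x mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return {name for name, bit in WRITE_RIGHTS.items() if mask & bit}
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return codes & set(WRITE_RIGHTS)

def risky_aces(sddl):
    """Allow ACEs that give a broad trustee any write-class right."""
    findings = []
    for ace in parse_dacl(sddl):
        granted = write_rights(ace["rights"])
        if (ace["type"] in ("A", "OA") and ace["trustee"] in BROAD_TRUSTEES
                and granted):
            scope = ace["object"] or "whole object"
            findings.append((ace["trustee"], sorted(granted), scope))
    return findings

# Constructed sample defaultSecurityDescriptor value (not a real class default);
# the GUID is a placeholder.
SAMPLE_SDDL = ("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)"
               "(OA;;WP;00000000-0000-0000-0000-000000000001;;AU)(A;;0x20;;;WD)")

if __name__ == "__main__":
    for trustee, rights, scope in risky_aces(SAMPLE_SDDL):
        print(f"{trustee} is granted {', '.join(rights)} on {scope}")
```

Deny ACEs and ACE ordering are not evaluated, so a finding means the ACE deserves a look, not that the access is necessarily effective.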

10.19.4 See Also

MS KB 265399 (HOW TO: Change Default Permissions for Objects That Are Created in the Active Directory)
