Microsoft KB Archive/891765

= How to configure Network Information Services (NIS) objects in the Active Directory directory service so that a delegated user can modify them =

Article ID: 891765

Article Last Modified on 11/5/2007

APPLIES TO

 * Microsoft Windows Services for UNIX 3.5

INTRODUCTION
This article describes how to configure Network Information Services (NIS) objects in the Active Directory directory service so that a delegated user can modify them.

When you migrate an NIS domain to Active Directory in Microsoft Windows Services for UNIX 3.5, the NIS objects in Active Directory are configured so that only a domain administrator can modify them. To work around this, you can use a script to modify the access control list (ACL) entries for the NIS objects in Active Directory. You can modify the ACL entries so that a delegated user has permissions to modify UNIX-related attributes for users, groups, and computers in Active Directory.
MORE INFORMATION
To modify the access control list (ACL) entries for the NIS objects in Active Directory, use a script that is similar to the following.

Microsoft provides programming examples for illustration only, without warranty either expressed or implied. This includes, but is not limited to, the implied warranties of merchantability or fitness for a particular purpose. This article assumes that you are familiar with the programming language that is being demonstrated and with the tools that are used to create and to debug procedures. Microsoft support engineers can help explain the functionality of a particular procedure, but they will not modify these examples to provide added functionality or construct procedures to meet your specific requirements.

```vbscript
On Error Resume Next   'errors are swallowed; a failed Get, Put or SetInfo is not reported
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"

Const FULL_CONTROL = -1   'all rights on the object, not only the UNIX attributes
Const ADS_ACETYPE_ACCESS_ALLOWED = 0
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = 2   'used as the AceFlags value; 2 is the inherit flag (ADS_ACEFLAG_INHERIT_ACE)

Dim adsObject     'Any object
Dim adsSecDesc    'SecurityDescriptor
Dim adsDACL       'AccessControlList
Dim adsNewACE     'AccessControlEntry
Set adsNewACE = CreateObject("AccessControlEntry")

adsNewACE.Trustee = "useraccount" 'the user who you want to grant permission to
adsNewACE.AccessMask = FULL_CONTROL
adsNewACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
adsNewACE.AceFlags = ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
'The search base in angle brackets is a placeholder; set it to the LDAP path of your domain.
objCommand.CommandText = _
    "<LDAP://DC=example,DC=com>;(objectCategory=*);DistinguishedName;subtree"
Set objRecordSet = objCommand.Execute
While Not objRecordSet.EOF
    strADsName = objRecordSet.Fields("DistinguishedName")
    Set obj = GetObject("LDAP://" & strADsName)
    domain = ""
    domain = obj.Get("msSFU30Name")   'stays empty, and the object is skipped, when the attribute is not set
    If domain <> "" Then
        Set adsSecDesc = obj.Get("ntSecurityDescriptor")
        Set adsDACL = adsSecDesc.DiscretionaryAcl
        adsDACL.AddAce adsNewACE
        adsSecDesc.DiscretionaryAcl = adsDACL
        obj.Put "ntSecurityDescriptor", Array(adsSecDesc)
        obj.SetInfo
        WScript.Echo domain & ":" & obj.Get("name")
    End If
    objRecordSet.MoveNext
Wend
objConnection.Close
```

Note: Replace useraccount in adsNewACE.Trustee with the name of the user account that you want to let modify NIS objects in Active Directory. Additionally, modify the Lightweight Directory Access Protocol (LDAP) path in this code depending on your Active Directory domain.
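As an added example that is not part of the KB article, the same delegation written in PowerShell against the ADSI .NET classes, narrowed to least privilege: instead of FULL_CONTROL the trustee receives WriteProperty on named SFU attributes only, with each attribute's schemaIDGUID resolved so the ACE is property-specific. The account EXAMPLE\nisadmin is a placeholder and the msSFU30* attribute list is an assumption about the SFU 3.5 schema; any name not found in the schema is reported and skipped.

```powershell
# Added example, not from the KB article: grant WriteProperty on named SFU attributes
# of every NIS object instead of the FULL_CONTROL the KB script grants.
# Assumptions: 'EXAMPLE\nisadmin' is a placeholder account; the msSFU30* names are
# assumed SFU 3.5 attributes and are resolved from the schema by name, so a name that
# does not exist is reported and skipped rather than granted.
Add-Type -AssemblyName System.DirectoryServices

$trustee    = New-Object System.Security.Principal.NTAccount('EXAMPLE\nisadmin')
$attributes = 'msSFU30Name', 'msSFU30NisDomain', 'msSFU30UidNumber',
              'msSFU30GidNumber', 'msSFU30HomeDirectory', 'msSFU30LoginShell'

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNC = [ADSI]"LDAP://$($rootDse.schemaNamingContext)"
$domainNC = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

# Resolve each attribute's schemaIDGUID; a property-specific ACE carries it as ObjectType.
$attrGuids = @{}
foreach ($name in $attributes) {
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = $schemaNC
    $s.Filter = "(lDAPDisplayName=$name)"
    [void]$s.PropertiesToLoad.Add('schemaIDGUID')
    $r = $s.FindOne()
    if ($null -eq $r) { Write-Warning "attribute $name not found in schema; skipped"; continue }
    $attrGuids[$name] = New-Object Guid(,[byte[]]$r.Properties['schemaidguid'][0])
}

# Select the same objects the KB script changes: those that carry an msSFU30Name value.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domainNC
$searcher.Filter = '(msSFU30Name=*)'
$searcher.PageSize = 500
foreach ($res in $searcher.FindAll()) {
    $obj = $res.GetDirectoryEntry()
    foreach ($guid in $attrGuids.Values) {
        $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $trustee,
            [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
            [System.Security.AccessControl.AccessControlType]::Allow,
            $guid)
        $obj.ObjectSecurity.AddAccessRule($rule)
    }
    $obj.CommitChanges()   # writes the modified ntSecurityDescriptor back to the object
    Write-Output ('{0}:{1}' -f $obj.Properties['msSFU30Name'].Value, $obj.Name)
}
```

Run it as an account that can modify the security descriptors of the NIS objects; the resulting ACEs can be checked afterwards with Get-Acl on the AD: drive or in ADSI Edit.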

