17.9.1 ProblemYou want to delegate control over the management of an application partition. 17.9.2 Solution17.9.2.1 Using a graphical user interface
17.9.2.2 Using a command-line interface> dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-NC-Replica-Locations > dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-SDReferenceDomain > dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-[RETURN] First-DSA-Delay > dsacls <AppPartitionCrossRefDN> /G <UserOrGroup>:RPWP;msDS-Replication-Notify-[RETURN] Subsequent-DSA-Delay 17.9.2.3 Using VBScript' This script delegates control over the four key attributes ' of an app partition to the specified user or group. ' ------ SCRIPT CONFIGURATION ------ ' Fully qualified DNS name of app partition strAppPart = "<AppPartitionFQDN>" ' e.g. apps.rallencorp.com ' User or group to delegate control to strUser = "<UserOrGroup>" ' e.g. joe@rallencorp.com or RALLENCORP\joe ' ------ END CONFIGURATION --------- '############################ ' Constants '############################ ' ADS_ACETYPE_ENUM Const ADS_ACETYPE_ACCESS_ALLOWED = &h0 Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &h5 ' ADS_FLAGTYPE_ENUM Const ADS_FLAG_OBJECT_TYPE_PRESENT = &h1 ' ADS_RIGHTS_ENUM Const ADS_RIGHT_DS_WRITE_PROP = &h20 Const ADS_RIGHT_DS_READ_PROP = &h10 ' schemaIDGUID values Const REPLICA_LOCATIONS = "{97de9615-b537-46bc-ac0f-10720f3909f3}" Const SDREFERENCEDOMAIN = "{4c51e316-f628-43a5-b06b-ffb695fcb4f3}" Const NOTIFY_FIRST_DSA_DELAY = "{85abd4f4-0a89-4e49-bdec-6f35bb2562ba}" Const NOTIFY_SUBSEQUENT_DSA_DELAY = "{d63db385-dd92-4b52-b1d8-0d3ecc0e86b6}" '############################ ' Find App Partition '############################ set objRootDSE = GetObject("LDAP://RootDSE") strBase = "<LDAP://cn=Partitions," & _ objRootDSE.Get("ConfigurationNamingContext") & ">;" strFilter = "(&(objectcategory=crossRef)(dnsRoot=" & _ strAppPart & "));" strAttrs = "cn,distinguishedName;" strScope = "onelevel" set objConn = CreateObject("ADODB.Connection") objConn.Provider = "ADsDSOObject" objConn.Open "Active Directory Provider" Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope) if objRS.RecordCount <> 1 then WScript.Echo "Did not find a match for " & strAppPart else objRS.MoveLast set objAppPart = GetObject("LDAP://" & _ objRS.Fields("distinguishedName").Value ) end if '############################ ' Create ACL '############################ set objSD = objAppPart.Get("ntSecurityDescriptor") set objDACL = objSD.DiscretionaryAcl ' Read/Write Property: msDS-NC-Replica-Locations set objACE1 = CreateObject("AccessControlEntry") objACE1.Trustee = strUser objACE1.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP objACE1.AceFlags = 0 objACE1.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT objACE1.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT objACE1.ObjectType = REPLICA_LOCATIONS ' ' Read/Write Property: msDS-SDReferenceDomain set objACE2 = CreateObject("AccessControlEntry") objACE2.Trustee = strUser objACE2.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP objACE2.AceFlags = 0 objACE2.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT objACE2.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT objACE2.ObjectType = SDREFERENCEDOMAIN ' Read/Write Property: msDS-Replication-Notify-First-DSA-Delay set objACE3 = CreateObject("AccessControlEntry") objACE3.Trustee = strUser objACE3.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP objACE3.AceFlags = 0 objACE3.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT objACE3.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT objACE3.ObjectType = NOTIFY_FIRST_DSA_DELAY ' Read/Write Property: msDS-Replication-Notify-Subsequent-DSA-Delay set objACE4 = CreateObject("AccessControlEntry") objACE4.Trustee = strUser objACE4.AccessMask = ADS_RIGHT_DS_WRITE_PROP Or ADS_RIGHT_DS_READ_PROP objACE4.AceFlags = 0 objACE4.Flags = ADS_FLAG_OBJECT_TYPE_PRESENT objACE4.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT objACE4.ObjectType = NOTIFY_SUBSEQUENT_DSA_DELAY objDACL.AddAce objACE1 objDACL.AddAce objACE2 objDACL.AddAce objACE3 objDACL.AddAce objACE4 '############################ ' Set ACL '############################ objSD.DiscretionaryAcl = objDACL objAppPart.Put "ntSecurityDescriptor", objSD objAppPart.SetInfo WScript.Echo "Delegated control of " & strAppPart & " to " & strUser 17.9.3 DiscussionIf you want to delegate control of management of application partitions, you must grant control over four key attributes. Here is a description of each attribute and what can be accomplished by having control over it:
If you want to delegate control over managing objects within the application partition, you need to follow the same procedures you would when delegating control over objects in a domain naming context. See Recipe 14.5 for more information on delegating control. 17.9.4 See AlsoRecipe 14.5 for delegating control, Recipe 17.3 for more on adding and removing replica servers, Recipe 17.7 for more on the replication delay attributes, and Recipe 17.8 for more on the default security descriptor domain |