3.1.6.4 Modifying Directory Server Security Descriptors

To modify the security descriptor for a directory server object, the server MUST perform the following procedure:

  1. Perform an LDAP operation on an ADConnection as specified in [MS-ADTS] section 7.6.1.6, with the following parameters:

    • TaskInputADConnection: DNS Server AD Connection

    • TaskInputRequestMessage: protocolOp is set to searchRequest ([RFC4511] section 4.5). The searchRequest parameters are set as follows:

      • baseObject: The specified distinguished name of the object to be modified.

      • scope: base (0)

      • derefAliases: neverDerefAliases (0)

      • sizeLimit: 0

      • timeLimit: 360

      • typesOnly: FALSE

      • filter: "(objectCategory=*)"

      • attributes: "ntSecurityDescriptor"

  2. If the search request is successful, modify the security descriptor returned to grant or deny the specified rights to the specified local security group.

  3. If the security descriptor is successfully modified, perform an LDAP operation on an ADConnection as specified in [MS-ADTS] section 7.6.1.6, with the following parameters:

    • TaskInputADConnection: DNS Server AD Connection

    • TaskInputRequestMessage: protocolOp is set to modifyRequest ([RFC4511] section 4.6). The modifyRequest parameters are set as follows:

      • object: The specified distinguished name of the object to be modified.

      • changes:

        • operation: replace

        • type: "ntSecurityDescriptor"

        • vals: modified security descriptor
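Step 2 leaves the edit of the returned ntSecurityDescriptor value itself unspecified. The following Python routine is an added illustration, not part of this specification or of any DNS server implementation: it takes a self-relative security descriptor in the [MS-DTYP] binary layout, appends an ACCESS_ALLOWED or ACCESS_DENIED ACE for a group SID to its DACL, and re-sorts the DACL into canonical order before the value is handed to the modifyRequest in step 3. All SIDs, access masks and the sample descriptor are constructed for the example.

```python
import struct

ACCESS_ALLOWED, ACCESS_DENIED = 0x00, 0x01          # AceType values (MS-DTYP 2.4.4.1)
DENY_TYPES = {0x01, 0x06, 0x0A, 0x0C}                # plain, object and callback deny ACEs
INHERITED_ACE = 0x10                                 # AceFlags bit carried by inherited ACEs
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000   # SECURITY_DESCRIPTOR Control bits

def sid_to_bytes(sid):
    """Encode a textual SID such as "S-1-5-32-544" as a binary SID (MS-DTYP 2.4.2.2)."""
    p = sid.split("-"); subs = [int(x) for x in p[3:]]
    return (struct.pack("<BB", int(p[1]), len(subs)) + int(p[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))
def _blob(buf, off, is_acl):
    """Slice the SID or ACL at `off`, sized from its own header; offset 0 means absent."""
    if not off: return b""
    n = struct.unpack_from("<H", buf, off + 2)[0] if is_acl else 8 + 4 * buf[off + 1]
    return buf[off:off + n]
def parse_acl(acl):
    """Split an ACL blob into raw ACE byte strings using each AceSize (MS-DTYP 2.4.5)."""
    aces, off = [], 8
    for _ in range(struct.unpack_from("<H", acl, 4)[0]):
        size = struct.unpack_from("<H", acl, off + 2)[0]
        aces.append(acl[off:off + size]); off += size
    return aces

def make_ace(ace_type, mask, sid, flags=0):
    """ACCESS_ALLOWED_ACE / ACCESS_DENIED_ACE: 4-byte header, access mask, trustee SID."""
    body = struct.pack("<I", mask) + sid_to_bytes(sid)
    return struct.pack("<BBH", ace_type, flags, 4 + len(body)) + body

def build_sd(owner, group, sacl, aces, rev=1, ctrl=0):
    """Self-relative SD: 20-byte header, then owner, group, SACL, DACL (revision 4 = ACL_REVISION_DS)."""
    body = b"".join(aces)
    dacl = struct.pack("<BBHHH", 4, 0, 8 + len(body), len(aces), 0) + body
    off, offs = 20, []
    for blob in (owner, group, sacl, dacl):          # absent components get offset 0
        offs.append(off if blob else 0); off += len(blob)
    return struct.pack("<BBHIIII", rev, 0, ctrl | SE_DACL_PRESENT | SE_SELF_RELATIVE,
                       *offs) + owner + group + sacl + dacl

def split_sd(sd):
    """Inverse of build_sd: (rev, control, owner, group, sacl, dacl_aces)."""
    rev, _, ctrl, o_own, o_grp, o_sacl, o_dacl = struct.unpack_from("<BBHIIII", sd, 0)
    dacl = _blob(sd, o_dacl, True)
    return (rev, ctrl, _blob(sd, o_own, False), _blob(sd, o_grp, False),
            _blob(sd, o_sacl, True), parse_acl(dacl) if dacl else [])

def grant_or_deny(sd, ace_type, mask, sid):
    """Step 2: add an allow/deny ACE for `sid`, then rebuild the SD in canonical ACE order."""
    rev, ctrl, owner, group, sacl, aces = split_sd(sd)
    aces.append(make_ace(ace_type, mask, sid))
    # explicit ACEs before inherited ones, deny before allow within each group (stable sort)
    aces.sort(key=lambda a: (a[1] & INHERITED_ACE, a[0] not in DENY_TYPES))
    return build_sd(owner, group, sacl, aces, rev, ctrl)
```

Object ACEs (types 0x05 to 0x08) and callback ACEs are carried through unchanged because every ACE is sliced by its own AceSize, but the routine only ever creates the two plain ACE types.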