This step-by-step article describes how to modify Active
Directory object attributes. The example in this article changes the defaultSecurityDescriptor
attribute of the Organizational Unit object to remove the Read
permission from the members of the Authenticated Users group.

Caution
Microsoft recommends that you use caution if you modify the
Active Directory schema. This operation is an advanced operation that is best
performed programmatically by experienced programmers and system
administrators. For detailed information about how to modify the Active
Directory schema, see the Active Directory Programmer's Guide.
Enable Write Operations to Schema
- Log on to your computer with an account that is a member of
the Schema Administrators group.
- Install the Active Directory Schema snap-in. To do so,
double-click the I386\Adminpak.msi file on your Windows 2000
Server CD-ROM. For more information about how to install the Active Directory
schema snap-in, visit the following Microsoft Web site:
Note If you cannot install the Administration Pack from the Windows
2000 Server CD-ROM, copy the Adminpak.msi file to your desktop, and then
double-click the Adminpak.msi file.
information about the Administration Pack, click the following article number
to view the article in the Microsoft Knowledge Base:
How to use Adminpak.msi to install a specific server administration tool in Windows
- To start the Active Directory Schema snap-in, click
Start, click Run, type
schmmgmt.msc in the Open box, and then
- Right-click Active Directory Schema, and
then click Operations Master.
- Click to select the The Schema may be modified on
this Domain Controller check box, and then click
Modify the Security Descriptor Attribute
- Click Start, point to
Programs, point to Windows 2000 Support
Tools, point to Tools, and then click ADSI
Note To install Windows 2000 Support Tools, double-click
Setup.exe in the Support\Tools folder on your Windows 2000
- In ADSI Editor, expand the Schema naming
context, and then click the
- In the right pane, right-click
CN=Organizational-Unit, and then click
Properties. This opens the CN=Organizational-Unit
Properties dialog box.
- In the Select which properties to view
box, click Optional.
- In the Select a property to view box,
- Right-click in the Value(s) box, and then
click Select All. Press CTRL+C to copy the string.
- Start Notepad, and then click Paste on the
- Examine the content. Locate, and then delete the following
- Press CTRL+A to select the whole contents, press CTRL+C to
copy it, and then press CTRL+V to put the contents into the Edit
Attribute box in the CN=Organizational-Unit
Properties dialog box. Click Set, and then click
- In the Active Directory Schema snap-in, right-click
Active Directory Schema, and then click Reload the
schema. Quit the Active Directory Schema snap-in.
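The Notepad edit in the steps above can be checked mechanically instead of by eye. The following Python sketch is an added example, not part of the original article or any Microsoft tool: it parses an SDDL string such as the defaultSecurityDescriptor value, selects the allow ACEs that give Authenticated Users (AU) only read-type rights, removes them, and verifies that no other ACE changed. The sample string and all function names are constructed for illustration, and only simple six-field ACEs are assumed.

```python
import re

# SDDL rights codes used on directory objects (subset; generic rights omitted).
RIGHTS = {"RP": "read property", "WP": "write property", "CC": "create child",
          "DC": "delete child", "LC": "list contents", "LO": "list object",
          "RC": "read control", "SD": "delete", "WD": "write DAC",
          "WO": "write owner", "DT": "delete tree", "SW": "self write",
          "CR": "control access"}
READ_ONLY = {"RP", "LC", "LO", "RC"}
ACE_RE = re.compile(r"\(([^()]*)\)")

# Constructed sample, not a value from the article: use the string copied from ADSI Edit.
SAMPLE = ("D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
          "(A;;RPLCLORC;;;AU)S:(AU;SA;WPWD;;;WD)")

def parse_aces(sddl):
    """Split an SDDL string into its ACEs (assumption: simple six-field ACEs only)."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError("unsupported ACE: " + m.group(0))
        codes = [fields[2][i:i + 2] for i in range(0, len(fields[2]), 2)]
        aces.append({"text": m.group(0), "type": fields[0],
                     "rights": codes, "trustee": fields[5]})
    return aces

def read_grants(sddl, trustee="AU"):
    """Allow ACEs that give `trustee` nothing but read-type rights."""
    return [a["text"] for a in parse_aces(sddl)
            if a["type"] == "A" and a["trustee"] == trustee
            and a["rights"] and set(a["rights"]) <= READ_ONLY]

def remove_read_grants(sddl, trustee="AU"):
    """Return (edited string, removed ACEs); every other ACE must survive intact."""
    removed = read_grants(sddl, trustee)
    edited = sddl
    for text in removed:
        edited = edited.replace(text, "", 1)
    kept = [a["text"] for a in parse_aces(sddl) if a["text"] not in removed]
    if [a["text"] for a in parse_aces(edited)] != kept:
        raise RuntimeError("edit touched ACEs that were not selected")
    return edited, removed

def describe(ace_text):
    """Spell out the rights of one ACE for review before pasting it back."""
    ace = parse_aces(ace_text)[0]
    return ace["trustee"] + ": " + ", ".join(RIGHTS.get(c, c) for c in ace["rights"])
```

The audit ACE in the sample has the ACE type AU, which a plain text search for "AU" in Notepad would also match; the parser compares the trustee field only, so that ACE is left in place.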
How to Change the Default Permissions on Group Policy Objects in Windows 2000
Article ID: 265399 - Last Review: September 11, 2007 - Revision: 2.4
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server