Single uidNumber and gidNumber permissions on Active Directory user object don't work


  • Environment: Domain 2012 with Windows 2012 Domain Controllers

    I need to delegate uidNumber and gidNumber Active Directory attributes to the Linux team.

    Thus I have set the following permissions on those attributes.

    However, these permissions don't work because they can only view concerned attributes and not edit them.

    If I set the Write All Properties permissions, it works fine because they can edit these attributes.

    But I don't want them to be able to edit all attributes, only uidNumber and gidNumber.

    Is this a bug? Or did I miss something?

    I already had some exchanges here: Windows 2012 General Forum
    Wednesday, January 25, 2017 4:36 PM


  • Finally the solution:

    In our case, permissions must be set on:

    • Descendant Group objects
    • Descendant User objects

    instead of:

    • Descendant posixAccount objects
    • Descendant posixGroup objects

    Thank you, Bousso Mbacke, who helped me with this problem.

    Wednesday, April 19, 2017 3:31 PM
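    The delegation described in the answer above, written out as an added PowerShell example (not code from the thread): it resolves the schema GUIDs at run time and grants read/write on uidNumber and gidNumber only, inherited onto descendant user and group objects rather than the posixAccount/posixGroup auxiliary classes. The OU distinguished name and the delegated group are placeholders.

    ```powershell
    # Added example: delegate write access to uidNumber and gidNumber only.
    # Assumed placeholders: the target OU and the security group being delegated to.
    Import-Module ActiveDirectory   # also provides the AD: PSDrive

    $ouDN      = "OU=Linux,DC=example,DC=com"   # assumed OU to delegate
    $delegatee = "EXAMPLE\LinuxTeam"            # assumed Linux team group

    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # Look up schemaIDGUIDs from the schema instead of hard-coding them.
    function Get-SchemaGuid([string]$ldapDisplayName) {
        $obj = Get-ADObject -SearchBase $schemaNC `
            -LDAPFilter "(lDAPDisplayName=$ldapDisplayName)" -Properties schemaIDGUID
        if (-not $obj) { throw "Schema object '$ldapDisplayName' not found" }
        return [System.Guid]$obj.schemaIDGUID
    }

    $attrGuids  = @{ uidNumber = Get-SchemaGuid 'uidNumber'
                     gidNumber = Get-SchemaGuid 'gidNumber' }
    # Inherit onto the structural classes (user, group); ACEs scoped to the
    # auxiliary classes posixAccount/posixGroup are not applied to the objects.
    $classGuids = @{ user = Get-SchemaGuid 'user'
                     group = Get-SchemaGuid 'group' }

    $sid = (New-Object System.Security.Principal.NTAccount($delegatee)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $acl = Get-Acl -Path "AD:\$ouDN"

    foreach ($class in $classGuids.Keys) {
        foreach ($attr in $attrGuids.Keys) {
            # One ACE per (attribute, inherited object class) pair: ReadProperty
            # and WriteProperty on that attribute only, nothing else.
            $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
                $sid,
                [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
                [System.Security.AccessControl.AccessControlType]::Allow,
                $attrGuids[$attr],
                [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
                $classGuids[$class])
            $acl.AddAccessRule($rule)
        }
    }
    Set-Acl -Path "AD:\$ouDN" -AclObject $acl

    # Verify: show only the ACEs held by the delegated group on this OU.
    (Get-Acl -Path "AD:\$ouDN").Access |
        Where-Object { $_.IdentityReference -eq $delegatee } |
        Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
    ```

    Run it as an account allowed to modify the OU's security descriptor; the final listing should show four ACEs (two attributes times two inherited object classes) and no Write All Properties grant.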
