Give access to account to view Member Of attribute on Foreign Security Principal

    Question

  • We have an account that we need to give access to so that it can see the Member Of attribute on any of the accounts in the Foreign Security Principal group. Currently it can see all the accounts in the Foreign Security Principal group and can bring up the properties of an account; however, when clicking on the Member Of tab, it shows up as blank. We had another account that was an administrator get into Active Directory, and they were able to see the groups the account was a member of, so it is obviously a permissions issue for the other account.

    Pretty much the same question as was listed here:

    http://www.activedir.org/ListArchives/tabid/55/forumid/1/postid/28317/view/topic/Default.aspx

    I also wanted to get this working for the account without setting "read all properties", if possible.

    Wednesday, May 25, 2011 2:32 PM

Answers

  • No

    Use ADSIEdit.msc - right click on an FSP object, display its Properties dialog box, switch to the Security tab, click on the Advanced command button, click on the Add... command button on the Permissions tab, provide the group/user you want to delegate permissions to, click on OK, in the Permissions Entry dialog box switch to the Properties tab, in the Apply onto list select Foreign Security Principal objects, scroll down to Read memberOf, and select the checkbox in the Allow column.

    hth
    Marcin

    Wednesday, May 25, 2011 6:40 PM
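
The same delegation scripted in PowerShell, as an added example that is not part of the original thread: it grants only Read on memberOf, scoped to foreignSecurityPrincipal objects, rather than "read all properties". Assumptions: the group name `CONTOSO\FSP-Membership-Readers` is hypothetical, the ActiveDirectory module (RSAT) is installed, and the ACE is placed on the ForeignSecurityPrincipals container so that it inherits to the FSP objects beneath it.

```powershell
# Added example: delegate "Read memberOf" on Foreign Security Principal objects only.
Import-Module ActiveDirectory

# Assumption: hypothetical group that should receive the delegation.
$delegate = 'CONTOSO\FSP-Membership-Readers'

$rootDse  = Get-ADRootDSE
$domainDn = $rootDse.defaultNamingContext
$schemaNc = $rootDse.schemaNamingContext

# Resolve a schemaIDGUID from the forest schema instead of hard-coding it.
function Get-SchemaGuid([string]$LdapName) {
    $obj = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
    if (-not $obj) { throw "Schema object '$LdapName' not found." }
    [guid]$obj.schemaIDGUID
}

$memberOfGuid = Get-SchemaGuid 'memberOf'                  # attribute to expose
$fspClassGuid = Get-SchemaGuid 'foreignSecurityPrincipal'  # object class to apply onto

# Translate the delegate to a SID so the ACE does not depend on name resolution later.
$sid = (New-Object System.Security.Principal.NTAccount($delegate)).Translate(
    [System.Security.Principal.SecurityIdentifier])

$rights  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# Allow ReadProperty on memberOf, inherited only by foreignSecurityPrincipal objects.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList `
    $sid, $rights, $allow, $memberOfGuid, $inherit, $fspClassGuid

$path = "AD:\CN=ForeignSecurityPrincipals,$domainDn"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: list the ACEs on the container that target memberOf for FSP objects.
(Get-Acl -Path $path).Access |
    Where-Object { $_.ObjectType -eq $memberOfGuid -and
                   $_.InheritedObjectType -eq $fspClassGuid } |
    Format-List IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```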

All replies

  • Have you tried granting Read permissions to the memberOf attribute?

    hth
    Marcin

    Wednesday, May 25, 2011 3:44 PM
  • I found the following properties:

    Read group membership
    Read groupMembershipSAM

    Is this what you are referring to?

    Wednesday, May 25, 2011 5:19 PM
  • No

    Use ADSIEdit.msc - right click on an FSP object, display its Properties dialog box, switch to the Security tab, click on the Advanced command button, click on the Add... command button on the Permissions tab, provide the group/user you want to delegate permissions to, click on OK, in the Permissions Entry dialog box switch to the Properties tab, in the Apply onto list select Foreign Security Principal objects, scroll down to Read memberOf, and select the checkbox in the Allow column.

    hth
    Marcin

    Wednesday, May 25, 2011 6:40 PM
  • Sorry I am a bit new at this.  What advantage does ADSIEdit give over just setting the security through Active Directory Users and Computers?  Does it have a more granular approach to the security?
    Wednesday, May 25, 2011 7:52 PM
  • Direct access to the individual objects and their attributes - including assigning permissions on the attribute level - which you are looking for...

    hth
    Marcin


    Wednesday, May 25, 2011 10:14 PM