When you create a new object (e.g., a user, a group) in Active Directory (AD), the object automatically receives a set of default access control permissions. Where in AD are these default permissions defined? Can I retrieve them and modify them?
Microsoft has defined a default security descriptor for every AD object class (e.g., user, group). When you create an AD object instance of a particular object class, this default security descriptor establishes the default permissions for that object. The default security descriptor is defined in the AD schema.
You can set the default security descriptor by viewing the AD object class properties. The easiest way to access this information is to use the Microsoft Management Console (MMC) Active Directory Schema snap-in. Before you can use this snap-in, you must register the schmmgmt.dll file by going to the command line and typing
regsvr32 schmmgmt.dll
After you register the file, open the Active Directory Schema snap-in, locate the object class of interest (e.g., the user object) in the classes container, then right-click the object and select Properties from the context menu to open the user Properties dialog box. You can change the default security descriptor on the Security tab, as Figure 1 shows. . . .
Register
