Source code of Windows XP (NT5)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 
 
 

268 lines
9.5 KiB

;/*++
;
;Copyright (c) 1998-1998 Microsoft Corporation
;
;Module Name:
;
; dsaclsmsg.mc (will create dsaclsmsg.h when compiled)
;
;Abstract:
;
; This file contains the DSACLS messages.
;
;Author:
;
;
;Revision History:
;
;--*/
;//
;// These are simply resource indexes
;//
;#define MSG_TAG_SD 0x8001
;#define MSG_TAG_RC 0x8002
;#define MSG_TAG_WD 0x8003
;#define MSG_TAG_WO 0x8004
;#define MSG_TAG_CC 0x8005
;#define MSG_TAG_DC 0x8006
;#define MSG_TAG_LC 0x8007
;#define MSG_TAG_WS 0x8008
;#define MSG_TAG_WP 0x8009
;#define MSG_TAG_RP 0x800A
;#define MSG_TAG_DT 0x800B
;#define MSG_TAG_LO 0x800C
;#define MSG_TAG_IS 0x800E
;#define MSG_TAG_IT 0x800F
;#define MSG_TAG_IP 0x8010
;#define MSG_TAG_ID 0x8011
;#define MSG_TAG_AC 0x8012
;#define MSG_TAG_GR 0x8013
;#define MSG_TAG_GE 0x8014
;#define MSG_TAG_GW 0x8015
;#define MSG_TAG_GA 0x8016
;#define MSG_TAG_SD_EX 0x8018
;#define MSG_TAG_RC_EX 0x8019
;#define MSG_TAG_WD_EX 0x801A
;#define MSG_TAG_WO_EX 0x801B
;#define MSG_TAG_CC_EX 0x801C
;#define MSG_TAG_DC_EX 0x801D
;#define MSG_TAG_LC_EX 0x801E
;#define MSG_TAG_WS_EX 0x801F
;#define MSG_TAG_WP_EX 0x8020
;#define MSG_TAG_RP_EX 0x8021
;#define MSG_TAG_DT_EX 0x8022
;#define MSG_TAG_LO_EX 0x8023
;#define MSG_TAG_GR_EX 0x8024
;#define MSG_TAG_GE_EX 0x8025
;#define MSG_TAG_GW_EX 0x8026
;#define MSG_TAG_GA_EX 0x8027
;#define MSG_TAG_AC_EX 0x8028
;#define MSG_TAG_PY 0x8029
;#define MSG_TAG_PN 0x8030
;//
;// These values must be flags, since they are used as such during cmdline processing
;//
;#define MSG_TAG_CI 0x0001
;#define MSG_TAG_CN 0x0002
;#define MSG_TAG_CP 0x0004
;#define MSG_TAG_CG 0x0008
;#define MSG_TAG_CD 0x0010
;#define MSG_TAG_CR 0x0020
;#define MSG_TAG_CS 0x0040
;#define MSG_TAG_CT 0x0080
;#define MSG_TAG_CA 0x0100
;#define MSG_TAG_GETSDDL 0x0200
;#define MSG_TAG_SETSDDL 0x0400
;#define MSG_DSACLS_SUCCESS 8002
;#define MSG_DSACLS_FAILURE 8003
;#define MSG_DSACLS_NO_UA 8004
;#define MSG_DSACLS_PARAM_UNEXPECTED 8005
;#define MSG_DSACLS_ACCESS 8006
;#define MSG_DSACLS_AUDIT 8007
;#define MSG_DSACLS_OWNER 8008
;#define MSG_DSACLS_GROUP 8009
;#define MSG_DSACLS_PROTECTED 8010
;#define MSG_DSACLS_INHERIT_TO 8011
;#define MSG_DSACLS_PROPERTY 8012
;#define MSG_DSACLS_OBJECT 8013
;#define MSG_DSACLS_INHERIT 8014
;#define MSG_DSACLS_USER 8015
;#define MSG_DSACLS_RIGHT 8016
;#define MSG_DSACLS_PROCESSED 8017
;#define MSG_DSACLS_EFFECTIVE 8018
;#define MSG_DSACLS_INHERITED 8019
;#define MSG_DSACLS_INHERITED_ALL 8020
;#define MSG_DSACLS_INHERITED_SPECIFIC 8021
;#define MSG_DSACLS_ALLOW 8022
;#define MSG_DSACLS_DENY 8023
;#define MSG_DSACLS_INHERITED_FROM_PARENT 8024
;#define MSG_DSACLS_ACCESS_FOR 8025
;#define MSG_DSACLS_SPECIAL 8026
;#define MSG_DSACLS_NO_ACES 8027
;#define MSG_DSACLS_NO_MATCHING_SID 8028
;#define MSG_DSACLS_NO_MATCHING_GUID 8029
;#define MSG_DSACLS_PROPERTY_PERMISSION_MISMATCH 8030
;#define MSG_DSACLS_EXTENDED_RIGHTS_PERMISSION_MISMATCH 8031
;#define MSG_DSACLS_VALIDATED_RIGHTS_PERMISSION_MISMATCH 8032
;#define MSG_DSACLS_CHILD_OBJECT_PERMISSION_MISMATCH 8033
;#define MSG_DSACLS_INCORRECT_INHERIT 8034
;#define MSG_DSACLS_AUDIT_SUCCESS 8035
;#define MSG_DSACLS_AUDIT_FAILURE 8036
;#define MSG_DSACLS_AUDIT_ALL 8037
;#define MSG_INVALID_OBJECT_PATH 8038
MessageId=8001 SymbolicName=MSG_DSACLS_USAGE
Language=English
Displays or modifies permissions (ACLS) of an Active Directory (AD)
Object
DSACLS object [/I:TSP] [/N] [/P:YN] [/G <group/user>:<perms> [...]]
[/R <group/user> [...]] [/D <group/user>:<perms> [...]]
[/S] [/T] [/A]
object Path to the AD object for which to display or
manipulate the ACLs
Path is the RFC 1779 format of the name, as in
CN=John Doe,OU=Software,OU=Engineering,DC=Widget,DC=com
A specific Active Directory can be denoted by prepending \\server\
to the object, as in
\\ADSERVER\CN=John Doe,OU=Software,OU=Engineering,DC=Widget,DC=US
no options displays the security on the object.
/I Inheritance flags:
T: This object and sub objects
S: Sub objects only
P: Propagate inheritable permissions one level only.
/N Replaces the current access on the object, instead of
editing it.
/P Mark the object as protected
Y:Yes
N:No
If /P option is not present, current protection flag is
maintained.
/G <group/user>:<perms>
Grant specified group (or user) specified permissions.
See below for format of <group/user> and <perms>
/D <group/user>:<perms>
Deny specified group (or user) specified permissions.
See below for format of <group/user> and <perms>
/R <group/user> Remove all permissions for the specified group (or user).
See below for format of <group/user>
/S Restore the security on the object to the default for
that object class as defined in AD Schema.
/T Restore the security on the tree of objects to the
default for the object class.
This switch is valid only with the /S option.
/A When displaying the security on an Active Directory object,
display the ownership and auditing information as well as
the permissions
<user/group> should be in the following forms:
group@domain or domain\group
user@domain or domain\user
<perms> should be in the following form:
[Permission bits];[Object/Property];[Inherited Object Type]
Permission bits can have the following values concatenated together:
Generic Permissions
GR Generic Read
GE Generic Execute
GW Generic Write
GA Generic All
Specific Permissions
SD Delete
DT Delete an object and all of it's children
RC Read security information
WD Change security information
WO Change owner information
LC List the children of an object
CC Create child object
DC Delete a child object
For these two permissions, if [Object/Property] is
not specified to define a specific child object type,
they apply all types of child objects otherwise they
apply to that specific child object type.
WS Write to self object
Meaningful only on Group objects and when [Object/Property]
is filled in as "member"
WP Write property
RP Read property
For these two permissions, if [Object/Property] is not
specified to define a specific property, they apply to
all properties of the object otherwise they apply to that
specific property of the object.
CA Control access right
For this permission, if [Object/Property] is not specified
to define the specific "extended right" for control access,
it applies to all control accesses meaningful on the
object, otherwise it applies to the specific extended right
for that object.
LO List the object access. Can be used to grant
list access to a specific object if
List Children (LC) is not granted to the parent as
well can denied on specific objects to hide those objects
if the user/group has LC on the parent.
NOTE: Active Directory does NOT enforce this permission
by default, it has to be configured to start checking for
this permission.
[Object/Property]
must be the display name of the object type or the property.
for example "user" is the display name for user objects and
"telephone number" is the display name for telephone number property.
[Inherited Object Type]
must be the display name of the object type that the permissions
are expected to be inherited to. The permissions MUST be Inherit Only.
NOTE: This must only be used when defining object specific permissions
that override the default permissions defined in the AD schema for that
object type. USE THIS WITH CAUTION and ONLY IF YOU UNDERSTAND object
specific permissions.
Examples of a valid <perms> would be:
SDRCWDWO;;user
means:
Delete, Read security information, Change security information and
Change ownership permissions on objects of type "user".
CCDC;group;
means:
Create child and Delete child permissions to create/delete objects
of type group.
RPWP;telephonenumber;
means:
read property and write property permissions on telephone number
property
You can specify more than one user in a command.
.