Expand nTSecurityDescriptor attribute on group object


We want to add the nTSecurityDescriptor attribute on group objects via the Active Roles (5.2.4) Web Interface.

Our problem is that we only see the three rights "read", "write" and "full control" (see attached file "ntsecuritydescriptorAR.jpg") when we add the attribute to the Web Interface.

If I control this attribute via Active Directory, I have many more rights to select (see attached file "ntsecuritydescriptor.jpg").

Why can't we see these "additional" rights via the Active Roles Web Interface?

Is there a special "edsa attribute" for this?




  • ARS Web UI does not support editing AD permissions, only file and share permissions.
    Technically, Web UI can't present so-called "object-specific" Access Control Entries (see this MSDN article for details: msdn2.microsoft.com/.../aa379293(VS.85).aspx).

    What scenario do you need to cover? Probably, I would be able to suggest a solution here.

  • Hi Andrei,

    In our environment, we have one centralized IT team and several decentralized IT teams. The decentralized teams can only use the Active Roles web interface to manage their AD objects. Each team has access to its own OU.

    In this specific scenario, the decentralized admins must have the ability to delegate rights like "Add/Remove Self as Member" or "Send as" to distribution groups.

    Without this ability, the decentralized admins must contact us (central IT team) and we must set these rights.

  • In reply to frank m.:

    Hi Frank, digging out this old rat... Did you manage to configure this as I'm struggling with this ability for our Helpdesk as well.
  • In reply to bezibaerchen:

    For the record: I was able to solve the SendAs issue by creating / altering an access template permitting read/write for the helpdesk group to edsvaSendAsTrustees and customizing the WI to display and edit this.
  • In reply to bezibaerchen:

    Good job! It's always worth a look to see if there exists an AR "calculated" virtual attribute that can help to simplify some of the more complex AD ones.
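
Added example, not part of the original thread and not Active Roles code: a small SDDL reader that separates plain ACEs from the object-specific ACEs mentioned above, showing that "Send As" and "Add/Remove Self as Member" are stored as ACEs carrying an object GUID. The descriptor, the SID and the function names are constructed for illustration, and only two-letter SDDL rights codes are handled.

```python
import re

# Schema GUIDs of the two rights named in the thread.
OBJECT_GUIDS = {
    "ab721a54-1e2f-11d0-9819-00aa0040529b": "Send As (extended right)",
    "bf9679c0-0de6-11d0-a285-00aa003049e2": "Add/Remove Self as Member (validated write)",
}
RIGHTS = {"GA": "generic all", "GR": "generic read", "GW": "generic write",
          "RP": "read property", "WP": "write property",
          "CR": "control access", "SW": "self write"}

# Constructed sample descriptor: the SID and the ACE set are made up.
HELPDESK = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_SDDL = (
    "O:DAG:DAD:AI"
    "(A;;RPWP;;;AU)"
    f"(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;{HELPDESK})"
    f"(OA;;SW;bf9679c0-0de6-11d0-a285-00aa003049e2;;{HELPDESK})"
    "(A;;GA;;;DA)"
)

def parse_dacl(sddl):
    """Return one dict per ACE found in the D: (DACL) part of an SDDL string."""
    match = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not match:
        return []
    aces = []
    for body in re.findall(r"\(([^)]*)\)", match.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, _flags, rights, obj_guid, _inherit_guid, trustee = fields[:6]
        aces.append({
            "type": ace_type,
            "rights": [RIGHTS.get(c, c) for c in re.findall("..", rights)],
            # Empty GUID field means the ACE applies to the whole object.
            "object": OBJECT_GUIDS.get(obj_guid.lower(), obj_guid) or None,
            "trustee": trustee,
            "object_specific": ace_type in ("OA", "OD"),
        })
    return aces

def object_specific_aces(sddl):
    """ACEs that a read/write/full-control view cannot express."""
    return [ace for ace in parse_dacl(sddl) if ace["object_specific"]]

if __name__ == "__main__":
    for ace in parse_dacl(SAMPLE_SDDL):
        print(ace["type"], ace["trustee"], ace["rights"], ace["object"])
```
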