Handling account attributes
Bravura Security Fabric lists all attributes on Windows NT-compatible systems by default. For increased efficiency, you can restrict listing to specific attributes.
You can view the complete list of attributes that Bravura Security Fabric can manage, including native and pseudo-attributes, in the Manage the system (PSA) module. To do this, select Windows NT server from the Manage the system > Resources > Account attributes > Target system type menu.
The rest of this section describes the attributes that Bravura Security Fabric uses to compose values, set flags, or control behavior on Windows server. For information about the native Windows server attributes managed by Bravura Security Fabric, consult your Windows server documentation.
accountdisable By default, when creating a new account the accountdisable attribute is set to false by Bravura Security Fabric so that the new account is enabled. The value of the corresponding Account disabled checkbox in Windows server is not copied from the template account.
passwd_cant_change Bravura Security Fabric can copy from the template or set the value of the User Cannot Change Password checkbox in Windows server, using the attribute passwd_cant_change .
_shareas If the _shareas pseudo-attribute is Set , Bravura Security Fabric creates a share for the user’s home directory. Use this pseudo-attribute to specify the share name.
_homedir_share_acl If the _shareas pseudo-attribute is Set , the _homedir_share_acl pseudo-attribute controls the permissions of users that access the share. It corresponds to the Permissions button on a share folder.
_pathtohomedir Normally, Bravura Security Fabric creates a user’s home folder based on the home_dir attribute. However, if the path to a user’s home folder is different from the actual Windows server attribute, you can use the _pathtohomedir pseudo-attribute to create the path. For example:
The value of the user’s actual home_dir attribute is the share name:
\\myserver\<userid>
But the path to a user’s home folder is:
\\myserver\F$\Users\<userid>
In order for Bravura Security Fabric to create the path specified by the _pathtohomedir pseudo-attribute, the Configured action for the home_dir attribute must also be Set.
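The share-name versus physical-path distinction above is easy to get wrong when the userid is substituted into both templates. The following added example (not Bravura Security Fabric code) composes the home_dir and _pathtohomedir values from the text's \\myserver\<userid> and \\myserver\F$\Users\<userid> layout and, as an assumed extra check, rejects userids that are not a plain folder name or whose expanded path would not stay under the Users root. The templates, root folder and account-name rule are assumptions for illustration.

```python
import ntpath
import re

# Assumptions for this example: templates mirror the text's layout, where the
# share is \\myserver\<userid> and the physical folder is \\myserver\F$\Users\<userid>.
HOME_DIR_TEMPLATE = r"\\myserver\<userid>"                  # value of home_dir (share name)
PATH_TO_HOMEDIR_TEMPLATE = r"\\myserver\F$\Users\<userid>"  # value of _pathtohomedir
HOME_ROOT = r"\\myserver\F$\Users"                          # every home folder must sit under this

# Conservative account-name rule (assumption): letters, digits, '.', '_', '-'; no separators.
USERID_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")


def check_userid(userid: str) -> str:
    """Reject identifiers that could not be a plain folder name under HOME_ROOT."""
    if not USERID_RE.fullmatch(userid) or set(userid) <= {"."}:
        raise ValueError(f"unsafe or invalid userid {userid!r}")
    return userid


def expand(template: str, userid: str) -> str:
    """Substitute the <userid> placeholder after validating the userid."""
    return template.replace("<userid>", check_userid(userid))


def home_paths(userid: str) -> dict:
    """Return the share-name value for home_dir and the physical path for
    _pathtohomedir, verifying that the physical path stays under HOME_ROOT."""
    share = expand(HOME_DIR_TEMPLATE, userid)
    physical = expand(PATH_TO_HOMEDIR_TEMPLATE, userid)
    normalised = ntpath.normpath(physical)          # collapses any '.' or '..' segments
    root = ntpath.normpath(HOME_ROOT)
    if not normalised.lower().startswith(root.lower() + "\\"):
        raise ValueError(f"{physical!r} escapes {HOME_ROOT!r}")
    # The share name for _shareas is the userid itself in this layout.
    return {"home_dir": share, "_pathtohomedir": physical, "_shareas": userid}


if __name__ == "__main__":
    print(home_paths("jsmith"))   # constructed sample userid
```

Because home_dir must have the Configured action Set for the _pathtohomedir path to be created, both values are returned together so they can be applied as one attribute set.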
_homedir_acl The _homedir_acl pseudo-attribute allows you to Set the ACLs on the newly created folder. Its value is the Windows security DACL (discretionary access control list) string representation, for example:
D:PAI(A;OICI;FA;;;S-1-5-21-839522115-746137067-854245398-1004)
You can use the dumpacl and dumpsid programs, included with Bravura Security Fabric, to help you write this string. See the dumpacl and dumpsid sections below.
For more information about access controls and DACL string formats, you can visit:
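To make the DACL string format concrete, here is an added example (not Bravura Security Fabric code) that parses the text's example string, D:PAI(A;OICI;FA;;;S-1-5-21-839522115-746137067-854245398-1004), into its control flags, ACE type, inheritance flags, rights and SID, and reports which SIDs are granted full control. That last check is useful before setting _homedir_acl: a home folder ACL should normally grant full control only to the owner's SID. The abbreviation tables are the documented SDDL values; the parser handles only the DACL portion (the D: component) and a few common well-known SID aliases, and the second SID in the usage is a constructed sample.

```python
import re
from dataclasses import dataclass, field
from typing import List

# Documented SDDL abbreviations for the subset this example decodes.
DACL_CONTROL = {"P": "protected", "AR": "auto-inherit-required", "AI": "auto-inherited"}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit", "AL": "alarm",
             "OA": "object-allow", "OD": "object-deny"}
ACE_FLAGS = {"OI": "object-inherit", "CI": "container-inherit", "NP": "no-propagate",
             "IO": "inherit-only", "ID": "inherited", "SA": "success-audit", "FA": "failure-audit"}
RIGHTS = {"FA": "file-all", "FR": "file-read", "FW": "file-write", "FX": "file-execute",
          "GA": "generic-all", "GR": "generic-read", "GW": "generic-write", "GX": "generic-execute"}
SID_ALIASES = {"BA": "S-1-5-32-544", "BU": "S-1-5-32-545", "SY": "S-1-5-18",
               "WD": "S-1-1-0", "AU": "S-1-5-11", "CO": "S-1-3-0"}
SID_RE = re.compile(r"S-1-\d+(?:-\d+)+")


@dataclass
class Ace:
    kind: str
    flags: List[str]
    rights: List[str]
    sid: str


@dataclass
class Dacl:
    control: List[str]
    aces: List[Ace] = field(default_factory=list)


def _pairs(text: str, table: dict, what: str) -> List[str]:
    """Decode a run of two-letter SDDL tokens such as 'OICI' or 'FA'."""
    if len(text) % 2:
        raise ValueError(f"odd-length {what} field {text!r}")
    out = []
    for i in range(0, len(text), 2):
        tok = text[i:i + 2]
        if tok not in table:
            raise ValueError(f"unknown {what} token {tok!r}")
        out.append(table[tok])
    return out


def parse_dacl(sddl: str) -> Dacl:
    """Parse 'D:<flags>(ace)(ace)...' into a Dacl, rejecting malformed input."""
    m = re.fullmatch(r"D:([A-Z]*)((?:\([^()]*\))*)", sddl)
    if not m:
        raise ValueError("expected a DACL string of the form D:flags(ace)...")
    ctrl, ace_text = m.groups()
    control = []
    while ctrl:
        for tok in ("AR", "AI", "P"):          # two-letter tokens before the one-letter P
            if ctrl.startswith(tok):
                control.append(DACL_CONTROL[tok])
                ctrl = ctrl[len(tok):]
                break
        else:
            raise ValueError(f"unknown DACL control flags {ctrl!r}")
    dacl = Dacl(control)
    for body in re.findall(r"\(([^()]*)\)", ace_text):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"ACE must have 6 ';'-separated fields: {body!r}")
        kind, flags, rights, _obj_guid, _inh_guid, sid = fields
        if kind not in ACE_TYPES:
            raise ValueError(f"unknown ACE type {kind!r}")
        if rights.startswith("0x"):             # raw access-mask form, kept as a hex value
            decoded = [f"mask:{int(rights, 16):#010x}"]
        else:
            decoded = _pairs(rights, RIGHTS, "rights")
        sid = SID_ALIASES.get(sid, sid)
        if not SID_RE.fullmatch(sid):
            raise ValueError(f"unrecognised SID {sid!r}")
        dacl.aces.append(Ace(ACE_TYPES[kind], _pairs(flags, ACE_FLAGS, "ACE flag"), decoded, sid))
    return dacl


def full_control_sids(dacl: Dacl) -> List[str]:
    """SIDs granted full control (FA or GA) by an allow ACE; for a home folder
    this list should normally contain only the owner's SID."""
    return [a.sid for a in dacl.aces
            if a.kind == "allow" and ({"file-all", "generic-all"} & set(a.rights))]


if __name__ == "__main__":
    # The example string from the text; the SID is the page's example value.
    d = parse_dacl("D:PAI(A;OICI;FA;;;S-1-5-21-839522115-746137067-854245398-1004)")
    print(d.control, [a.__dict__ for a in d.aces])
    print("full control:", full_control_sids(d))
```

Note that the token FA means "file all" in the rights field but "failure audit" in the ACE-flags field, which is why the two fields are decoded with separate tables.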
home_dir The home_dir pseudo-attribute supports copy from template and set to a specified value actions. The copy action creates the user’s home directory with appropriate security settings, and copies files from model user accounts. When using the set action, these things must be done manually.
_homedir_option The _homedir_option pseudo-attribute controls how Bravura Security Fabric handles home directories when the owner’s account is deleted. You can set the value of _homedir_option to either:
delete – delete the home directory (default). Bravura Security Fabric does not delete this directory if it contains certain system files, for example, boot.ini.
nodelete – do not delete the home directory.
You can override the configured action/value for the _homedir_option pseudo-attribute only at the target system and target type levels.
_sup_homedir_option This attribute is currently not used.
Most Windows server account attributes are named to clearly identify the corresponding functions in the User Manager in Windows server. The following are mentioned here for clarity:
Attribute | Corresponds to … |
---|---|
password_expired | User Must Change Password at Next Login |
profile | User Profile Path |
script_path | Login Script Name |
The Bravura Security Fabric Windows server connector will not allow you to set conflicting values for the password_expired and passwd_cant_change attributes. For example, if you set the password_expired attribute to expired, the connector will clear the passwd_cant_change flag so that the user can change his or her password.
dumpacl
Use the dumpacl program to view the elements of an object’s security descriptor. A security descriptor contains data and security information for a securable object in Windows. For more information, search for security descriptors at:
http://msdn.microsoft.com/library/
This program is useful, for example, when configuring the _homedir_acl attribute for Microsoft Windows NT target systems, or creating Notes ID files for Lotus Notes users.
Usage
Run dumpacl with the following arguments:
dumpacl.exe [-dacl] [-sacl] [-owner] [-group] [-share] <filepath>
Argument | Description |
---|---|
<filepath> | Specifies the path to the object. |
-dacl | Displays the DACL (discretionary access control list) for the object. |
-sacl | Displays the SACL (system access control list) for the object. |
-owner | Displays the object’s owner. |
-group | Displays the object’s primary group. |
-share | Indicates that the filepath is a network share. |
See also
dumpsid is a similar program used to view an object’s security identifier (SID).
dumpsid
Use the dumpsid program to view an object’s security identifier (SID). A SID is a unique number that identifies user, group, and computer accounts in Windows. SIDs play a role in security descriptors and access control lists.
Usage
dumpsid.exe [\\<server>\]<userid>
See also
dumpacl is a similar program used to view elements of an object’s security descriptor.