Rights in Active Directory

Adsschema.exe extends the Active Directory schema and typically grants necessary rights. If rights haven't been granted, you can manually assign rights to User objects or to an Organizational Unit object.


Assigning Rights to User Objects

To use SecureLogin, a user must have Read and Write rights to the protocom-SSO-Auth-Data, protocom-SSO-Entries, protocom-SSO-Entries-Checksum, protocom-SSO-Profile, protocom-SSO-Security-Prefs, and protocom-SSO-Security-Prefs-Checksum attributes on his or her User object. These rights enable users to add configuration data (for example, a passphrase) and create logins. To verify that these attributes are in the extended schema, see "Verifying the eDirectory Schema" in the Nsure SecureLogin 3.51.2 Installation Guide.

Default rights are set when SecureLogin is installed and the schema is extended for the first time.

If you don't assign rights to SELF, users are unable to read or write SecureLogin attributes.

To assign rights for Active Directory:

  1. Bring up the MMC snap-in.

    1. Click Console > Open.

    2. Select the profile name that you previously saved, then click Open.

  2. Click Active Directory Users and Computers > the domain name (for example, inet.nsrd.lab.vmp.com) > Users.

  3. Right-click a container, select Delegate Control, then click Next.

    For example, you can select the Users container. Active Directory automatically creates this predefined container. On the other hand, you can select a container that you have created (for example, RDlab).

    IMPORTANT: This step is necessary for every container that you want rights to apply to.

    If Container objects (for example, OU objects) contain users in subcontainers, you must set up the same rights as the ones assigned to Active Directory's built-in Users container. If branches exist in your Active Directory tree, ensure proper rights by assigning rights for each branch or by assigning rights globally at the Root.

  4. Click Add > SELF.

  5. Click Add > OK.

  6. (Conditional) Click Create a Custom Task to Delegate > Next.

    If you selected the predefined Users container, skip this step.

  7. In the Active Directory Object Type window, click Only the Following Objects in the Folder, check the User Objects check box, then click Next.

  8. Set permissions on new schema attributes.

    1. Under Show These Permissions, check the General and Property-Specific check boxes.

    2. In the Permissions list box, check the Read and Write check boxes for the protocom-SSO-Auth-Data, protocom-SSO-Entries, protocom-SSO-Entries-Checksum, protocom-SSO-Profile, protocom-SSO-Security-Prefs, and protocom-SSO-Security-Prefs-Checksum attributes.


Assigning User Rights to an Organizational Unit

Users need rights to corporate objects (for example, corporate scripts and serverPolicyOverride objects). Users can then inherit and use objects that you set up specifically for target users.

Typically, adsschema.exe assigns necessary rights when you assign user rights by container.

To manually accomplish this, set Read and Write permissions for the protocom-SSO-Entries attribute. You need to specify what containers to add rights to.

  1. Bring up the MMC snap-in.

    1. Click Console > Open.

    2. Click the profile name that you previously saved, then click Open.

  2. Click Active Directory Users and Computers, select the domain name (for example, inet.nsrd.lab.vmp.com), then click Users.

  3. Right-click the container that you want to apply rights to, click Delegate Control, then click Next.

    For example, you can select the Users container. Active Directory automatically creates this predefined container. On the other hand, you can select a container that you have created (for example, RDlab).

    If Container objects (for example, OU objects) contain users in subcontainers, you must set up the same rights as the ones assigned to Active Directory's built-in Users container.

    If branches exist in your Active Directory tree, ensure proper rights by assigning rights for each branch or by assigning rights globally at the Root.

  4. (Conditional) Click Create a Custom Task to Delegate, then click Next.

    If you selected the predefined Users container, skip this step.

  5. In the Active Directory Object Type window, click This Folder, Existing Objects in This Folder, and Creation of New Objects in This Folder, then click Next.

  6. Set rights (permissions) on new schema attributes.

    1. Under Show These Permissions, check the General and Property-Specific check boxes, click Next, then click Finish.

    2. In the Permissions list box, check the Read and Write check boxes for the protocom-SSO-Entries attribute.

  7. Click Next, then click Finish.
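Both procedures above end with rights that are only visible by opening each object's security dialog, so a way to check the result is useful: the script below reads the ACL of an object and reports, per SecureLogin attribute, whether a principal (SELF by default, as in the first procedure) holds Read and Write. It is an added example and is not part of the SecureLogin documentation or of adsschema.exe. It assumes the ActiveDirectory PowerShell module is installed (which provides the AD: drive used by Get-Acl), that the six protocom-SSO-* names are the lDAPDisplayName values of the schema extensions, and that the account running it can read the security descriptors involved. The container DNs and the principal in the usage lines are placeholders.

```powershell
# Added audit script (not from the SecureLogin documentation). Assumes:
#  - the ActiveDirectory module (RSAT) is installed, so the AD: PSDrive exists
#  - the attribute names below are lDAPDisplayName values of the SecureLogin schema extensions
#  - the caller can read the security descriptors of the inspected objects
Import-Module ActiveDirectory

$SsoAttributes = @(
    'protocom-SSO-Auth-Data',
    'protocom-SSO-Entries',
    'protocom-SSO-Entries-Checksum',
    'protocom-SSO-Profile',
    'protocom-SSO-Security-Prefs',
    'protocom-SSO-Security-Prefs-Checksum'
)

# Resolve each attribute's schemaIDGUID. An ACE scoped to a single attribute carries
# that GUID in its ObjectType field; a missing attribute means the schema was not extended.
function Get-SchemaAttributeGuid {
    param([Parameter(Mandatory)][string[]]$Names)
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $map = @{}
    foreach ($name in $Names) {
        $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$name)" -Properties schemaIDGUID
        if ($null -eq $obj) { throw "Attribute '$name' is not in the schema; run adsschema.exe first." }
        $map[$name] = [guid]$obj.schemaIDGUID
    }
    return $map
}

# Report whether $Principal can read and write each attribute on one object.
# Only direct Allow ACEs for that exact principal are considered: group membership is not
# expanded and property-set grants are not resolved, so a 'False' here means "not granted
# directly", which is what the delegation wizard above is expected to have created.
function Test-SsoAttributeRights {
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string[]]$Attributes = $SsoAttributes,
        [string]$Principal = 'NT AUTHORITY\SELF'
    )
    $guids = Get-SchemaAttributeGuid -Names $Attributes
    $acl   = Get-Acl -Path "AD:\$DistinguishedName"
    $readBit  = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $writeBit = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    foreach ($name in $Attributes) {
        $guid = $guids[$name]
        # ACEs that apply to this attribute specifically, or to all properties (empty ObjectType).
        $aces = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -eq $Principal -and
            ($_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty)
        }
        # GenericRead/GenericWrite/GenericAll include the property bits, so the bitwise test covers them.
        [pscustomobject]@{
            Object    = $DistinguishedName
            Attribute = $name
            Principal = $Principal
            Read      = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band $readBit })
            Write     = [bool]($aces | Where-Object { $_.ActiveDirectoryRights -band $writeBit })
        }
    }
}

# Usage (placeholder DNs and group name):
# 1) First procedure: every user in a container should show Read and Write for SELF on all six attributes.
#    Get-ADUser -SearchBase 'OU=RDlab,DC=example,DC=com' -Filter * |
#        ForEach-Object { Test-SsoAttributeRights -DistinguishedName $_.DistinguishedName } |
#        Where-Object { -not ($_.Read -and $_.Write) } | Format-Table
# 2) Second procedure: the container itself should grant the delegated group Read and Write on protocom-SSO-Entries.
#    Test-SsoAttributeRights -DistinguishedName 'OU=RDlab,DC=example,DC=com' `
#        -Attributes 'protocom-SSO-Entries' -Principal 'EXAMPLE\Domain Users' | Format-Table
```

Running the first usage line over each branch of the tree is the quickest way to confirm the "assign rights for each branch or globally at the Root" requirement was met: any user listed in the output is one whose SELF rights were not inherited from a delegated container.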