danholme
Posts: 113
05/05/2008 2:00 PM
Joe:
In your previous post (AD DELEGATION = ACL MESS) you mentioned delegating the ability to create OUs but NOT to then be able to create child objects.
What exactly do you mean? Are you thinking about using OWNER RIGHTS as a way to do that? If so, I get it, if not, please elaborate... THANKS!!!
listmail
Posts: 321
05/05/2008 3:10 PM
Yep.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
rmscheck
Posts: 38
05/05/2008 9:54 PM
Ooh, please go on about Owner Rights... my curiosity is piqued.
danholme
Posts: 113
05/06/2008 12:10 AM
Owner Rights is a new identity in Vista and 2008.
It allows you to specify the ACEs applied to the *current* owner of an object (whereas Creator/Owner "stamped" explicit ACEs to the original creator, which were not changed automatically when ownership changed).
It also allows you to OVERRIDE the owner's "right" to modify the security descriptor (i.e. change permissions) on their own objects.
It's available anywhere there's an ACL (files, folders, registry, Active Directory).
A typical scenario would involve adding this permission to the ACL of a folder:
Owner Rights::Allow::Modify
This means that an Owner gets "modify" permission, and cannot change permissions on something he/she creates even though Windows would normally give them a built in right to do so. (It does not apply to Administrators, for obvious reasons, though if you assign DENY permissions to Owner Rights and an Admin is an owner, it sucks to work around it)
Note that if the current owner gets permissions from other ACEs (e.g. is a member of a group that has "Change Permission" permission), then (s)he will be able to change permissions... but that's because of normal ACL "effective permissions"; the key is that the Owner Rights specifies, in a way, the "minimum" permissions the owner gets, overriding the user right to change the SD, and overridden only by explicit Denies (stay away from those!)
In AD, that means you can set an ACL on the domain or on an OU that says that the Owner Rights gets certain ACEs, but not "Create [insert child object type here]" permission. As long as you do NOT include "Change Permissions" for Owner Rights, the creator of an object (e.g. an OU) cannot create new objects within that OU, and cannot change the SD to give themselves the permission to.
OK, I just read this and it's written in crazy talk. Sorry. Late night. But you can start with this. We'll clarify later.
Dan
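The folder ACE ("Owner Rights::Allow::Modify") and the OU delegation described in the post above, written out as an added PowerShell example. This is not code from the thread or from any of its posters. It assumes a Windows Server 2008 (or later) domain where the OWNER RIGHTS identity is honoured, the RSAT ActiveDirectory module (which provides the AD: drive), and three placeholder names: the folder C:\Shares\Projects, the OU OU=Delegated,DC=corp,DC=example and the group CORP\OU-Creators. The OWNER RIGHTS identity is the well-known SID S-1-3-4; the organizationalUnit class GUID is read from the schema rather than hard-coded.

```powershell
# Added example, not from the thread. Folder path, OU DN and group name are
# placeholders. Requires Vista / Server 2008 or later (OWNER RIGHTS = S-1-3-4)
# and the RSAT ActiveDirectory module for the AD: drive. PowerShell 5.1+ syntax.
Import-Module ActiveDirectory

$ownerRights = [System.Security.Principal.SecurityIdentifier]::new('S-1-3-4')   # OWNER RIGHTS

# --- Part 1: folder. "Owner Rights::Allow::Modify" from the post. Modify does not
# include Change Permissions or Take Ownership, so whoever creates a file keeps
# Modify on it but can no longer re-ACL it, despite being its owner.
$folder = 'C:\Shares\Projects'                                     # placeholder
$fsAcl  = Get-Acl -Path $folder
$fsAcl.AddAccessRule([System.Security.AccessControl.FileSystemAccessRule]::new(
    $ownerRights,
    [System.Security.AccessControl.FileSystemRights]::Modify,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AccessControlType]::Allow))
Set-Acl -Path $folder -AclObject $fsAcl

# --- Part 2: Active Directory. Let a group create OUs below $ouDN, and give the
# owner of anything created there property read/write only: no CreateChild,
# no WriteDacl, no WriteOwner.
$ouDN     = 'OU=Delegated,DC=corp,DC=example'                       # placeholder
$creators = [System.Security.Principal.NTAccount]::new('CORP', 'OU-Creators')  # placeholder

# Resolve the organizationalUnit schemaIDGUID from the schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ouClass  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=organizationalUnit)' -Properties schemaIDGUID
$ouGuid   = [guid]$ouClass.schemaIDGUID

$adAcl = Get-Acl -Path "AD:\$ouDN"

# ACE 1: the delegated group may create organizationalUnit objects here and in every sub-OU.
$adAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $creators,
    [System.DirectoryServices.ActiveDirectoryRights]::CreateChild,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $ouGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))

# ACE 2: OWNER RIGHTS, inherited by everything below, deliberately without
# CreateChild, WriteDacl or WriteOwner. The creator of a new OU becomes its owner,
# picks up only these rights, and cannot populate the OU or edit its security
# descriptor to grant themselves more.
$adAcl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $ownerRights,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty, ListChildren, ReadControl',
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All))
Set-Acl -Path "AD:\$ouDN" -AclObject $adAcl

# --- Check: list any Allow ACE for OWNER RIGHTS on the OU that hands back a right
# we meant to withhold. Only specific bits are tested; generic rights such as
# GenericAll would match our own property ACE and produce false positives.
# This audits the Owner Rights ACEs only; rights the owner holds through other
# group memberships still apply via normal effective permissions.
function Test-OwnerRightsAce {
    param([Parameter(Mandatory)][string]$Path)
    $withheld = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, WriteDacl, WriteOwner'
    $acl = Get-Acl -Path $Path
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $ownerRights -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (($_.ActiveDirectoryRights -band $withheld) -ne 0)
        }
}

$bad = Test-OwnerRightsAce -Path "AD:\$ouDN"
if ($bad) { $bad | Format-Table IdentityReference, ActiveDirectoryRights, IsInherited -AutoSize }
else      { "OWNER RIGHTS on $ouDN grants none of CreateChild, WriteDacl or WriteOwner." }
```

Run Test-OwnerRightsAce against the domain head and each delegated OU after any re-ACL, since a single inherited Allow of WriteDacl to OWNER RIGHTS defeats the whole arrangement, and, as the post notes, an explicit Deny to OWNER RIGHTS is the one thing that overrides it and is best avoided.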
deji
Posts: 109
05/06/2008 12:15 AM
http://blogs.dirteam.com/blogs/jorge/archive/2008/02/21/delegated-permissions-and-owner-permissions.aspx
Sincerely,
Microsoft MVP - Directory Services - www.akomolafe.name - we know IT