
List Archives

This forum is an archive of all posts to our mailing list over the past few years. The forum is set read-only, so to contribute you will need to join our list community. See more info about this here.

 

When subscribed to the list you should use your standard email client to send your posts to ActiveDir@mail.activedir.org.

Subject: [ActiveDir] AdminSDHolder
tkern

03/17/2006 8:24 AM  
Message body was not found.
lists1

03/17/2006 10:33 AM  
Hi Tom,

I do not fully understand what you mean.

> When MS says that Print Operators, Account Operators, or Backup Operators are protected by the PDCE checking the ACL on the
> AdminSDHolder object, I never see those groups in the ACE.

Wrong - MS does not say that the Operators are protected by the PDCE checking any ACL. The PDCE runs the process which ensures that the adminCount attribute of members of those groups (+ others and accounts you haven't mentioned) is 0, then it resets the Security Descriptor to be the same as the AdminSdHolder process.

You've never seen ACEs for AOs? Did you check a user, group, computer, inetOrgPerson or OU? Account Operators have the right to create child/delete child on OUs for Users, Groups, Computers, inetOrgPersons, and they also have Full Control on those objects.

> Where are they listed?

Security Tab

> How are they protected?

See above

> What ACL is the PDCE checking to determine what perms should be present for those groups?

No ACL, it's checking the groups, and resets the rights of their members. The adminCount attribute is a helper.

Earlier in the thread my blog about this was mentioned, I think it clarifies some stuff:
http://msmvps.com/blogs/ulfbsimonweidner/archive/2005/05/29/49659.aspx

Greetings - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Friday, March 17, 2006 9:24 PM
To: activedirectory
Subject: [ActiveDir] AdminSDHolder

This may sound like a stupid question, but here goes-

When MS says that Print Operators, Account Operators, or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present for those groups?

Thanks and sorry again if this seems really stupid or
basic.
listmail

03/17/2006 11:29 AM  
The SDPROP thread monitors groups/users that are considered
"sensitive" and if the SD of one of those objects is not the same as what is on
the adminSDHolder object, that SD is applied to the object. They are not
specified in the ACL on the adminSDHolder object because they shouldn't have
permissions over those sensitive objects.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


listmail

03/18/2006 2:16 AM  
The SD of the adminSDHolder object is the
nTSecurityDescriptor attribute of that object. It is in the System container of
the domain in question.




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: Friday, March 17, 2006 7:26 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: Re: [ActiveDir] AdminSDHolder

when you say "if the SD of one of those objects is not the same as what is on the adminSDHolder object...", where on the adminSDHolder object are these values kept that help it determine the SD?
Thanks
tkern

03/18/2006 12:27 PM  
lists1

03/18/2006 12:41 PM  
The securityDescriptor of the adminSdHolder is copied to be the same as the securityDescriptor of the object in question. Just look at the Security tab of both, they are the same. If you change the one of a protected object (adminCount 0) it will be reset to be the same within one hour.

AdminSdHolder is an object which has IMHO no specific use, just to hold a securityDescriptor to use as template.

Gruesse - Sincerely,
Ulf B. Simon-Weidner




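The two posts above describe the mechanism: the PDC emulator's SDProp thread takes the nTSecurityDescriptor of CN=AdminSDHolder,CN=System,<domain>, stamps it onto the objects it considers protected, and marks them with adminCount. The script below is an added example (not code from this thread, from Microsoft, or from either poster) that audits that state from the administrator's side: it compares every adminCount=1 object against the AdminSDHolder template, reports whether the copied DACL still blocks inheritance, and flags objects that carry adminCount=1 but are no longer members of any protected group. It assumes the ActiveDirectory PowerShell module on a domain-joined host with read access to nTSecurityDescriptor; the well-known SIDs/RIDs in it are the default protected set on current Windows Server, which is stated here as an assumption about the target domain rather than something the thread establishes. Function names are the example's own.

```powershell
# Added example: audit SDProp-protected objects against the AdminSDHolder template.
# Assumes RSAT ActiveDirectory module; the protected group list below is the default set
# (assumption about the target domain's OS level), expressed as well-known RIDs.
Import-Module ActiveDirectory -ErrorAction Stop

# Built-in groups use S-1-5-32-<rid>; domain groups and users use <domain SID>-<rid>.
$BuiltinProtectedRids    = 544, 548, 549, 550, 551, 552  # Administrators, Account/Server/Print/Backup Operators, Replicator
$DomainProtectedRids     = 512, 516, 518, 519, 521       # Domain Admins, Domain Controllers, Schema Admins, Enterprise Admins, RODCs
$DomainProtectedUserRids = 500, 502                      # Administrator and krbtgt are protected as users, not via a group

function Get-ProtectedPrincipalDNs {
    # Returns the set of DNs SDProp would legitimately stamp: the protected group objects
    # themselves, their transitive members, and the two protected user accounts.
    param([string]$DomainSid)
    $sids = @($BuiltinProtectedRids | ForEach-Object { "S-1-5-32-$_" }) +
            @($DomainProtectedRids  | ForEach-Object { "$DomainSid-$_" })
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($sid in $sids) {
        $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }                         # e.g. RODC group absent on an old forest
        [void]$set.Add($group.DistinguishedName)
        # LDAP_MATCHING_RULE_IN_CHAIN expands nested membership in one query. Group DNs containing
        # RFC 4515 special characters (parentheses, asterisks) would need escaping; not handled here.
        Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($group.DistinguishedName))" |
            ForEach-Object { [void]$set.Add($_.DistinguishedName) }
    }
    foreach ($rid in $DomainProtectedUserRids) {
        $u = Get-ADUser -Identity "$DomainSid-$rid" -ErrorAction SilentlyContinue
        if ($u) { [void]$set.Add($u.DistinguishedName) }
    }
    return $set
}

function Compare-ProtectedSddl {
    # Pure comparison of the template SDDL against an object's SDDL. SDProp copies the whole
    # descriptor (owner, primary group, DACL including its P flag, SACL), so anything other than
    # an exact match is drift. 'D:P' right after the DACL marker means inheritance is blocked.
    param([string]$TemplateSddl, [string]$ObjectSddl)
    return [pscustomobject]@{
        Matches       = ($TemplateSddl -ceq $ObjectSddl)
        DaclProtected = ($ObjectSddl -match 'D:P')
    }
}

function Test-AdminSDHolderDrift {
    $domain   = Get-ADDomain
    $holder   = Get-ADObject -Identity "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)" `
                             -Properties nTSecurityDescriptor
    $template = $holder.nTSecurityDescriptor.Sddl
    $legit    = Get-ProtectedPrincipalDNs -DomainSid $domain.DomainSID.Value

    # Every object SDProp has ever stamped carries adminCount=1. The attribute is not cleared when
    # the object leaves the protected groups, so stale entries keep the restrictive ACL for no reason.
    Get-ADObject -LDAPFilter '(adminCount=1)' -Properties nTSecurityDescriptor, objectClass | ForEach-Object {
        $cmp = Compare-ProtectedSddl -TemplateSddl $template -ObjectSddl $_.nTSecurityDescriptor.Sddl
        [pscustomobject]@{
            DistinguishedName = $_.DistinguishedName
            ObjectClass       = $_.ObjectClass
            StillProtected    = $legit.Contains($_.DistinguishedName)   # False = orphaned adminCount=1
            SddlMatchesHolder = $cmp.Matches                            # False = drift from the template
            DaclProtected     = $cmp.DaclProtected                      # False = inheritance enabled
        }
    }
}

Test-AdminSDHolderDrift | Format-Table -AutoSize
```

Reading the output: StillProtected=False rows are orphaned adminCount=1 objects that can be cleaned up after review; SddlMatchesHolder=False on a still-protected object is either an edit SDProp has not yet reverted (it runs on the PDC emulator on its periodic schedule, hourly by default) or a sign that SDProp is not running against that domain; DaclProtected=False on a protected object means the template itself has inheritance enabled, which is exactly the condition under which OU-level delegations leak onto admin accounts.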
tech4steve

03/20/2006 3:53 AM  
You can remove (but not add)

You can remove any of the following:


Account Operators
Server Operators
Print Operators
Backup Operators

See
http://support.microsoft.com/kb/817433


steve


----- Original Message -----
From: neil.ruston@xxxxxxxxxxxxx
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Sent: Monday, March 20, 2006 2:00 AM
Subject: RE: [ActiveDir] AdminSDHolder

A few minor additions to other posts in this
thread:

The list of objects protected by SDPROP is hard coded
AFAIK. The SD applied to adminsdholder is then copied to those objects and (by
default), all other ACEs are removed and inheritance is disabled
too.

We discussed changing the list of objects protected in
previous threads and concluded that this was not possible. I, for one, would
like the flexibility to alter the list.

neil


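The KB article Steve points to describes the one knob that exists: the 16th character of the forest-wide dSHeuristics attribute is a hex bitmask of operator groups to exclude from AdminSDHolder protection (1 = Account Operators, 2 = Server Operators, 4 = Print Operators, 8 = Backup Operators); nothing can be added. The script below is an added example, not from the thread or the KB article, that decodes the current setting and builds a correctly padded new value without touching the other dSHeuristics flags. It assumes the ActiveDirectory module and read access to the Directory Service object in the configuration partition; the rule that the 10th character must be '1' once the string is 10 or more characters long comes from the MS-ADTS dSHeuristics specification. Function names are the example's own.

```powershell
# Added example: decode and build the AdminSDExMask (16th character of dSHeuristics).
# Assumes RSAT ActiveDirectory module and read access to the configuration partition.
Import-Module ActiveDirectory -ErrorAction Stop

# Bit values from KB 817433 (the value is a single hex digit, so at most 0xF).
$AdminSDExMaskBits = [ordered]@{
    'Account Operators' = 1
    'Server Operators'  = 2
    'Print Operators'   = 4
    'Backup Operators'  = 8
}

function ConvertFrom-AdminSDExMask {
    # Returns the operator groups that the given dSHeuristics string excludes from SDProp.
    param([AllowEmptyString()][string]$DSHeuristics)
    if ($DSHeuristics.Length -lt 16) { return @() }   # shorter string: mask absent, nothing excluded
    $mask = [Convert]::ToInt32($DSHeuristics.Substring(15, 1), 16)
    return @($AdminSDExMaskBits.GetEnumerator() |
             Where-Object { ($mask -band $_.Value) -ne 0 } |
             ForEach-Object { $_.Key })
}

function ConvertTo-DSHeuristicsWithMask {
    # Builds a dSHeuristics string with the 16th character set to $Mask, preserving every other
    # position. Padding uses '0' (the "default" value for unset positions); position 10 is forced
    # to '1' because MS-ADTS requires it whenever the string is at least 10 characters long.
    param([AllowEmptyString()][string]$Current, [int]$Mask)
    if ($Mask -lt 0 -or $Mask -gt 15) { throw "Mask must be 0..15" }
    $chars = $Current.PadRight(16, '0').ToCharArray()
    $chars[9]  = '1'
    $chars[15] = [char]('{0:x}' -f $Mask)
    return -join $chars
}

function Get-DirectoryServiceDN {
    return "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
}

function Get-AdminSDExclusions {
    $obj   = Get-ADObject -Identity (Get-DirectoryServiceDN) -Properties dSHeuristics
    $value = [string]$obj.dSHeuristics            # $null when the attribute was never set
    return [pscustomobject]@{
        dSHeuristics       = $value
        ExcludedFromSDProp = ConvertFrom-AdminSDExMask $value
    }
}

# Review the current state first.
Get-AdminSDExclusions

# To exclude Print and Backup Operators (4 + 8 = 12 -> 'c'), build the new string and write it.
# This is a forest-wide change and SDProp does not roll back what it already stamped: the
# objects keep adminCount=1 and the AdminSDHolder ACL until you reset them yourself.
# $new = ConvertTo-DSHeuristicsWithMask -Current (Get-AdminSDExclusions).dSHeuristics -Mask 12
# Set-ADObject -Identity (Get-DirectoryServiceDN) -Replace @{ dSHeuristics = $new }
```

Worked values for the pure functions: ConvertTo-DSHeuristicsWithMask -Current '' -Mask 15 yields '000000000100000f', and ConvertFrom-AdminSDExMask on that string returns all four operator groups; a domain that has never set dSHeuristics returns an empty list, meaning all four are protected.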
lists1

03/20/2006 8:34 AM  
Hi Neil,

as mentioned in my blog entry you are able to change whether it applies to the operator groups (and to which).

The whole nTSecurityDescriptor is copied; since inheritance is disabled on the adminSdHolder object, inheritance is disabled by default on those protected objects as well. If you enable inheritance on the adminSdHolder the objects will inherit permissions.

Gruesse - Sincerely,
Ulf B. Simon-Weidner




listmail

03/20/2006 9:29 AM  
But that is

perl -e "print \"very
\"x1000,\"\n\""

dangerous.

If you happen to drop one of these objects in an OU that
has some inherited permissions defined such as user:FC to some folks
with lesser powers then it is all over.  

But yes, it is a Security Descriptor level mod which includes the ACLs (both DACL and SACL), inheritance setting (aka protected), owner, primary group, etc.


Neil: Would you like to alter the list because you would like to add your own custom groups/users to get controlled like that or do you just want to change what is protected at all?






lists1

03/20/2006 9:47 AM  
Yes - sorry - didn't want to suggest doing that - just
wanted to outline how it works.




AD000001290

03/20/2006 10:02 AM  
AD000001290

03/21/2006 8:18 AM  
> Neil: Would you like to alter the list because you would like to add your own custom groups/users to get controlled like that or do you just want to change what is protected at all?

joe: the former

neil
listmailUser is Offline

Posts:824

03/22/2006 2:23 AM  
OK thanks, I have made a note. I will bring it up when I am
with someone who could make a difference with it. I have also made a note in the
folder that has suggestions for future joeware and/or Deviant Software
tools/solutions.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: Tuesday, March 21, 2006 3:16 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AdminSDHolder
Neil: Would you like to alter the list because you would like to add your own
custom groups/users to get controlled like that, or do you just want to change
what is protected at all?

joe: the
former

neil
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of joe
Sent: 20 March 2006 21:27
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AdminSDHolder

But that is

perl -e "print \"very \"x1000,\"\n\""

dangerous.

If you happen to drop one of these objects in an OU that
has some inherited permissions defined such as user:FC to some folks
with lesser powers then it is all over.  

But yes, it is a Security Descriptor level mod which includes the ACLs (both
DACL and SACL), inheritance setting (aka protected), owner, primary group, etc.


Neil: Would you like to alter the list because you would like to add your own
custom groups/users to get controlled like that, or do you just want to change
what is protected at all?




--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, March 20, 2006 3:32 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AdminSDHolder

Hi Neil,

As mentioned in my blog entry, you are able to change whether it applies to
the operator groups (and which).

The whole nTSecurityDescriptor is copied; since inheritance is disabled on the
adminSdHolder object, inheritance is disabled by default on those protected
objects as well. If you enable inheritance on the adminSdHolder, the objects
will inherit permissions.

Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile




From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of neil.ruston@xxxxxxxxxxxxx
Sent: Monday, March 20, 2006 11:01 AM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] AdminSDHolder

A few minor additions to other posts in this
thread:

The list of objects protected by SDPROP is hard coded
AFAIK. The SD applied to adminsdholder is then copied to those objects and (by
default), all other ACEs are removed and inheritance is disabled
too.

We discussed changing the list of objects protected in
previous threads and concluded that this was not possible. I, for one, would
like the flexibility to alter the list.

neil


From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Tom Kern
Sent: 17 March 2006 20:24
To: activedirectory
Subject: [ActiveDir] AdminSDHolder

This may sound like a stupid question, but here goes:

When MS says that Print Operators, Account Operators, or Backup Operators
are protected by the PDCE checking the ACL on the AdminSDHolder object, I
never see those groups in the ACE.
Where are they listed?
How are they protected?
What ACL is the PDCE checking to determine what perms should be present
for those groups?

Thanks and sorry again if this seems really stupid or basic.
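An audit script for the behaviour Ulf and Neil describe above (the AdminSDHolder descriptor copied onto members of the protected groups, inheritance blocked, adminCount set to 1), plus joe's warning about inheritance on AdminSDHolder itself; this is an added example, not code from anyone in the thread. It assumes the RSAT ActiveDirectory module; the protected-group list beyond the Operators groups the thread names, and the Get-AceSignature helper, are my assumptions.

```powershell
# Added audit example, not code from the thread. Assumes the RSAT ActiveDirectory
# module and read access to security descriptors in the domain.
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$holderDN  = "CN=AdminSDHolder,CN=System,$($domain.DistinguishedName)"
$holderAcl = Get-Acl -Path "AD:\$holderDN"
# joe's warning: with inheritance enabled on AdminSDHolder itself, every
# protected object ends up inheriting its container's ACEs.
if (-not $holderAcl.AreAccessRulesProtected) {
    Write-Warning 'AdminSDHolder allows inheritance; protected objects will inherit container ACEs'
}

# Groups whose members SDProp stamps with adminCount=1: the three Operators groups
# from the thread plus the other well-known default entries (assumed list; extend it).
$protectedGroups = 'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
                   'Account Operators', 'Backup Operators', 'Print Operators', 'Server Operators'

# Map member DN -> protecting group, expanding nested membership.
$protectedMembers = @{}
foreach ($name in $protectedGroups) {
    $grp = Get-ADGroup -Filter "Name -eq '$name'"   # Enterprise/Schema Admins live in the forest root only
    if (-not $grp) { continue }
    try { Get-ADGroupMember -Identity $grp -Recursive |
              ForEach-Object { $protectedMembers[$_.DistinguishedName] = $name } }
    catch { Write-Warning "Could not expand ${name}: $_" }
}

# Canonical string form of the explicit (non-inherited) ACEs, so two DACLs compare by equality.
function Get-AceSignature {
    param($Acl)
    $aces = $Acl.Access | Where-Object { -not $_.IsInherited } | ForEach-Object {
        '{0}|{1}|{2}|{3}|{4}' -f $_.IdentityReference, $_.AccessControlType,
            $_.ActiveDirectoryRights, $_.ObjectType, $_.InheritanceType
    }
    return (($aces | Sort-Object -Unique) -join ';')
}
$holderSignature = Get-AceSignature $holderAcl
# Every object SDProp has stamped carries adminCount=1. Check each against what the
# posts describe: the holder DACL copied over and inheritance blocked.
$report = foreach ($obj in Get-ADObject -LDAPFilter '(adminCount=1)') {
    $acl = Get-Acl -Path "AD:\$($obj.DistinguishedName)"
    [pscustomobject]@{
        Object             = $obj.DistinguishedName
        ProtectedVia       = $protectedMembers[$obj.DistinguishedName]   # $null: stale adminCount
        InheritanceBlocked = $acl.AreAccessRulesProtected
        DaclMatchesHolder  = (Get-AceSignature $acl) -eq $holderSignature
    }
}
$report | Where-Object { -not $_.ProtectedVia -or -not $_.InheritanceBlocked -or -not $_.DaclMatchesHolder } |
    Format-Table -AutoSize
```

Rows with an empty ProtectedVia are objects that left a protected group but still carry the AdminSDHolder descriptor; rows with DaclMatchesHolder false show where someone has altered an ACL that SDProp will overwrite on its next pass.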
Copyright 2012 ActiveDir.org