Yes, definitely not a firewall, I just wanted to pipe up with that to feel
useful...

This is permissions in AD. Since those permissions are set on the default SD
in the schema for user objects, someone/thing cleared the self ACE for WP
Personal Information...

If I were a gambling man... I would say look for the following symptoms:

O adminCount attribute set on these user objects (probably a 1)
O Inheritance is turned off on the ACL
O Most of the perms you see on most userids are missing

If these are true you probably have adminSdHolder kicking you in the seat of
the pants. Were these folks at any point (including right this second)
Admins, Domain Admins, Enterprise Admins, Account Ops, Server Ops, Backup
Ops, etc., etc., ad nauseam? If so this is your issue. Those IDs are, by
default, locked down in a protected state so people can't futz with them.
The only permission adminSdHolder'ed objects get for SELF is SELF Change
Password. You can get more info on adminSDHolder by searching the archives
of this list or going to google and searching for it. 

You may find recommendations to CHANGE the permissions on adminSdHolder, I
for the most part, do not agree with that. Your admins should have two IDs,
one that is an admin ID, one that isn't. The one that isn't they can modify
their personal info on to their hearts content, the admin one, tell them
hands off.

Now if you don't have those symptoms above, it would greatly help the
troubleshooting process if you collected a DSACLS dump of one of the userids
in question and posted it...

Ex:

[Tue 04/13/2004 21:38:58.26]
F:\DEV\cpp\MemberOf>dsacls CN=$joebobadmindude,CN=Users,DC=joe,DC=com
Access list:
{This object is protected from inheriting permissions from the parent}
Effective Permissions on this object are:
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow JOE\Domain Admins                           SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow JOE\Enterprise Admins                       SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow BUILTIN\Administrators                      SPECIAL ACCESS
                                                  DELETE
                                                  READ PERMISSONS
                                                  WRITE PERMISSIONS
                                                  CHANGE OWNERSHIP
                                                  CREATE CHILD
                                                  DELETE CHILD
                                                  LIST CONTENTS
                                                  WRITE SELF
                                                  WRITE PROPERTY
                                                  READ PROPERTY
                                                  LIST OBJECT
                                                  CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users            SPECIAL ACCESS
                                                  READ PERMISSONS
                                                  LIST CONTENTS
                                                  READ PROPERTY
                                                  LIST OBJECT
Allow NT AUTHORITY\SYSTEM                         FULL CONTROL
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account
Restrictions
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account
Restrictions
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon
Information
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon
Information
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group
Membership
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group
Membership
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General
Information
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General
Information
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote
Access Information
                                                  READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote
Access Information
                                                  READ PROPERTY
Allow JOE\Cert Publishers                         SPECIAL ACCESS for
userCertificate
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow BUILTIN\Windows Authorization Access Group  SPECIAL ACCESS for
tokenGroupsGlobalAndUniversal
                                                  READ PROPERTY
Allow BUILTIN\Terminal Server License Servers     SPECIAL ACCESS for
terminalServer
                                                  WRITE PROPERTY
                                                  READ PROPERTY
Allow Everyone                                    Change Password
Allow NT AUTHORITY\SELF                           Change Password

The command completed successfully

[Tue 04/13/2004 21:39:04.93]



-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
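An added example, not part of the post above or of joeware: a PowerShell check for the three symptoms joe lists (adminCount, inheritance blocked, SELF missing its Write Personal Information ACE) plus membership in the groups AdminSDHolder protects. It assumes the ActiveDirectory module (RSAT) on a domain-joined box with a reachable DC; the account name 'joebobadmindude' is a placeholder taken from the dsacls sample and the list of protected groups is the well-known set, which your domain's AdminSDHolder may extend or trim.

```powershell
# Added example (not the original poster's code): look for the AdminSDHolder symptoms
# on one user object. Requires the ActiveDirectory module from RSAT.
Import-Module ActiveDirectory

function Test-AdminSDHolderSymptoms {
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName, DN or SID

    $user = Get-ADUser -Identity $Identity -Properties adminCount, nTSecurityDescriptor, tokenGroups
    $sd   = $user.nTSecurityDescriptor   # System.DirectoryServices.ActiveDirectorySecurity

    # Resolve the rightsGuid of the "Personal Information" property set from the
    # Extended-Rights container instead of hard-coding it.
    $config       = (Get-ADRootDSE).configurationNamingContext
    $personalInfo = Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
                        -LDAPFilter '(displayName=Personal Information)' -Properties rightsGuid
    $personalInfoGuid = [guid]$personalInfo.rightsGuid

    # Symptom 3: the schema default SD for user objects grants NT AUTHORITY\SELF
    # Write Property on the Personal Information set. AdminSDHolder'ed objects lose it.
    $selfWritePersonal = $sd.Access | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SELF' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
        $_.ObjectType -eq $personalInfoGuid
    }

    # Transitive group membership from the constructed tokenGroups attribute (SIDs),
    # translated to names where the SID resolves. Well-known protected groups (assumed
    # default set; a domain can add to it).
    $protectedGroups = 'Administrators','Domain Admins','Enterprise Admins','Schema Admins',
                       'Account Operators','Server Operators','Backup Operators',
                       'Print Operators','Replicator'
    $groupNames = foreach ($sid in $user.tokenGroups) {
        try   { ($sid.Translate([System.Security.Principal.NTAccount]).Value -split '\\')[-1] }
        catch { }   # unresolvable SID (e.g. orphaned from a trusted domain): skip it
    }
    $protectedHits = $groupNames | Where-Object { $protectedGroups -contains $_ }

    [pscustomobject]@{
        User                     = $user.SamAccountName
        AdminCount               = $user.adminCount
        InheritanceBlocked       = $sd.AreAccessRulesProtected
        SelfCanWritePersonalInfo = [bool]$selfWritePersonal
        ProtectedGroups          = ($protectedHits -join ', ')
        LikelyAdminSDHolder      = ($user.adminCount -eq 1 -and
                                    $sd.AreAccessRulesProtected -and
                                    -not $selfWritePersonal)
    }
}

# Placeholder account from the dsacls sample above.
Test-AdminSDHolderSymptoms -Identity 'joebobadmindude' | Format-List
```

If LikelyAdminSDHolder comes back True and ProtectedGroups is non-empty, the ACL is being reapplied by the SDProp thread and editing it on the user will not stick; the fix the post recommends is a separate non-admin ID rather than loosening AdminSDHolder. If ProtectedGroups is empty but adminCount is still 1, the account was protected at some point and the attribute and inheritance block were never cleared; that is the "including right this second" case above.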
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Douglas M. Long
Sent: Tuesday, April 13, 2004 10:09 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Firewall

The attributes are actually greyed out, and not even editable. I have no
errors in the event log, all of the users that are having the problem (which
I now know is not related to the firewall, due to the fact that I just found
an instance proving otherwise...one more variable out of the way) have the
same GPOs, they are using the same DNS, and the same version and patch
level of XP. I can't think of any other things to check. Any other ideas?
Thanks



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Robbie Foust
Sent: Tuesday, April 13, 2004 9:46 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Firewall


I'm not using the XP firewall yet, but I'll consider it with SP2 since it is
much better.  The built in firewall isn't supposed to interfere with
communications with DC's, I think.  Are you getting any specific error
message when users try to edit their attributes?  Or do they just not have
permission to do so?  Check the event logs to see if there are any errors.

Robbie Foust, IT Analyst
Systems and Core Services
Duke University




Douglas M. Long wrote:

> Do you all force your XP clients to have the built-in firewall 
> enabled? Are there any cons (such as some GPs not working) to having 
> it enabled? The reason I ask is I am having a problem finding the 
> culprit which is causing some users the inability to edit their 
> "editable" (phone number, homepage, address, etc) attributes. Thanks 
> in advance

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
