This is a guess but...
You have two rights/permissions associated with listing an object.
1. ADS_RIGHT_ACTRL_DS_LIST - list child (aka list contents). This is a permission that would be set on an OU to say that a secprin had the ability to list subobjects of the OU.
2. ADS_RIGHT_DS_LIST_OBJECT - list object. This is the permission that is set on specific objects to say that a secprin can list that object.
This second right/perm is the one enabled/disabled with the dsheuristics setting.
This would seemingly logically mean you have at least two objects to check ACLs on to ALLOW the ability to list the object. I would further surmise that if you have multiple objects within a subOU or subOU structure you would have to check every subobject's ACL instead of just the OU's ACL to list the DNs of the objects directly under an OU (i.e. one level). At best if you had n objects at a single level within an OU you would have n+1 checks. One check for the OU and one check for every single object. At worst that would be n*2 with the OU being checked every time an object is also checked.

From: [EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Monday, December 13, 2004 4:26 AM
Subject: RE: [ActiveDir] List object mode

There is always something new to learn ;-)  Thanks Eric, I wasn't aware of that one (but I can confirm that I've never noticed any difference in performance myself).
Can you elaborate a little as to why a double ACL check is required? 

From: [EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Monday, December 13, 2004 3:52 AM
Subject: RE: [ActiveDir] List object mode

The typical negative thing associated with list_object mode is the double ACL check required which can have a performance overhead. I couldn’t quantify what “perf overhead” means as frankly I’ve never seen a number from the test team on what that overhead is, but it exists, and perhaps in some cases is measurable. It is probably quite small in the aggregate though.


I would venture to guess that in order to really feel the overhead one would need a pretty serious load, and single instance store of SDs makes this even more true (caching benefits felt there), and you’d need a query load that lends itself to having this overhead (some probably do not). But that last bit is speculation on my part.





From: [EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Sunday, December 12, 2004 2:06 PM
Subject: RE: [ActiveDir] List object mode


Hello Mika - I have not found any negative effects by List object mode on other apps whatsoever. And there shouldn't be any either, since it doesn't change the underlying security mechanisms at all.  It merely gives you the option to distinguish between the list content and list object permission, which would otherwise always be applied in parallel (i.e. you don't even see the list object permission, but it's always applied when you grant the list content right, e.g. when you grant read permissions on an OU).


I've used it for quite a few companies already and it works like a charm. Realize that the theory behind the list object permission is rather easy (allows you to distinguish which objects someone can see in an OU - such as only specific sub-OUs). However, correctly leveraging list object mode does add complexity to the overall security model and requires people that really know what they're doing.


People need to fully understand the various permissions granted by default in AD and then need to take some of these away (mainly the Read-Permission for Auth. Users on OUs) before they can take advantage of the list object permissions in the first place. They also need to understand the impact on GPOs, as the required permissions to read GPOs are usually granted via the Auth. User permission on an OU... - so you need to mimic these permissions as well (not only for users, but also for the computer accounts).


Usually it's those companies that have a distinct desire to tighten security in AD - these will also invest in the extra time needed to plan the security model and to manage it in the long run. Thus, the list object permission is nothing that you'd just want to leverage for the fun of it or because it's cool - if there's a business case (i.e. need to restrict what people can see in AD), then it makes sense, otherwise it doesn't.
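
Added example, not part of the thread and not written by any of its participants: a static check over OU security descriptors in SDDL form that reports whether a broad principal such as Authenticated Users still holds list contents (the grant the message above says must be removed first) and which trustees hold list object alone. The function names and both SDDL strings are constructed for illustration; deny ACEs and group membership are not evaluated.

```python
import re

# Access-mask bits for the two rights named in the thread.
ADS_RIGHT_ACTRL_DS_LIST = 0x04   # SDDL "LC": list contents (list child)
ADS_RIGHT_DS_LIST_OBJECT = 0x80  # SDDL "LO": list object
LIST_BITS = {"LC": ADS_RIGHT_ACTRL_DS_LIST, "LO": ADS_RIGHT_DS_LIST_OBJECT}

# Constructed sample DACLs; the SID in HARDENED_OU is made up.
DEFAULT_OU = "O:DAG:DAD:(A;;RPLCLORC;;;AU)(A;;RPWPCCDCLCLORCWOWDSDDTSW;;;DA)"
HARDENED_OU = ("O:DAG:DAD:(A;;RPLORC;;;S-1-5-21-1000-2000-3000-1105)"
               "(A;CIIO;RPLCLORC;;;AU)(A;;0xf01ff;;;DA)")


def pairs(field):
    """Split an SDDL field made of two-letter tokens."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]


def list_object_mode_enabled(ds_heuristics):
    """List object mode is on when the third dSHeuristics character is '1'."""
    return bool(ds_heuristics) and len(ds_heuristics) >= 3 and ds_heuristics[2] == "1"


def list_rights(rights):
    """Return the LC/LO bits in an SDDL rights field (token string or hex mask)."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
    else:
        mask = sum(LIST_BITS.get(tok, 0) for tok in set(pairs(rights)))
    return mask & (ADS_RIGHT_ACTRL_DS_LIST | ADS_RIGHT_DS_LIST_OBJECT)


def audit(sddl, broad=("AU", "WD")):
    """Find broad list-contents grants and trustees that hold list object only."""
    result = {"broad_list_contents": [], "list_object_only": []}
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        ace_type, flags, rights, _obj, _inh, sid = ace.split(";")[:6]
        if ace_type != "A" or "IO" in pairs(flags):
            continue  # only plain allow ACEs that apply to the OU itself
        bits = list_rights(rights)
        if bits & ADS_RIGHT_ACTRL_DS_LIST and sid in broad:
            result["broad_list_contents"].append(sid)
        elif bits == ADS_RIGHT_DS_LIST_OBJECT:
            result["list_object_only"].append(sid)
    return result


if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_OU), ("hardened", HARDENED_OU)):
        print(name, audit(sddl))
```
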




From: [EMAIL PROTECTED] On Behalf Of Mika Seitsonen
Sent: Sunday, December 12, 2004 6:16 PM
Subject: [ActiveDir] List object mode

I haven't found too many comments discussing the use of list object mode in production environments. Anybody care to share their experiences when enabling the list object mode? Has it affected applications running on top of AD such as Exchange & SMS?


Thanks in advance

