And clobbered again but offline this time by someone else who didn't even offer up a ;-).
 
I feel obligated to say that anyone working around the "officially" correct mechanisms could jeopardize their entire forest. It is sort of like going out into the water 10 minutes after you ate a meatball sub, something bad "could" happen and in fact has happened to someone previously under some particular set of circumstances. It all depends on what things you are doing and how crazy you are getting with it.
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

See, I knew I would get clobbered. :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 8:43 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] systemFlags

You surprise me ... I thought we'd agreed that we were leaving even the suggestion of such 'back-doors' alone ... bad Joe ;-)

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com

http://msetechnology.com

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

[Thu 04/14/2005 20:16:01.31]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648
 
AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
   Extended Error: 000020B1: AtrErr: DSID-030F0C06, #1:
        0: 000020B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)
 
 
 
ERROR: Too many errors encountered, terminating...
 
The command did not complete successfully
 
The directory itself is purposely throwing the error. The DSID tells you exactly where in the source the error is being thrown from and looking at the source it is because this attribute is reserved for update.
 
It is however, possible to update, I will not share that mechanism as I may get clobbered for it. You can find the mechanism in public archives though if you look carefully...
 
 
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags
 
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
 
dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
 

1 Objects returned
 
[Thu 04/14/2005 20:22:06.03]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648
 
AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...
 
The command completed successfully
 

[Thu 04/14/2005 20:22:52.39]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags
 
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
 
dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648
 

1 Objects returned
 
[Thu 04/14/2005 20:23:01.32]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags:-
 
AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...
 
The command completed successfully
 
[Thu 04/14/2005 20:23:29.92]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags
 
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com
 
dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
 

1 Objects returned
 
 
[Thu 04/14/2005 20:23:49.17]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648
 
AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
   Extended Error: 000020B1: AtrErr: DSID-030F0C06, #1:
        0: 000020B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)
 
 
 
ERROR: Too many errors encountered, terminating...
 
The command did not complete successfully
 

[Thu 04/14/2005 20:24:02.09]
F:\DEV\cpp\SecTok>
 
 
Consider it to be like the whole "trust us, someone who can get interactive access on your DC can take over your forest" argument. Just because one person doesn't know how to do it doesn't mean no one else does... If you don't trust the people who are on your DCs, you are in a very very very bad way.
 
Oh yeah, but does that disallow of the delete actually work??
 
[Thu 04/14/2005 20:29:59.01]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del
 
AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x35 (53) - Unwilling To Perform
 

ERROR: Too many errors encountered, terminating...
 
The command did not complete successfully
 
 
[Thu 04/14/2005 20:30:17.96]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del
 
AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
 
DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...
 
The command completed successfully
 
 
 
 
The answer is yes. Possibly that would be a good joeware for sale item. ;oP
 
  joe
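Added example, not part of joe's message or of the joeware tools: the value written above, 2147483648, is bit 0x80000000 of systemFlags (FLAG_DISALLOW_DELETE), which AdFind prints as the signed 32-bit number -2147483648. This Python sketch decodes that form and lists delete-protected objects from AdFind output. The bit names are from Microsoft's [MS-ADTS] specification rather than from the thread; the function names and the second OU in the sample are assumptions made for illustration.

```python
import re

# Object-level systemFlags bits as named in [MS-ADTS] (not taken from the thread).
OBJECT_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
}

# Constructed sample in AdFind's default output format; PlainOU is hypothetical.
SAMPLE = """\
dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

dn:OU=PlainOU,OU=TestOU,DC=joe,DC=com

2 Objects returned
"""

def decode_system_flags(value):
    """Return (unsigned_value, [flag names]) for systemFlags as LDAP returns it."""
    unsigned = int(value) & 0xFFFFFFFF  # signed -2147483648 becomes 0x80000000
    names = [name for bit, name in OBJECT_FLAGS.items() if unsigned & bit]
    unknown = unsigned & ~sum(OBJECT_FLAGS) & 0xFFFFFFFF
    if unknown:  # low bits have class-specific meanings; report them undecoded
        names.append("UNDECODED_0x%08X" % unknown)
    return unsigned, names

def parse_adfind(text):
    """Map each dn in AdFind output to its systemFlags value (None if unset)."""
    result, dn = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.lower().startswith("dn:"):
            dn = line[3:].strip()
            result[dn] = None
        elif dn and (m := re.match(r">systemFlags:\s*(-?\d+)$", line, re.I)):
            result[dn] = int(m.group(1))
    return result

def delete_protected(text):
    """DNs whose systemFlags has FLAG_DISALLOW_DELETE set."""
    return [dn for dn, v in parse_adfind(text).items()
            if v is not None and decode_system_flags(v)[0] & 0x80000000]
```
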


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Mayes
Sent: Saturday, April 09, 2005 12:21 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

 

Suspend all sanity for a moment. I’m not wandering down the route of trusted and untrusted administrators, that’s just how I arrived at this point. Simply I’m just curious about the possibility of modifying systemFlags. If you try through ldp or adsiedit you get errors generally around the point that it’s a system attribute and you can’t modify it. Now again make sure that your sanity switch is set to 0 for this as people are now going to start asking the question why and careful because you’ll screw your AD. Well I’m wearing asbestos underpants at this point and I quite like the idea of breaking things in development. So trudging on …. For the permissions I can see that I have permissions to write the systemFlags attribute, but nothing is letting me, which I agree is quite sensible as I could be any old muppet. But what’s getting in my way, the tools, the AD itself….. something special which is hidden under the bonnet? And how do you then get around that, as I can buy a tool off the shelf that’ll do it.

I’ve not yet attempted to write code to fiddle, that’ll be when I’m bored over the next few days.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 08, 2005 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

How'd you try to edit it?  And why do you let admins have rights if you can't trust them?

 

 
