And clobbered again but offline this time by someone else
who didn't even offer up a ;-).
I feel obligated to say that anyone working around the
"officially" correct mechanisms could jeopardize their entire forest. It is sort
of like going out into the water 10 minutes after you ate a meatball sub,
something bad "could" happen and in fact has happened to someone previously
under some particular set of circumstances. It all depends on what things you
are doing and how crazy you are getting with it.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

See, I knew I would get clobbered. :)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 8:43 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] systemFlags

You surprise me ... I thought we'd agreed that we were leaving even the
suggestion of such 'back-doors' alone ... bad Joe ;-)

--
http://msetechnology.com

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 8:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

[Thu 04/14/2005 20:16:01.31]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
Extended Error: 000020B1: AtrErr: DSID-030F0C06, #1:
        0: 000020B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully
The directory itself is purposely throwing the error. The
DSID tells you exactly where in the source the error is being thrown from and
looking at the source it is because this attribute is reserved for update.
It is, however, possible to update; I will not share
that mechanism as I may get clobbered for it. You can find the mechanism in
public archives though if you look carefully...
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:22:06.03]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:22:52.39]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

1 Objects returned

[Thu 04/14/2005 20:23:01.32]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags:-

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:23:29.92]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:23:49.17]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
Extended Error: 000020B1: AtrErr: DSID-030F0C06, #1:
        0: 000020B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:24:02.09]
F:\DEV\cpp\SecTok>

Consider it to be like the whole "trust us, someone who can get interactive
access on your DC can take over your forest" argument. Just because one person
doesn't know how to do it doesn't mean no one else does... If you don't trust
the people who are on your DCs, you are in a very very very bad way.
Oh yeah, but does that disallow of the delete actually
work??
[Thu 04/14/2005 20:29:59.01]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:30:17.96]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully
The answer is yes. Possibly that would be a good joeware
for sale item. ;oP
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Mayes
Sent: Saturday, April 09, 2005 12:21 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags
Suspend all sanity for a moment. I’m not wandering down the route of trusted and untrusted administrators, that’s just how I arrived at this point. Simply I’m just curious about the possibility of modifying systemFlags. If you try through ldp or adsiedit you get errors generally around the point that it’s a system attribute and you can’t modify it. Now again make sure that your sanity switch is set to 0 for this as people are now going to start asking the question why, and careful because you’ll screw your AD. Well I’m wearing asbestos underpants at this point and I quite like the idea of breaking things in development. So trudging on …. For the permissions I can see that I have permissions to write the systemFlags attribute, but nothing is letting me, which I agree is quite sensible as I could be any old muppet. But what’s getting in my way, the tools, the AD itself….. something special which is hidden under the bonnet? And how do you then get around that, as I can buy a tool off the shelf that’ll do it. I’ve not yet attempted to write code to fiddle, that’ll be when I’m bored over the next few days.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al

How'd you try to edit it? And why do you let admins have rights if you can't trust them?
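A reader's-side note on joe's adfind/admod output in this thread: the 2147483648 he wrote reads back as -2147483648 because AD stores systemFlags as a signed 32-bit integer, and that top bit is the delete protection that made "admod -del" fail. The following is an added example (not from the thread and not joeware code) that normalises the signed value, names the bits using the published MS-ADTS systemFlags definitions, and audits adfind-style output for delete-protected objects; the sample output, the DN OU=Plain and the Domain Controllers value are constructed.

```python
# Added example (not joeware code): decode systemFlags as adfind prints it.
# Bit names and values are the published MS-ADTS systemFlags definitions
# (the low attributeSchema-only bits, 0x1..0x20, are omitted here).
SYSTEM_FLAGS = {
    0x80000000: "FLAG_DISALLOW_DELETE",
    0x40000000: "FLAG_CONFIG_ALLOW_RENAME",
    0x20000000: "FLAG_CONFIG_ALLOW_MOVE",
    0x10000000: "FLAG_CONFIG_ALLOW_LIMITED_MOVE",
    0x08000000: "FLAG_DOMAIN_DISALLOW_RENAME",
    0x04000000: "FLAG_DOMAIN_DISALLOW_MOVE",
    0x02000000: "FLAG_DISALLOW_MOVE_ON_DELETE",
}

def to_unsigned32(value):
    # AD stores systemFlags as a signed 32-bit integer: the 2147483648 written
    # with admod reads back as -2147483648. Accept either form.
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError("systemFlags must fit in 32 bits: %r" % value)
    return value & 0xFFFFFFFF

def decode_system_flags(value):
    # Names of the bits set, lowest bit first.
    bits = to_unsigned32(value)
    return [name for bit, name in sorted(SYSTEM_FLAGS.items()) if bits & bit]

def is_delete_protected(value):
    # Bit 0x80000000 is what made "admod -del" fail with Unwilling To Perform.
    return bool(to_unsigned32(value) & 0x80000000)

# Constructed sample in adfind's "dn:" / ">attr: value" layout (not real data).
SAMPLE_ADFIND_OUTPUT = """\
dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

dn:OU=Plain,OU=TestOU,DC=joe,DC=com

dn:CN=Domain Controllers,DC=joe,DC=com
>systemFlags: -1946157056
"""

def audit_adfind_output(text):
    # Map each dn to its decoded flags; [] when systemFlags is absent.
    result, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn:"):
            dn = line[3:].strip()
            result[dn] = []
        elif dn and line.lower().startswith(">systemflags:"):
            result[dn] = decode_system_flags(int(line.split(":", 1)[1]))
    return result
```

Feed it the output of an adfind query such as the ones above (with systemflags in the attribute list) to see which OUs and containers in a domain carry the delete/move/rename protections and which do not.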