The dsHeuristics setting activates or deactivates the List Object permission, not the List Contents permission; however, you have to use both in conjunction to reach most goals with respect to hiding data in AD. I've created this table for other stuff I'm working on, to clarify the confusion a bit.
 
(btw, the first two bits of this setting are also important, but not for permissioning - they control name resolution during AD searches.)
 
/Guido
 
 

Granted on OU:             List Contents and List Object
Granted on child objects:  N/A
Result:                    The List Object permission on the OU makes the OU visible. As List Contents is also granted on the OU, this takes precedence over any missing List Object permissions on child objects, and AD will automatically list all objects in the container.
                           A delegated administrator can browse to the OU and all child objects with ADUC.
                           An LDAP query for all objects will return the OU and ALL child objects.

Granted on OU:             List Object (List Contents not granted or denied)
Granted on child objects:  List Object
Result:                    The List Object permission on the OU makes the OU visible. If List Contents is not granted or is denied, AND List Object is granted on the container object (OU), AD will evaluate the List Object permission on the child objects and list only those where the List Object (or Read) permission has been granted.
                           A delegated administrator can browse to the OU and the selected child objects with ADUC.
                           An LDAP query for all objects will return the OU and only those child objects where List Object has been granted.

Granted on OU:             List Contents (List Object not granted or denied)
Granted on child objects:  N/A
Result:                    The OU will NOT be visible. As List Contents is granted on the OU, this takes precedence over any missing List Object permissions on child objects, and AD will automatically list all objects in the container.
                           A delegated administrator cannot browse to the OU or its child objects in ADUC.
                           An LDAP query for all objects will NOT return the OU object, but WILL return ALL of its child objects.

Granted on OU:             Neither List Contents nor List Object
Granted on child objects:  N/A
Result:                    The OU will NOT be visible. As neither List Contents nor List Object is granted on the container object (OU), AD will NOT evaluate any permission on the child objects.
                           A delegated administrator cannot browse to the OU or its child objects in ADUC.
                           An LDAP query for all objects will NOT return the OU or any of its child objects.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Wednesday, 14 December 2005 16:07
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] dsHeuristics and list object access mode

dsHeuristics can be used to control whether the 'list contents' ACE has an effect. So if the attribute is set to 001, this means that if you haven't got list contents permission on a container then you can't see what's under it. Whereas if dsHeuristics is the equivalent of 000, then list contents doesn't matter so much and you can see what's under a container without explicit list contents rights, just as an authenticated user.
 
At least this is what I've finally arrived at by reading different contradictory sources. I'm still a bit sceptical about all of this; indeed, I reckon that somewhere along the various cut-and-paste jobs someone has got totally the wrong idea. So this has all started me off doing some experimenting.........
 
No matter what state the dsHeuristics attribute is set to (<not set>, 000 or 001; <not set> being the equivalent of all zeros), removal of the list contents right stops someone looking at what lives under the object. Likewise, granting it lets whoever has the permission go through the contents.
 
So I'm looking for some clarification from practical experience as I no longer believe the spin that says you need to set dsHeuristics to 001 (or full 001000..... equivalent) to be able to effectively use or remove the 'list contents' permission.
 
Does list object access mode work irrespective of the third bit of the dsHeuristics value for other people?
 
If it makes no difference, as I'm seeing, what does that value actually do as it doesn't seem to tie up with what some people are claiming?
 
fast environment facts:
Win2003 Ent SP1
Win2003 domain func
Win2000 forest func
dsHeuristics value fiddled with on cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, ...
 
 

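The following PowerShell is an added example, not code from either message in the thread. It puts the second row of Guido's table into practice: enable List Object mode (third character of dsHeuristics set to 1), grant a delegated group List Object on the OU and on one chosen child object, and then report which ACEs on the OU still grant List Contents, since any such grant (the default OU security descriptor gives Authenticated Users List Contents) would fall back to the first row and expose every child. The OU, group and child object names, and the CONTOSO forest, are assumptions for illustration; it requires the ActiveDirectory module and an account that can write the Configuration naming context.

```powershell
# Added example (not from the thread). Assumed names: adjust to your forest.
Import-Module ActiveDirectory

$Group   = 'CONTOSO\Helpdesk-West'                       # assumed delegated group
$OuDN    = 'OU=West,DC=contoso,DC=com'                   # assumed OU to expose
$ChildDN = 'CN=Jane Doe,OU=West,DC=contoso,DC=com'       # assumed child to make visible

# 1. Enable List Object mode: the third character of dsHeuristics must be '1'.
#    The first two characters control name resolution, so they are preserved.
#    (For strings of 10+ characters every tenth character must be its position
#    digit; padding to three characters never reaches that rule.)
$dsDN  = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
         (Get-ADRootDSE).configurationNamingContext
$dsObj = Get-ADObject -Identity $dsDN -Properties dsHeuristics
$cur   = [string]$dsObj.dsHeuristics            # '' when the attribute is not set
if ($cur.Length -lt 3) { $cur = $cur.PadRight(3, '0') }
$new   = $cur.Substring(0, 2) + '1' + $cur.Substring(3)
if ($new -ne $cur) {
    Set-ADObject -Identity $dsObj -Replace @{ dsHeuristics = $new }
    Write-Output "dsHeuristics changed from '$cur' to '$new'"
}

# 2. Add a non-inherited Allow ACE for the given right on one object.
function Add-ListAce {
    param(
        [string]$DN,
        [string]$Identity,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights
    )
    $acl = Get-Acl -Path "AD:\$DN"
    $sid = (New-Object System.Security.Principal.NTAccount($Identity)).Translate(
               [System.Security.Principal.SecurityIdentifier])
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
               $sid, $Rights,
               [System.Security.AccessControl.AccessControlType]::Allow,
               [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$DN" -AclObject $acl
}

# List Object on the OU makes the OU itself visible; List Object on the child
# makes that one child visible. List Contents is deliberately NOT granted.
Add-ListAce -DN $OuDN    -Identity $Group -Rights ListObject
Add-ListAce -DN $ChildDN -Identity $Group -Rights ListObject

# 3. Check: who still holds List Contents (ListChildren, also part of GenericRead)
#    on the OU? Any hit for the group, or a group it belongs to such as
#    Authenticated Users, reverts the OU to the "list everything" behaviour.
$listContents = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren -bor
                [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $listContents) -ne 0)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, IsInherited, InheritanceType |
    Format-Table -AutoSize
```

After running it, confirm the result the way Paul did: bind as a member of the delegated group and search the OU with a subtree scope; only the OU and the one child should come back. If the final table still lists Authenticated Users (or another group the delegated account belongs to) with ListChildren or GenericRead, that ACE must be removed or replaced before List Object mode hides anything.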