Yes - sorry - didn't want to suggest doing that - just
wanted to outline how it works.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, March 20, 2006 10:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolderBut that isperl -e "print \"very \"x1000,\"\n\""dangerous.If you happen to drop one of these objects in an OU that has some inherited permissions defined such as user:FC to some folks with lesser powers then it is all over.But yes, it is a Security Descriptor level mod which includes the ACLs (both DACL and SACL), inheritence setting (aka protected), owner, primary group, etc.Neal: Would you like to alter the list because you would like to add your own custom groups/users to get controlled like that or do you just want to just change what is protected at all?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, March 20, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolderHi Neil,as mentioned in my blog entry you are able to change if it applies to the operator-groups (and which).The whole nTSecurityDescriptor is copied, since there is inheritance disabled on the adminSdHolder-Object inheritance is disabled by default on those protected objects as well. If you enable inheritance on the adminSdHolder the objects will inherit permissions.Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile="">
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 20, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolderA few minor additions to other posts in this thread:The list of objects protected by SDPROP is hard coded AFAIK. The SD applied to adminsdholder is then copied to those objects and (by default), all other ACEs are removed and inheritance is disabled too.We discussed changing the list of objects protected in previous threads and concluded that this was not possible. I, for one, would like the flexibility to alter the list.neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 17 March 2006 20:24
To: activedirectory
Subject: [ActiveDir] AdminSDHolderThis may sound like a stupid question, but here goes-When MS says that Print Operators, Account Operators,or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE.Where are they listed?How are they protected?What ACL is the PDCE checking to determine what perms should be present for those groups?Thanks and sorry again if this seems really stupid or basic.PLEASE READ: The information contained in this email is confidential andintended for the named recipient(s) only. If you are not an intendedrecipient of this email please notify the sender immediately and delete yourcopy from your system. You must not copy, distribute or take any furtheraction in reliance on it. Email is not a secure method of communication andNomura International plc ('NIplc') will not, to the extent permitted by law,accept responsibility or liability for (a) the accuracy or completeness of,or (b) the presence of any virus, worm or similar malicious or disablingcode in, this message or any attachment(s) to it. If verification of thisemail is sought then please request a hard copy. Unless otherwise statedthis email: (1) is not, and should not be treated or relied upon as,investment research; (2) contains views or opinions that are solely those ofthe author and do not necessarily represent those of NIplc; (3) is intendedfor informational purposes only and is not a recommendation, solicitation oroffer to buy or sell securities or related financial instruments. NIplcdoes not provide investment services to private customers. Authorised andregulated by the Financial Services Authority. Registered in Englandno. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,London, EC1A 4NP. A member of the Nomura group of companies.
