Neal: Would you like to alter the list because you
would like to add your own custom groups/users to get controlled like that or do
you just want to just change what is protected at
all?
joe: the
former
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 20 March 2006 21:27
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder
But that is
perl -e "print \"very
\"x1000,\"\n\""
dangerous.
If you happen to drop one of these objects in an OU that
has some inherited permissions defined such as user:FC to some folks
with lesser powers then it is all over.
But yes, it is a Security Descriptor level mod which
includes the ACLs (both DACL and SACL), inheritence setting (aka
protected), owner, primary group, etc.
Neal: Would you like to alter the list because you would
like to add your own custom groups/users to get controlled like that or do you
just want to just change what is protected at all?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, March 20, 2006 3:32 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolder
Hi Neil,
as mentioned in my blog entry you are able to change if it
applies to the operator-groups (and which).
The whole nTSecurityDescriptor is copied, since there is
inheritance disabled on the adminSdHolder-Object inheritance is disabled by
default on those protected objects as well. If you enable inheritance on the
adminSdHolder the objects will inherit permissions.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
MVP-Book "Windows XP - Die Expertentipps":
http://tinyurl.com/44zcz
Weblog:
http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
Profile: http://mvp.support.microsoft.com/profile="">
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Monday, March 20, 2006 11:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AdminSDHolderA few minor additions to other posts in this thread:The list of objects protected by SDPROP is hard coded AFAIK. The SD applied to adminsdholder is then copied to those objects and (by default), all other ACEs are removed and inheritance is disabled too.We discussed changing the list of objects protected in previous threads and concluded that this was not possible. I, for one, would like the flexibility to alter the list.neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern
Sent: 17 March 2006 20:24
To: activedirectory
Subject: [ActiveDir] AdminSDHolderThis may sound like a stupid question, but here goes-When MS says that Print Operators, Account Operators,or Backup Operators are protected by the PDCE checking the ACL on the AdminSDHolder object, I never see those groups in the ACE.Where are they listed?How are they protected?What ACL is the PDCE checking to determine what perms should be present for those groups?Thanks and sorry again if this seems really stupid or basic.PLEASE READ: The information contained in this email is confidential andintended for the named recipient(s) only. If you are not an intendedrecipient of this email please notify the sender immediately and delete yourcopy from your system. You must not copy, distribute or take any furtheraction in reliance on it. Email is not a secure method of communication andNomura International plc ('NIplc') will not, to the extent permitted by law,accept responsibility or liability for (a) the accuracy or completeness of,or (b) the presence of any virus, worm or similar malicious or disablingcode in, this message or any attachment(s) to it. If verification of thisemail is sought then please request a hard copy. Unless otherwise statedthis email: (1) is not, and should not be treated or relied upon as,investment research; (2) contains views or opinions that are solely those ofthe author and do not necessarily represent those of NIplc; (3) is intendedfor informational purposes only and is not a recommendation, solicitation oroffer to buy or sell securities or related financial instruments. NIplcdoes not provide investment services to private customers. Authorised andregulated by the Financial Services Authority. Registered in Englandno. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,London, EC1A 4NP. A member of the Nomura group of companies.
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.