Here's the dump of the ACL for one of the OUs I'm looking at. I have
changed the usernames to protect the innocent, but the group in question
is called "Password Managers":
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow MYDOMAIN\Domain Admins FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Administrators SPECIAL ACCESS
<Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow MYDOMAIN\Enterprise Admins FULL CONTROL
<Inherited from parent>
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Account Operators SPECIAL ACCESS for
group
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for
user
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for
computer
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Print Operators SPECIAL ACCESS for
printQueue
CREATE CHILD
DELETE CHILD
Allow MYDOMAIN\USER2 SPECIAL ACCESS for
msExchHideFromAddressLists
WRITE PROPERTY
Allow MYDOMAIN\Password Managers SPECIAL ACCESS for
msExchHideFromAddressLists
WRITE PROPERTY
Allow MYDOMAIN\USER1 SPECIAL ACCESS for
msExchHideFromAddressLists
WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for
Public Information <Inherited from parent>
WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for
Personal Information <Inherited from parent>
WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for
groupType <Inherited from parent>
WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for
displayName <Inherited from parent>
WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS
for gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS
for gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow BUILTIN\Administrators SPECIAL ACCESS
<Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow MYDOMAIN\Enterprise Admins FULL CONTROL
<Inherited from parent>
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
LIST CONTENTS
Allow MYDOMAIN\USER2 SPECIAL ACCESS for
msExchHideFromAddressLists
WRITE PROPERTY
Allow MYDOMAIN\Password Managers SPECIAL ACCESS for
msExchHideFromAddressLists
WRITE PROPERTY
Allow MYDOMAIN\USER1 SPECIAL ACCESS for
msExchHideFromAddressLists
WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for
Public Information <Inherited from parent>
WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for
Personal Information <Inherited from parent>
WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for
groupType <Inherited from parent>
WRITE PROPERTY
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS for
displayName <Inherited from parent>
WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS
for gPOptions <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS
for gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Inherited to user
Allow NT AUTHORITY\SELF SPECIAL ACCESS for
description <Inherited from parent>
WRITE PROPERTY
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow MYDOMAIN\Exchange Enterprise Servers SPECIAL ACCESS
<Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow MYDOMAIN\USER1 Reset Password
Allow MYDOMAIN\Password Managers SPECIAL ACCESS for
pwdLastSet
WRITE PROPERTY
Allow MYDOMAIN\Password Managers Reset Password
Allow MYDOMAIN\USER2 Reset Password
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
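The dump above is dsacls-style output, wrapped by the mail client so that the "for <property>" part and the individual rights land on their own lines. Read by hand it is easy to miss that, under "Inherited to user", the "Password Managers" group holds both Reset Password and WRITE PROPERTY on pwdLastSet, inherited to every user object under the OU. The following parser is an added example, not code from the original post or from the activedir list; it turns a dump in this layout (and the unwrapped single-line "SPECIAL ACCESS for <property>" form) into ACE records and reports which principals hold password-reset or GPO-link control. The sample dump embedded in it is a constructed excerpt of the listing above; the right names and the "<Inherited from parent>" tag are taken as they appear in the post, and the `parse_dsacls` and `password_control` names are this example's own.

```python
"""Parse a dsacls-style effective-permissions dump and report which
principals can reset passwords, write pwdLastSet, or rewrite GPO links.
Added example; not part of the original post."""
import re
from dataclasses import dataclass, field

# Right names exactly as dsacls prints them (including its "PERMISSONS" spelling).
RIGHTS = {
    "DELETE", "READ PERMISSONS", "READ PERMISSIONS", "WRITE PERMISSIONS",
    "CHANGE OWNERSHIP", "CREATE CHILD", "DELETE CHILD", "LIST CONTENTS",
    "WRITE SELF", "WRITE PROPERTY", "READ PROPERTY", "LIST OBJECT",
    "CONTROL ACCESS", "FULL CONTROL", "Reset Password",
}
INHERIT_TAG = "<Inherited from parent>"

# (right, property-or-None) -> finding label. None means "any object".
SENSITIVE = {
    ("Reset Password", None): "can reset passwords",
    ("WRITE PROPERTY", "pwdLastSet"): "can write pwdLastSet",
    ("WRITE PROPERTY", "gPLink"): "can change linked GPOs",
    ("WRITE PROPERTY", "gPOptions"): "can change GPO link options",
    ("FULL CONTROL", None): "full control",
}


@dataclass
class Ace:
    ace_type: str                 # "Allow" or "Deny"
    principal: str                # e.g. MYDOMAIN\Password Managers
    section: str                  # "effective" or "inherited"
    scope: str                    # "all" or an object class such as "user"
    obj: str = ""                 # property/class the ACE is limited to
    inherited: bool = False
    rights: list = field(default_factory=list)
    wants_obj: bool = False       # "SPECIAL ACCESS for" with the object on the next line


def _strip_inherit(line):
    """Remove the inheritance tag; return (remaining text, tag_was_present)."""
    if INHERIT_TAG in line:
        return line.replace(INHERIT_TAG, "").strip(), True
    return line, False


def parse_dsacls(text):
    """State machine over the dump: section and scope headers set context,
    Allow/Deny lines open an ACE, following lines add its object and rights."""
    aces, cur = [], None
    section, scope = "effective", "all"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Permissions inherited to subobjects"):
            section, scope, cur = "inherited", "all", None
            continue
        if line.startswith("Inherited to "):
            scope = line[len("Inherited to "):].strip()
            scope = "all" if scope == "all subobjects" else scope
            cur = None
            continue
        m = re.match(r"^(Allow|Deny)\s+(.*)$", line)
        if m:
            rest, inh = _strip_inherit(m.group(2))
            cur = Ace(m.group(1), "", section, scope, inherited=inh)
            special = re.match(r"^(.*?) SPECIAL ACCESS(?: for\s*(.*))?$", rest)
            if special:
                cur.principal = special.group(1)
                obj = special.group(2)
                if obj is None:            # plain SPECIAL ACCESS: rights follow
                    pass
                elif obj.strip():          # unwrapped form: object on same line
                    cur.obj = obj.strip()
                else:                      # wrapped form: object on next line
                    cur.wants_obj = True
            else:
                for right in ("FULL CONTROL", "Reset Password"):
                    if rest.endswith(" " + right):
                        cur.principal = rest[: -len(" " + right)]
                        cur.rights.append(right)
                        break
                else:
                    cur.principal = rest
            aces.append(cur)
            continue
        if cur is None:
            continue
        line, inh = _strip_inherit(line)
        cur.inherited = cur.inherited or inh
        if not line:
            continue
        if line.startswith("for "):        # "for gPLink" wrapped onto its own line
            cur.obj = line[4:].strip()
        elif line in RIGHTS:
            cur.rights.append(line)
        elif cur.wants_obj and not cur.obj:
            cur.obj = line
    return aces


def password_control(aces):
    """Map principal -> sorted finding labels for Allow ACEs matching SENSITIVE."""
    findings = {}
    for ace in aces:
        if ace.ace_type != "Allow":
            continue
        for right in ace.rights:
            for (r, obj), label in SENSITIVE.items():
                if right == r and (obj is None or ace.obj == obj):
                    findings.setdefault(ace.principal, set()).add(label)
    return {p: sorted(v) for p, v in findings.items()}


# Constructed excerpt of the dump in the post (raw string: backslashes are literal).
SAMPLE_DUMP = r"""
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
Allow MYDOMAIN\Domain Admins FULL CONTROL
Allow MYDOMAIN\Password Managers SPECIAL ACCESS for
msExchHideFromAddressLists
WRITE PROPERTY
Allow TRUSTED_DOMAIN\USER3 SPECIAL ACCESS
for gPLink <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Permissions inherited to subobjects are:
Inherited to user
Allow MYDOMAIN\USER1 Reset Password
Allow MYDOMAIN\Password Managers SPECIAL ACCESS for
pwdLastSet
WRITE PROPERTY
Allow MYDOMAIN\Password Managers Reset Password
"""

if __name__ == "__main__":
    for principal, labels in sorted(password_control(parse_dsacls(SAMPLE_DUMP)).items()):
        print(f"{principal}: {', '.join(labels)}")
```

Run against the full listing in the post, the report groups every principal that can reset a user's password, rewrite pwdLastSet, or change the OU's gPLink/gPOptions, which is the set an OU owner should be able to justify name by name. Deny entries are parsed but deliberately not reported, and object-class scopes such as "Inherited to user" are kept on each record so the reviewer can see that the pwdLastSet write is inherited to user objects rather than set on the OU itself.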