All I've been doing a little digging into AD and was wondering why the rightsguid for the validated-spn and the self-membership validated rights doesn't have objects in the schema with matching attributesecurityguid values. Is it correct to assume that there should be objects in the schema with attributesecurityguid values to match each rightsguid values of each controlaccess object? Or is rightsguid only really important for propertysets?
Also I noticed when I used joe's adfind to list objects which had the rightsguid value from validated-dns-host-name, the filter listed the same rightsguid value in a different format. i.e adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid" was expanded as Transformed Filter: (&(objectcategory=attributeschema)(attributeSecurityGUID=G\9 5\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD)) I deduced G=47, r=72 etc.. Can anyone explain the above for me? Cheers M@ List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx