There are three things currently handled in the extended-rights container of
objectclass controlAccessRight. 

Validated Writes
Property Sets
Extended Rights

These are differentiated by the validAccesses attribute[1]. Quickly, it lays
out like this:

Validated Writes have a validAccesses value of 8
Property Sets have a validAccesses value of 32
Extended Rights have a validAccesses value of 256

While they are the same objectclass and in the same container, they are not
the same things. The attributeSecurityGUID is used to tie schema objects to
property sets. Validated Rights and Extended Rights are hardcoded into the
OS. While you could add those types of objects, you wouldn't get anything
out of the OS with them, you would need to write your application(s) to use
them.

Now there are some things that are a bit confusing... The rightsGuid of
"Add/Remove self as member" is the same as the member attribute's
schemaIDGUID. This means that if you don't use the correct access mask the
permission will not be written properly and many programs and scripts
(including several of mine) actually display this incorrectly. If the mask
is a CA grant/deny (control access) then the permission is for "Add/Remove
self as member", if the mask is anything else, it is the member schema
attribute. It gets even worse: the rightsGUID of
"Validated write to DNS host name" is also the rightsGUID of the property set
"DNS Host Name Attributes" AND the schemaIDGUID of the attribute
dNSHostName.

I've actually been meaning to blog this for a while now as I keep fielding
questions in email and the newsgroups about it. Seems like a lot of people
are actually really looking at that stuff finally. I reported the DNS GUIDs
item to MSFT back after K3 came out as I didn't think it was right. I still
don't think it is the right way to handle it but too late to change now. It
just adds a bunch of confusion to something that doesn't need the confusion
because it is already too confusing.


As for the second part... I have been asked that and actually people have
insisted it is a bug in my code so much that I did blog it.

http://blog.joeware.net/2005/12/17/173/


   joe

[1]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/control_access_rights.asp


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
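A worked example of the access-mask disambiguation joe describes above, added here and not joe's code or anything from Microsoft. It assumes the well-known ADS_RIGHTS_ENUM mask bits (ADS_RIGHT_DS_SELF 0x8, ADS_RIGHT_DS_READ_PROP 0x10, ADS_RIGHT_DS_WRITE_PROP 0x20, ADS_RIGHT_DS_CONTROL_ACCESS 0x100) and uses the DNS host name GUID quoted in this thread as a constructed lookup table; the mapping from mask bit to "kind of right" is my reading of the validAccesses values listed above, not something the thread states.

```python
"""Resolve what an AD object-type ACE refers to when its GUID is ambiguous.

Added example, not joe's code. The same GUID can be a validated write's
rightsGuid, a property set's rightsGuid and an attribute's schemaIDGUID at
once; only the ACE's access mask says which of those the ACE is about.
"""
from __future__ import annotations

from dataclasses import dataclass

# Access-mask bits from ADS_RIGHTS_ENUM (well-known values, assumed here).
ADS_RIGHT_DS_SELF = 0x8             # validated write
ADS_RIGHT_DS_READ_PROP = 0x10       # read a property / property set
ADS_RIGHT_DS_WRITE_PROP = 0x20      # write a property / property set
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100 # extended right ("CA grant/deny")

# validAccesses values for each kind of controlAccessRight, as listed in the post.
VALID_ACCESSES = {"validated_write": 8, "property_set": 32, "extended_right": 256}


@dataclass(frozen=True)
class GuidMeaning:
    kind: str   # validated_write | property_set | extended_right | attribute
    name: str


# Constructed lookup: everything a GUID may stand for, keyed by lower-case GUID.
# The DNS host name GUID is the one quoted in the thread; it is used three times.
GUID_MEANINGS: dict[str, list[GuidMeaning]] = {
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": [
        GuidMeaning("validated_write", "Validated write to DNS host name"),
        GuidMeaning("property_set", "DNS Host Name Attributes"),
        GuidMeaning("attribute", "dNSHostName"),
    ],
}


def kinds_for_mask(mask: int) -> set[str]:
    """Which kinds of right an access mask can be granting (my mapping, see lead-in)."""
    kinds: set[str] = set()
    if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        kinds.add("extended_right")
    if mask & ADS_RIGHT_DS_SELF:
        kinds.add("validated_write")
    if mask & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        # A property mask cannot tell a property set from a plain attribute
        # when both share the GUID; the caller has to live with both answers.
        kinds.update({"property_set", "attribute"})
    return kinds


def resolve_ace(mask: int, object_type: str) -> list[GuidMeaning]:
    """Return the meanings of object_type that this ACE's mask can refer to.

    An empty list means the GUID is unknown here, or the mask does not match
    any role the GUID plays (e.g. a control-access mask on a GUID that is not
    an extended right): the ACE was most likely written with the wrong mask.
    """
    candidates = GUID_MEANINGS.get(object_type.lower(), [])
    wanted = kinds_for_mask(mask)
    return [m for m in candidates if m.kind in wanted]


if __name__ == "__main__":
    guid = "72e39547-7b18-11d1-adef-00c04fd8d5cd"
    for mask in (ADS_RIGHT_DS_SELF, ADS_RIGHT_DS_WRITE_PROP, ADS_RIGHT_DS_CONTROL_ACCESS):
        hits = resolve_ace(mask, guid)
        print(f"mask 0x{mask:03X} -> {[m.name for m in hits] or 'no matching right'}")
```

Run it and the three masks give three different answers for the same GUID: 0x8 is the validated write, 0x20 is ambiguous between the property set and the dNSHostName attribute, and 0x100 matches nothing because that GUID is not an extended right; a display tool that looks only at the GUID would show all three ACEs identically.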
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, June 19, 2006 5:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on rightsguid

All

I've been doing a little digging into AD and was wondering why the
rightsguid for the validated-spn and the self-membership validated
rights doesn't have objects in the schema with matching
attributesecurityguid values. Is it correct to assume that there
should be objects in the schema with attributesecurityguid values to
match each rightsguid values of each controlaccess object? Or is
rightsguid only really important for propertysets?

Also I noticed when I used joe's adfind to list objects which had the
rightsguid value from validated-dns-host-name, the filter listed the
same rightsguid value in a different format. i.e

adfind -propsetmembers:72e39547-7b18-11d1-adef-00c04fd8d5cd attributesecurityguid

was expanded as Transformed Filter:

(&(objectcategory=attributeschema)(attributeSecurityGUID=G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD))

I deduced G=47, r=72 etc.

Can anyone explain the above for me?

Cheers

M@
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
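A worked example of the GUID transformation M@ asks about, added here and not part of the thread or of adfind. AD stores a GUID as 16 bytes with the first three fields little-endian, so 72e39547 becomes the bytes 47 95 E3 72; an LDAP filter then carries those bytes as \XX escapes, which is why G (0x47), r (0x72) and O (0x4F) show up as letters. The assumption that only ASCII letters and digits are left unescaped is inferred from the quoted output (0x7B, which is "{", was escaped as \7B); servers accept every byte escaped, so you can always escape everything.

```python
"""Convert a GUID to the escaped binary form used in an LDAP filter and back.

Added example, not adfind's code. The GUID used in the demo is the
validated-dns-host-name rightsGuid quoted in the thread.
"""
import re
import uuid

_ESCAPE_RE = re.compile(r"\\([0-9A-Fa-f]{2})|(.)", re.S)


def guid_to_filter_bytes(guid: str) -> bytes:
    """The 16-byte layout AD stores: first three GUID fields little-endian."""
    return uuid.UUID(guid).bytes_le


def escape_filter_value(raw: bytes) -> str:
    """Escape bytes for an LDAP filter value, adfind style (assumption: only
    ASCII letters and digits are left bare, everything else becomes \\XX)."""
    out = []
    for b in raw:
        if chr(b).isascii() and chr(b).isalnum():
            out.append(chr(b))
        else:
            out.append(f"\\{b:02X}")
    return "".join(out)


def unescape_filter_value(text: str) -> bytes:
    """Reverse of escape_filter_value: \\XX -> byte, bare char -> its code."""
    return bytes(
        int(m.group(1), 16) if m.group(1) else ord(m.group(2))
        for m in _ESCAPE_RE.finditer(text)
    )


def filter_value_to_guid(text: str) -> str:
    """Recover the dashed GUID string from an escaped filter value."""
    return str(uuid.UUID(bytes_le=unescape_filter_value(text)))


def propset_members_filter(guid: str) -> str:
    """The filter adfind -propsetmembers expands to, rebuilt from the GUID."""
    escaped = escape_filter_value(guid_to_filter_bytes(guid))
    return f"(&(objectcategory=attributeschema)(attributeSecurityGUID={escaped}))"


if __name__ == "__main__":
    guid = "72e39547-7b18-11d1-adef-00c04fd8d5cd"
    print(guid_to_filter_bytes(guid).hex(" "))   # 47 95 e3 72 18 7b d1 11 ...
    print(propset_members_filter(guid))
    print(filter_value_to_guid(r"G\95\E3r\18\7B\D1\11\AD\EF\00\C0O\D8\D5\CD"))
```

The round trip matters when you are reading an ACL or a filter someone else wrote: take the escaped value, run it through filter_value_to_guid, and compare the result with the rightsGuid, schemaIDGUID or attributeSecurityGUID you expect, rather than eyeballing the byte order.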
