I dunno about you guys but I am very disappointed with the tools available to me for configuring perms. dsacls can configure most perms but can't configure control access rights to certain attributes of certain objects (e.g. when you configure an attribute as confidential and need to allow certain people the control access right to view the attribute). dsacls also can't display perms that well and gives details as "special access". In order to see what's special, I have to use something like acldiag and sdcheck. And then to revoke, yet another tool, dsrevoke, which only works on domain objects and OUs.

After reading joe's book I figured ldp.exe from ADAM-SP1, here I come. Now that also has issues. I know I can write scripts for handling this. But they are cumbersome and slow. I think a nice fast C++ tool that does all this would be much appreciated. I am not sure how hard this is to do. But MSFT certainly have the expertise. Maybe Longhorn will ship with something like that. But I ain't holding my breath. I am no expert and no MVP. I ain't convinced my rant is gonna be heeded. But please, guys out there with the influence (MVPs) help!!

M@

P.S. Please!!!

On 7/24/06, joe <[EMAIL PROTECTED]> wrote:
Beautiful, this is bug week.... There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to, it creates two ACEs instead of one. The first ACE is the FC inherit only to the object class you specify, but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe                          FULL CONTROL
Allow TEST\Domain Admins                SPECIAL ACCESS
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>
Inherited to nTDSConnection
Allow TEST\joe                          FULL CONTROL
The command completed successfully

So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it, but you have to go back and clean up the additional ACE created by bug 2. I will alert MSFT.
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with the ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in CN=Sites,CN=Configuration,DC=ForestFQDN? The inherit-only perms option is grayed out here and I don't know how to do it. Based on joe's comments I assumed ldp.exe's ACL editor is the most comprehensive and capable ACL GUI editor available. I must be doing something wrong here so I would appreciate some help.

Regards
M@

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
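The delegation Matheesha asks for (Full Control that is inherit-only, scoped to nTDSDSA objects below CN=Sites) can be written without the LDP ACL editor by building the ACE in System.DirectoryServices. The script below is an added example for this thread, not code posted by joe or Matheesha and not a Microsoft tool. It resolves the schemaIDGUID of nTDSDSA, adds an Allow/GenericAll ACE with inheritance type Descendents (CONTAINER_INHERIT plus INHERIT_ONLY, so nothing applies to CN=Sites itself), and then performs the check joe's bug 2 makes necessary: it counts the explicit ACEs for the trustee and removes any that would apply to the container itself, so only the inherit-only ACE survives. The trustee group name 'TEST\Site-Admins' and the -Commit dry-run switch are assumptions; the target DN is derived from RootDSE of the forest the script runs in.

```powershell
# Added example (not from the thread): inherit-only Full Control on nTDSDSA
# objects below CN=Sites via System.DirectoryServices, plus a check that no
# stray non-inherit-only ACE for the trustee is left on CN=Sites itself.
# Assumptions not in the original posts: the trustee group name, the -Commit
# switch, and that the caller may write the Configuration partition's DACL.
param(
    [string] $Trustee = 'TEST\Site-Admins',   # assumed delegation group
    [switch] $Commit                           # without -Commit nothing is written
)

Add-Type -AssemblyName System.DirectoryServices

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value   # CN=Configuration,DC=...
$schemaNC = $rootDse.schemaNamingContext.Value          # CN=Schema,CN=Configuration,DC=...
$sitesDn  = "CN=Sites,$configNC"

# An object-specific ACE carries the schemaIDGUID of the class, not its name.
function Get-SchemaIdGuid {
    param([string] $LdapDisplayName)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNC",
        "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))",
        [string[]]@('schemaIDGUID'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Class '$LdapDisplayName' not found in $schemaNC" }
    [guid]$hit.Properties['schemaIDGUID'][0]
}

# Splits the explicit (non-inherited) ACEs for $Trustee into the inherit-only
# ACEs scoped to $ClassGuid and any "stray" ACE that applies to $Entry itself,
# which is exactly the extra ACE joe's LDP run produced.
function Test-InheritOnlyDelegation {
    param(
        [System.DirectoryServices.DirectoryEntry] $Entry,
        [string] $Trustee,
        [guid] $ClassGuid
    )
    $inheritOnlyFlag = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $rules = @($Entry.ObjectSecurity.GetAccessRules($true, $false,
                  [System.Security.Principal.NTAccount]) |
              Where-Object { $_.IdentityReference.Value -eq $Trustee })

    $wanted = @($rules | Where-Object {
        (($_.PropagationFlags -band $inheritOnlyFlag) -eq $inheritOnlyFlag) -and
        ($_.InheritedObjectType -eq $ClassGuid) })
    $stray  = @($rules | Where-Object {
        (($_.PropagationFlags -band $inheritOnlyFlag) -ne $inheritOnlyFlag) })

    [pscustomobject]@{
        InheritOnlyCount = $wanted.Count
        StrayCount       = $stray.Count
        Stray            = $stray
    }
}

$ntdsDsaGuid = Get-SchemaIdGuid 'nTDSDSA'
$sites       = [ADSI]"LDAP://$sitesDn"
$identity    = New-Object System.Security.Principal.NTAccount($Trustee)

# Descendents = CONTAINER_INHERIT | INHERIT_ONLY, limited to the class GUID:
# the ACE grants nothing on CN=Sites, only on nTDSDSA objects beneath it.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $ntdsDsaGuid)
$sites.ObjectSecurity.AddAccessRule($ace)

# Clean-up step for the bug-2 symptom: drop any ACE for the trustee that would
# take effect on the container itself, then confirm exactly one ACE remains.
$check = Test-InheritOnlyDelegation -Entry $sites -Trustee $Trustee -ClassGuid $ntdsDsaGuid
foreach ($r in $check.Stray) { $sites.ObjectSecurity.RemoveAccessRuleSpecific($r) }
$check = Test-InheritOnlyDelegation -Entry $sites -Trustee $Trustee -ClassGuid $ntdsDsaGuid
if ($check.InheritOnlyCount -ne 1 -or $check.StrayCount -ne 0) {
    throw "Unexpected DACL state: $($check.InheritOnlyCount) inherit-only, $($check.StrayCount) stray"
}

if ($Commit) {
    $sites.CommitChanges()        # writes nTSecurityDescriptor on CN=Sites
    "Wrote inherit-only Full Control for $Trustee on nTDSDSA objects under $sitesDn"
} else {
    "Dry run only; re-run with -Commit to write the DACL of $sitesDn"
}
```

After a committed run, `dsacls "CN=Sites,CN=Configuration,DC=..."` should list the trustee only under "Permissions inherited to subobjects are: Inherited to nTDSDSA" and not under "Effective Permissions on this object are", which is the difference between this ACE and the pair LDP produced in joe's output above. The same pattern with 'nTDSConnection' as the class name reproduces joe's test case on a single NTDS Settings object.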