I dunno about you guys, but I am very disappointed with the tools
available to me for configuring perms. dsacls can configure most perms
but can't configure control access rights to certain attributes of certain
objects (e.g. when you configure an attribute as confidential and
need to allow certain people the control access right to view the
attribute). dsacls also can't display perms that well and gives
details as "special access". In order to see what's special, I have to
use something like acldiag and sdcheck. And then to revoke, yet
another tool, dsrevoke, which only works on domain objects and OUs.

After reading joe's book I figured, ldp.exe from ADAM-SP1, here I come.
Now that also has issues.

I know I can write scripts for handling this. But they are cumbersome
and slow. I think a nice, fast C++ tool that does all this would be
much appreciated. I am not sure how hard this is to do, but MSFT
certainly has the expertise. Maybe Longhorn will ship with
something like that. But I ain't holding my breath.

I am no expert and no MVP. I ain't convinced my rant is gonna be heeded.
But please, guys out there with the influence (MVPs), help!!

M@


P.S. Please!!!


On 7/24/06, joe <[EMAIL PROTECTED]> wrote:
Beautiful, this is bug week....

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).

2. When you try to work around it and specify the actual object types to
inherit to, it creates two ACEs instead of one. The first ACE is the FC
inherit-only to the object class you specify, but then there is also an FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself.


G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe                          FULL CONTROL
Allow TEST\Domain Admins                SPECIAL ACCESS
                                       DELETE
                                       READ PERMISSONS
                                       WRITE PERMISSIONS
                                       CHANGE OWNERSHIP
                                       CREATE CHILD
                                       LIST CONTENTS
                                       WRITE SELF
                                       WRITE PROPERTY
                                       READ PROPERTY
                                       DELETE TREE
                                       LIST OBJECT
                                       CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                       READ PERMISSONS
                                       LIST CONTENTS
                                       READ PROPERTY
                                       LIST OBJECT
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>

Inherited to nTDSConnection
Allow TEST\joe                          FULL CONTROL
The command completed successfully



So in order to generate a generic FC that is only inherited, you can't,
because of bug 1, do it with LDP. If you want to create an ACE for a specific
objectclass (which nTDSConnection should be ok in terms of what you are
trying to delegate) it can do it, but you have to go back and clean up the
additional ACE created by bug 2.


I will alert MSFT.

  joe




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with the ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in
CN=Sites,CN=Configuration,DC=ForestFQDN? The inherit-only perms
option is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.

Regards

M@
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

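An added example, not code from this thread or from joe's tools, showing with Windows PowerShell and System.DirectoryServices the two grants the thread is about: the inherit-only Full Control ACE scoped to one object class that Matheesha could not get ldp.exe to produce (with a check that strips the stray non-inherited ACE joe's bug 2 leaves on the object itself), and the Read Property plus Control Access ACE on a confidential attribute that M@ says dsacls cannot express. The DC name r2dc1, forest test.loc, trustee TEST\joe and the NTDS Settings DN are taken from joe's dsacls output and are assumptions about your environment; the attribute employeeNumber and class user in the last call are made-up illustration values.

```powershell
# Added example; not code from the thread. Windows PowerShell on a domain-joined
# host, run as an account allowed to write the target's nTSecurityDescriptor.
# Server, trustee and DN values are the thread's lab values, used as assumptions.
Add-Type -AssemblyName System.DirectoryServices

$Server = 'r2dc1'   # assumed: the DC joe pointed dsacls at

function Get-Entry {
    param([string]$Dn)
    New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$Server/$Dn"
}

function Get-TrusteeSid {
    param([string]$Trustee)   # 'DOMAIN\name'
    (New-Object System.Security.Principal.NTAccount -ArgumentList $Trustee).Translate(
        [System.Security.Principal.SecurityIdentifier])
}

function Get-SchemaGuid {
    # Resolve a class or attribute lDAPDisplayName to its schemaIDGUID from the
    # schema NC instead of hard-coding GUIDs, which are easy to mistype.
    param([string]$LdapDisplayName)
    $rootDse  = Get-Entry 'RootDSE'
    $schemaNc = [string]$rootDse.psbase.Properties['schemaNamingContext'].Value
    $filter   = "(&(|(objectClass=classSchema)(objectClass=attributeSchema))" +
                "(lDAPDisplayName=$LdapDisplayName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList (Get-Entry $schemaNc), $filter
    [void]$searcher.PropertiesToLoad.Add('schemaIDGUID')
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "No schema object with lDAPDisplayName '$LdapDisplayName'" }
    New-Object System.Guid -ArgumentList (,[byte[]]$hit.Properties['schemaIDGUID'][0])
}

function Grant-InheritOnlyFullControl {
    # One ACE: Full Control, Allow, inherit-only (CI + IO), restricted to descendants
    # of class $ChildClass. Nothing is granted on $ContainerDn itself, which is the
    # ACE ldp's greyed-out "inherit only" checkbox will not let you build.
    param([string]$ContainerDn, [string]$Trustee, [string]$ChildClass)
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        (Get-TrusteeSid $Trustee),
        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid $ChildClass)
    )
    $entry = Get-Entry $ContainerDn
    $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $entry.psbase.CommitChanges()
}

function Remove-StrayObjectAce {
    # ldp's second bug leaves an explicit, non-inherited Full Control ACE on the
    # object itself beside the inherit-only one. Remove exactly those ACEs for the
    # trustee and return how many were removed (0 means the ACL was already clean).
    param([string]$ContainerDn, [string]$Trustee)
    $sid   = Get-TrusteeSid $Trustee
    $entry = Get-Entry $ContainerDn
    $sd    = $entry.psbase.ObjectSecurity
    $stray = @($sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $sid -and
            $_.ActiveDirectoryRights -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll -and
            $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None
        })
    foreach ($r in $stray) { $sd.RemoveAccessRuleSpecific($r) }
    if ($stray.Count -gt 0) { $entry.psbase.CommitChanges() }
    return $stray.Count
}

function Grant-ConfidentialAttributeRead {
    # A confidential attribute (searchFlags bit 0x80) is returned only to trustees
    # holding BOTH Read Property and Control Access on that attribute. This sets both
    # in one ACE: objectType = the attribute, inheritedObjectType = $TargetClass.
    param([string]$ContainerDn, [string]$Trustee, [string]$Attribute, [string]$TargetClass)
    $rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
              [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        (Get-TrusteeSid $Trustee),
        $rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        (Get-SchemaGuid $Attribute),
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        (Get-SchemaGuid $TargetClass)
    )
    $entry = Get-Entry $ContainerDn
    $entry.psbase.ObjectSecurity.AddAccessRule($ace)
    $entry.psbase.CommitChanges()
}

# --- Usage with the thread's lab values (assumptions) ---------------------------
$ntds = 'CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,' +
        'CN=Sites,CN=Configuration,DC=test,DC=loc'
Grant-InheritOnlyFullControl -ContainerDn $ntds -Trustee 'TEST\joe' -ChildClass 'nTDSConnection'
"Stray non-inherited ACEs removed: $(Remove-StrayObjectAce -ContainerDn $ntds -Trustee 'TEST\joe')"
# Hypothetical attribute/class: let TEST\joe read a confidential attribute on users.
Grant-ConfidentialAttributeRead -ContainerDn 'DC=test,DC=loc' -Trustee 'TEST\joe' `
    -Attribute 'employeeNumber' -TargetClass 'user'
```

For Matheesha's original request (inherit-only Full Control on every nTDSDSA object under Sites) the same function is called with `-ContainerDn 'CN=Sites,CN=Configuration,DC=test,DC=loc' -ChildClass 'nTDSDSA'`. `Descendents` is what produces the dsacls "Inherited to <class>" line with nothing on the container itself; `Children` would add NO_PROPAGATE_INHERIT on top, which is wrong for NTDS Settings objects nested under server objects. Run `Remove-StrayObjectAce` after any ACE added through ldp's editor to confirm the count is 0 before considering the delegation done, and re-check with `dsacls` since the two tools render the same ACE differently.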
