Joe, I see you were configuring Full Control (GA) for nTDSConnection objects by configuring perms on the parent nTDSDSA object. I was trying to actually configure full control to the nTDSDSA using perms on the CN=Sites object, but the principle is the same, I guess. The only thing is nTDSConnection objects can't have child objects, can they? Still, I am having some issues repro'ing. You said your workaround was to configure on the object types. Did you mean to configure explicitly on the object, or on the parent with the child's object type specified in the ACE? I can't repro here and I am not sure whether you used dsacls or ldp to repro.

And why does it not choose the "Access System Security" option when you edit a Full Control ACE? Is that expected? I thought full control meant everything. Not everything but "Access System Security". Also, how come there is no string defined for "Access System Security"? There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is most appreciated. I am already reading TechNet and many books by the fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am offered. I truly appreciate it.

Sincerely
M@

On 7/24/06, joe <[EMAIL PROTECTED]> wrote:
Beautiful, this is bug week.... There are actually two bugs here.

1. The inherit-only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit-only ACE (i.e. Child Objects Only).

2. When you try to work around it and specify the actual object types to inherit to, it creates two ACEs instead of one. The first ACE is the FC inherit-only to the object class you specify, but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.

G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe                          FULL CONTROL
Allow TEST\Domain Admins                SPECIAL ACCESS
                                        DELETE
                                        READ PERMISSONS
                                        WRITE PERMISSIONS
                                        CHANGE OWNERSHIP
                                        CREATE CHILD
                                        LIST CONTENTS
                                        WRITE SELF
                                        WRITE PROPERTY
                                        READ PROPERTY
                                        DELETE TREE
                                        LIST OBJECT
                                        CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                        READ PERMISSONS
                                        LIST CONTENTS
                                        READ PROPERTY
                                        LIST OBJECT
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>

Inherited to nTDSConnection
Allow TEST\joe                          FULL CONTROL

The command completed successfully

So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate), it can do it, but you have to go back and clean up the additional ACE created by bug 2. I will alert MSFT.
joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with the ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in CN=Sites,CN=Configuration,DC=ForestFQDN? The inherit-only perms option is grayed out here and I don't know how to do it. Based on joe's comments I assumed ldp.exe's ACL editor is the most comprehensive and capable ACL GUI editor available. I must be doing something wrong here, so I would appreciate some help.

Regards
M@

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
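The thread describes what ldp.exe's ACL editor in ADAM SP1 cannot do (an inherit-only Full Control ACE) and the extra non-inherited ACE it leaves behind when you work around it. The following is an added PowerShell example, not code posted by anyone in the thread, that builds the same inherit-only ACE for nTDSConnection children directly with System.DirectoryServices, then re-reads the DACL to spot and remove a stray non-inherited Full Control ACE for the same trustee, which is the clean-up step joe says is needed after bug 2. It also checks, from the ActiveDirectoryRights enum values, that GenericAll does not contain AccessSystemSecurity, which is why a Full Control ACE does not tick that box. Assumptions: the DN and the principal TEST\joe are taken from joe's lab output, the default LDAP:// binding reaches a writable DC, and the caller can write the nTDSDSA object's DACL. The dsacls form mentioned in a comment is offered as the equivalent command-line route and is an assumption about dsacls syntax, not something the thread states.

```powershell
# Added example (not from the thread). Assumed: DN and trustee from joe's lab,
# default LDAP:// binding, caller may write the target object's DACL.
Add-Type -AssemblyName System.DirectoryServices

$targetDn  = 'CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc'
$principal = New-Object System.Security.Principal.NTAccount('TEST', 'joe')

# 1. Resolve the schemaIDGUID of a class from the schema NC instead of
#    hard-coding it; this GUID goes into the ACE's InheritedObjectType field.
function Get-SchemaClassGuid([string]$LdapDisplayName) {
    $schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher(
        [ADSI]"LDAP://$schemaNc",
        "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))",
        [string[]]@('schemaIDGUID'))
    $result = $searcher.FindOne()
    if (-not $result) { throw "Class $LdapDisplayName not found in schema" }
    New-Object System.Guid -ArgumentList (,[byte[]]$result.Properties['schemaidguid'][0])
}

# 2. The ACE ldp.exe's editor will not build: Allow GenericAll, inherit-only.
#    InheritanceType Descendents sets CONTAINER_INHERIT_ACE + INHERIT_ONLY_ACE,
#    so the ACE never applies to the nTDSDSA object itself; the inherited
#    object type restricts it to nTDSConnection objects below it.
#    (Assumed dsacls equivalent: dsacls "<DN>" /I:S /G "TEST\joe:GA;;nTDSConnection")
$connGuid = Get-SchemaClassGuid 'nTDSConnection'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $principal,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $connGuid)

$entry = [ADSI]"LDAP://$targetDn"
$entry.ObjectSecurity.AddAccessRule($ace)
$entry.CommitChanges()

# 3. Re-read the explicit (non-inherited) ACEs for the trustee and look for the
#    symptom in joe's dsacls listing: a second GenericAll ACE with no
#    inheritance flags, i.e. Full Control on the object itself.
$entry.RefreshCache()
$ga   = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$mine = $entry.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
    Where-Object { $_.IdentityReference.Value -eq $principal.Value }

foreach ($r in $mine) {
    '{0,-10} {1,-12} InheritanceType={2,-12} InheritedObjectType={3}' -f `
        $r.IdentityReference, $r.ActiveDirectoryRights, $r.InheritanceType, $r.InheritedObjectType
}

$stray = $mine | Where-Object {
    $_.InheritanceType -eq [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None -and
    (($_.ActiveDirectoryRights -band $ga) -eq $ga)
}
if ($stray) {
    Write-Warning ("Found {0} non-inherited Full Control ACE(s) for {1} on the object itself; removing." -f @($stray).Count, $principal.Value)
    foreach ($s in $stray) { [void]$entry.ObjectSecurity.RemoveAccessRuleSpecific($s) }
    $entry.CommitChanges()
}

# 4. Why "Access System Security" is not part of Full Control: it is a separate
#    access bit (0x01000000) governing SACL access, outside GENERIC_ALL's mask.
$ass = [System.DirectoryServices.ActiveDirectoryRights]::AccessSystemSecurity
'GenericAll = 0x{0:X}, AccessSystemSecurity = 0x{1:X}, overlap = 0x{2:X}' -f [int]$ga, [int]$ass, ([int]$ga -band [int]$ass)
```

Use Children instead of Descendents in step 2 if the delegation should stop at the nTDSDSA object's immediate children; for nTDSConnection objects, which sit directly under NTDS Settings, both produce the same effective result. The listing in step 3 prints one line per explicit ACE for the trustee, so a correct result after the script is a single line with InheritanceType Descendents and the nTDSConnection GUID, and no warning.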