Joe

Joe, I see you were configuring Full Control (GA) for nTDSConnection
objects by configuring perms on the parent nTDSDSA object. I was
trying to actually configure full control to the nTDSDSA using perms
on the CN=Sites object, but the principal is the same I guess. The only
thing is nTDSConnection objects can't have child objects, can they?
Still I am having some issues repro'ing. You said your workaround was
to configure on the object types. Did you mean to configure explicitly
on the object or on the parent with the child's object type specified
in the ACE? I can't repro here and I am not sure whether you used
dsacls or ldp to repro.

And why does it not choose the "Access System Security" option when
you edit a Full Control ACE? Is that expected? I thought full control
meant everything. Not everything but "Access System Security".

Also how come there is no string defined for "Access System Security"?
There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is
most appreciated. I am already reading TechNet and many books by the
fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am
offered. I truly appreciate it.

Sincerely

M@


On 7/24/06, joe <[EMAIL PROTECTED]> wrote:
Beautiful, this is bug week....

There are actually two bugs here.

1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).

2. When you try to work around it and specify the actual object types to
inherit to it creates two ACEs instead of one. The first ACE is the FC
inherit only to the object class you specify but then there is also a FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself.


G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe                          FULL CONTROL
Allow TEST\Domain Admins                SPECIAL ACCESS
                                       DELETE
                                       READ PERMISSONS
                                       WRITE PERMISSIONS
                                       CHANGE OWNERSHIP
                                       CREATE CHILD
                                       LIST CONTENTS
                                       WRITE SELF
                                       WRITE PROPERTY
                                       READ PROPERTY
                                       DELETE TREE
                                       LIST OBJECT
                                       CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
                                       READ PERMISSONS
                                       LIST CONTENTS
                                       READ PROPERTY
                                       LIST OBJECT
Allow NT AUTHORITY\SYSTEM               FULL CONTROL
Allow TEST\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins                FULL CONTROL   <Inherited from parent>
Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from parent>

Inherited to nTDSConnection
Allow TEST\joe                          FULL CONTROL
The command completed successfully



So in order to generate a generic FC that is only inherited, you can't,
because of bug 1, do it with LDP. If you want to create an ACE for a specific
objectclass (which nTDSConnection should be ok in terms of what you are
trying to delegate) it can do it, but you have to go back and clean up the
additional ACE created by bug 2.


I will alert MSFT.

  joe




--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
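Added example (not from the thread or from any of its authors): a small SDDL check that mirrors joe's dsacls listing, flags the stray non-inherited Full Control ACE that bug 2 leaves on the object itself so it can be cleaned up, and shows the single inherit-only ACE the delegation was meant to produce. The SIDs are constructed, and the nTDSConnection schemaIDGUID is an assumption to verify against your own schema.

```python
import re

# SDDL rights tokens used here. ACCESS_SYSTEM_SECURITY (0x01000000) has no
# two-letter SDDL token and can only be written as a hex mask, which is why
# the ACL editors show no string for it and GA (Full Control) never includes it.
RIGHTS = {"GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000,
          "GX": 0x20000000, "RC": 0x00020000, "SD": 0x00010000,
          "WD": 0x00040000, "WO": 0x00080000}
ACCESS_SYSTEM_SECURITY = 0x01000000
# Assumed schemaIDGUID of nTDSConnection; verify against your schema.
NTDS_CONNECTION_GUID = "19195a60-6da0-11d0-afd3-00c04fd930c9"
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_dacl(sddl):
    """Split a DACL string into dicts holding the six ACE fields."""
    return [dict(zip(("type", "flags", "rights", "obj", "inh_obj", "sid"), m.groups()))
            for m in ACE_RE.finditer(sddl)]

def tokens(field):
    """SDDL flag and rights fields are runs of two-letter tokens."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def rights_mask(rights):
    """Resolve a rights field (two-letter tokens or 0x hex) to an access mask."""
    if rights.startswith("0x"):
        return int(rights, 16)
    return sum(RIGHTS[t] for t in tokens(rights))

def stray_explicit_full_control(sddl, sid):
    """Allow ACEs for `sid` granting FC on the object itself (neither IO nor ID)."""
    return [a for a in parse_dacl(sddl)
            if a["type"] == "A" and a["sid"] == sid
            and rights_mask(a["rights"]) & RIGHTS["GA"]
            and not tokens(a["flags"]) & {"IO", "ID"}]

def inherit_only_full_control(sid, inherited_object_type):
    """The intended ACE: FC, container-inherit, inherit-only, one object class."""
    return f"(A;CIIO;GA;;{inherited_object_type};{sid})"

# Constructed DACL mirroring the dsacls listing above: the stray explicit FC
# for joe, the intended inherit-only FC scoped to nTDSConnection, and an
# inherited Domain Admins FC. SIDs are made up.
JOE_SID = "S-1-5-21-1111-2222-3333-1105"
SAMPLE_DACL = ("D:(A;;GA;;;" + JOE_SID + ")"
               "(A;CIIO;GA;;" + NTDS_CONNECTION_GUID + ";" + JOE_SID + ")"
               "(A;CIID;GA;;;S-1-5-21-1111-2222-3333-512)")

if __name__ == "__main__":
    for ace in stray_explicit_full_control(SAMPLE_DACL, JOE_SID):
        print("remove stray ACE:", ace)
    print("intended ACE:", inherit_only_full_control(JOE_SID, NTDS_CONNECTION_GUID))
```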


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] ldp in ADAM-SP1

All

Could someone with more experience with the ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in
CN=Sites,CN=Configuration,DC=ForestFQDN? The inherit-only perms
option is grayed out here and I don't know how to do it.

Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.

Regards

M@
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
