There is much in ldp I don't know. Everything I do know, I learned from John Craddock's book and the Understanding LDAP whitepaper from MSFT.
Thanks for all the help so far joe and Dmitri. If I wanted to get my TAM to get the updated version of ldp as it stands, what QFE number should I quote?

The more I look into this the more insane I get ;-) Why is the Extended Right defined with the string "SW" in the SDDL format but dsacls uses "WS"? Different access masks have different names depending on what I read. "Read permissions" in ldp is "Read Control" in the docs. "Extended write" in ldp is "Write to self" in dsacls. At least that's how I understood it. I may have to make my own notes on this. If I ever have to read this stuff and the delegation docs I am definitely going to go nuts.

Would it be fair to say we can do all we need definitely using scripts? Or is that also not definite? You see, until recently I was reading this delegation doc with a grin from ear-to-ear thinking yeah! And now I am not so .... Before I break down and cry like Homer, I'm gonna go get some Zzzzzzzzzzzzzz!

Cheers
M@

On 7/24/06, Dmitri Gavrilov <[EMAIL PROTECTED]> wrote:
Re "Access System Security" checkbox. We removed it from the latest versions of ldp.exe because it does not do what you want. Even if you grant this right to some principal, he will still be unable to read or tweak the SACLs. The only way to be able to do this is to grant the SE_ACCESS_SYSTEM_SECURITY privilege. You do this from gpedit.msc (security settings/User rights assignments).

On a more general note -- yes, AD security is a mess to manage and to understand. We are trying to improve it, but it is a super super difficult task. Not only are the rules difficult to understand and numerous, but we also need to respect the existing security setups which use weird ACLs. There were several attempts to improve things, but I don't believe we are getting closer, mostly due to backward compatibility issues, as well as due to the need to introduce new rules (such as the confidentiality bit and many new control access rights).

BTW, the Delegation Wizard is considered to be the "entry-level" ACLing tool. Alas, it does not work for ADAM.

Dmitri

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, July 24, 2006 1:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] ldp in ADAM-SP1

Yeah what I was doing was setting a FC ACE for connection objects only. If you want to cover multiple objects for this you would need to specify multiple objectclasses which would result in multiple ACEs which is not a good option. Which means, use a different tool as the bugs in the current version of LDP make that difficult for this specific task. In my tests, I was specifically using LDP from ADAM SP1. But for what you want to do, use ADUC or DSACLS.

As an aside, I emailed Matheesha directly a little while ago when my first email was lost in limbo waiting to be sent out by the list. A version of LDP that doesn't have this issue should be in Longhorn when it is released.
The developer quickly fixed the first bug I mentioned this morning after I pinged him and it seems the second bug had already been corrected. This folks is the power of this list.... Take note.

I am not entirely positive what the "Access system security" is supposed to be... This is not an issue in later versions of LDP...

I would say read the chapters on security in the AD book, then if you don't have it, get and read Sakari's book as that has a great chapter on AD security and then finally if you still want to learn more, wander into the MSDN library and start reading about Security Descriptors, Access Control Lists, and Access Control Entries. Once you understand the structures and how they are represented a lot of the security stuff starts making more and more sense.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
Sent: Monday, July 24, 2006 2:03 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Joe

joe I see you were configuring Full Control (GA) for nTDSConnection objects by configuring perms on the parent nTDSDSA object. I was trying to actually configure full control to the nTDSDSA using perms on the CN=Sites object but the principal is the same I guess. The only thing is nTDSConnection objects can't have child objects can they? Still I am having some issues repro'ing. You said your workaround was to configure on the object types. Did you mean to configure explicitly on the object or on the parent with the child's object type specified in the ACE? I can't repro here and I am not sure whether you used dsacls or ldp to repro. And why does it not choose the "Access System Security" option when you edit a Full Control ACE? Is that expected? I thought full control meant everything. Not everything but "Access System Security".
Also how come there is no string defined for "Access System Security"? There is for all other access masks. I freely admit I know very little in this arena. Any lesson offered is most appreciated. I am already reading TechNet and many books by the fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am offered. I truly appreciate it.

Sincerely
M@

On 7/24/06, joe <[EMAIL PROTECTED]> wrote:
> Beautiful, this is bug week....
>
> There are actually two bugs here.
>
> 1. The inherit only check box is greyed out. This is the checkbox you would need to check in order to specify an inherit only ACE (i.e. Child Objects Only).
>
> 2. When you try to work around it and specify the actual object types to inherit to, it creates two ACEs instead of one. The first ACE is the FC inherit only to the object class you specify but then there is also a FC to the object itself. In the example below note the TEST\joe ACEs... I only added a single FC for nTDSConnection objects for test\joe but got that AND the non-inheritable Test\joe FC on the object itself.
>
> G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
> Access list:
> Effective Permissions on this object are:
> Allow TEST\joe FULL CONTROL
> Allow TEST\Domain Admins SPECIAL ACCESS
>   DELETE
>   READ PERMISSONS
>   WRITE PERMISSIONS
>   CHANGE OWNERSHIP
>   CREATE CHILD
>   LIST CONTENTS
>   WRITE SELF
>   WRITE PROPERTY
>   READ PROPERTY
>   DELETE TREE
>   LIST OBJECT
>   CONTROL ACCESS
> Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
>   READ PERMISSONS
>   LIST CONTENTS
>   READ PROPERTY
>   LIST OBJECT
> Allow NT AUTHORITY\SYSTEM FULL CONTROL
> Allow TEST\Domain Admins FULL CONTROL <Inherited from parent>
> Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
>
> Permissions inherited to subobjects are:
> Inherited to all subobjects
> Allow TEST\Domain Admins FULL CONTROL <Inherited from parent>
> Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
>
> Inherited to nTDSConnection
> Allow TEST\joe FULL CONTROL
> The command completed successfully
>
> So in order to generate a generic FC that is only inherited, you can't, because of bug 1, do it with LDP. If you want to create an ACE for a specific objectclass (which nTDSConnection should be ok in terms of what you are trying to delegate) it can do it but you have to go back and clean up the additional ACE created by bug 2.
>
> I will alert MSFT.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha Weerasinghe
> Sent: Monday, July 24, 2006 8:12 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] ldp in ADAM-SP1
>
> All
>
> Could someone with more experience with ldp provided with ADAM-SP1 tell me how I would go about configuring inherit-only Full Control permissions on nTDSDSA objects in CN=Sites,CN=Configuration,DC=ForestFQDN? The inherit-only perms option is grayed out here and I don't know how to do it.
>
> Based on joe's comments I assumed ldp.exe's ACL editor is the most comprehensive and capable ACL GUI editor available. I must be doing something wrong here so I would appreciate some help.
>
> Regards
>
> M@
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
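The two things the thread keeps tripping over, SDDL two-letter rights codes versus the names dsacls prints and the leftover non-inherit-only FULL CONTROL ACE that bug 2 leaves behind, as an added example in Python; this is not code from the thread or from any Microsoft tool, and the schemaIDGUID and SID it uses are placeholders.

```python
import re

# SDDL two-letter rights codes mapped to the names dsacls prints (the names in
# joe's dsacls output above). ACCESS_SYSTEM_SECURITY (0x01000000) has no SDDL
# code at all, which is why no string exists for "Access System Security".
RIGHTS = {
    "CC": "CREATE CHILD", "DC": "DELETE CHILD", "LC": "LIST CONTENTS",
    "SW": "WRITE SELF", "RP": "READ PROPERTY", "WP": "WRITE PROPERTY",
    "DT": "DELETE TREE", "LO": "LIST OBJECT", "CR": "CONTROL ACCESS",
    "SD": "DELETE", "RC": "READ PERMISSIONS", "WD": "WRITE PERMISSIONS",
    "WO": "CHANGE OWNERSHIP", "GA": "FULL CONTROL",
}
# One SDDL ACE: (type;flags;rights;object_guid;inherited_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")

def parse_dacl(sddl):
    """Decode every ACE in an SDDL DACL string such as 'D:(OA;CIIO;GA;;guid;sid)'."""
    aces = []
    for m in ACE_RE.finditer(sddl):
        atype, flags, rights, obj, inh_obj, sid = m.groups()
        flag_list = re.findall(r"[A-Z]{2}", flags)
        aces.append({
            "type": atype,
            "flags": flag_list,
            # two-letter codes only; a raw hex mask is left undecoded
            "rights": [RIGHTS.get(c, c) for c in re.findall(r"[A-Z]{2}", rights)],
            "object_type": obj,
            "inherited_object_type": inh_obj,
            "sid": sid,
            "inherit_only": "IO" in flag_list,   # IO = inherit-only ("Child Objects Only")
        })
    return aces

def stray_full_control(sddl, sid):
    """ACEs for `sid` that grant FULL CONTROL on the object itself (not inherit-only).
    This is the leftover ACE bug 2 creates next to the intended inherit-only one."""
    return [a for a in parse_dacl(sddl)
            if a["sid"] == sid and not a["inherit_only"] and "FULL CONTROL" in a["rights"]]

# Constructed sample mirroring the dsacls output in the thread: the intended
# inherit-only FC scoped to nTDSConnection plus the unintended FC on the object.
# The GUID and SID are placeholders, not values from any real forest.
NTDS_CONNECTION_GUID = "11111111-2222-3333-4444-555555555555"  # placeholder schemaIDGUID
JOE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"       # placeholder SID
SAMPLE_DACL = ("D:(OA;CIIO;GA;;" + NTDS_CONNECTION_GUID + ";" + JOE_SID + ")"
               "(A;;GA;;;" + JOE_SID + ")")
if __name__ == "__main__":
    for ace in stray_full_control(SAMPLE_DACL, JOE_SID):
        print("clean up:", ace)
```

Running it against the real DACL (for example the output of `dsacls` with the SDDL option, or `Get-Acl` on the AD provider) lists only the ACEs that would need to be removed by hand after using the ADAM SP1 LDP workaround.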