You have to modify the Schema container because the Schema FSMO is all about the Schema container. It is right and logical that you control who can do it by modifying permissions on it.
 
Another solution would be: don't delegate that. It isn't something that really shouldn't need to be moved all that much anyway.
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Levendyan
Sent: Wednesday, November 08, 2006 12:06 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Applying Permissions to 'cn=Schema' Container

Hi All!

 

While reading Best Practices for Delegating Active Directory Administration
(http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en, http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en)
I can see that MSFT recommends using the following permissions while delegating 'Operation Master Roles Management':

 

Seize the Schema Master Role

WP on cn=Schema, cn=Configuration, dc=<ForestRootDomain> to modify the fSMORoleOwner attribute

Extended Right Change-Schema-Master on cn=Schema, cn=Configuration, dc=<ForestRootDomain>

 

The same thing (applying permissions to 'cn=Schema') I can see in many other recommendations there.

Why is it required to apply permissions directly to the 'cn=Schema' container, and are there any other solutions?

 

Thanks, Ivan.
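
A read-only audit of the delegation discussed in this thread, added here as an example and not taken from either message or from the Microsoft guide: it lists the Allow ACEs on the Schema container that grant write access to fSMORoleOwner or the Change-Schema-Master extended right. It assumes the RSAT ActiveDirectory PowerShell module and an account that can read the schema and configuration partitions; the variable names are illustrative.

```powershell
# Added example: read-only audit, makes no changes to the directory.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext          # cn=Schema,cn=Configuration,dc=<ForestRootDomain>
$configNC = $rootDse.configurationNamingContext

# Resolve both GUIDs from the directory instead of hard-coding them.
$attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=fSMORoleOwner)' `
            -Properties schemaIDGUID
$fsmoGuid = [Guid]$attr.schemaIDGUID              # byte[] -> Guid

$right = Get-ADObject -Identity "CN=Change-Schema-Master,CN=Extended-Rights,$configNC" `
            -Properties rightsGuid
$rightGuid = [Guid]$right.rightsGuid              # string -> Guid

# Current role holder, for reference.
$owner = (Get-ADObject -Identity $schemaNC -Properties fSMORoleOwner).fSMORoleOwner
Write-Output "Schema master: $owner"

$adRights  = [System.DirectoryServices.ActiveDirectoryRights]
$propFlags = [System.Security.AccessControl.PropagationFlags]
$empty     = [Guid]::Empty                        # ObjectType of an ACE not scoped to one attribute/right

$findings = (Get-Acl -Path "AD:\$schemaNC").Access | Where-Object {
    $ace = $_
    # Only ACEs that allow access and apply to the container itself.
    $applies = $ace.AccessControlType -eq 'Allow' -and
               -not $ace.PropagationFlags.HasFlag($propFlags::InheritOnly)

    # WP on fSMORoleOwner: scoped to the attribute, or unscoped (all properties).
    # GenericAll and GenericWrite include the WriteProperty bit, so they match too.
    $writesOwner = $ace.ActiveDirectoryRights.HasFlag($adRights::WriteProperty) -and
                   ($ace.ObjectType -eq $fsmoGuid -or $ace.ObjectType -eq $empty)

    # Change-Schema-Master: scoped to the right, or unscoped (all extended rights).
    $changeRole  = $ace.ActiveDirectoryRights.HasFlag($adRights::ExtendedRight) -and
                   ($ace.ObjectType -eq $rightGuid -or $ace.ObjectType -eq $empty)

    $applies -and ($writesOwner -or $changeRole)
}

$findings |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Sort-Object IdentityReference |
    Format-Table -AutoSize
```

Any trustee in the output beyond the groups you expect to manage the schema is a delegation worth reviewing.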

 


 
