The ACEs in the ACL on the file server are maintained by the LSA on that 
server.  ACLs on member servers are nothing to do with AD really.  AD is used 
to verify the SIDs in the ACLs when necessary, but it's the local LSA that's 
doing the authorisation (based on the information in one's security token which 
AD participates in generating).

Managing the ACLs is the client's job, not the DCs' job.  I don't see this 
changing in the future.  It would be far too complex and expensive to have the 
DCs manage this kind of stuff.  The whole MSFT client-server design is based on 
the client systems doing most of the leg work.  Clients always use servers.  
Servers don't use clients.


--Paul
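An added example, not from anyone on this thread, of how an admin can find the "dirty" SIDs Yann describes on the file server itself: it walks a tree, asks for each explicit ACE's identity as a raw SID (the form the local LSA stores it in), and reports those that no longer translate to an account. The function name Find-OrphanedSidAce and the sample path are my own; a SID from a trusted domain that is temporarily unreachable also fails to translate, so review the report before using -Remove.

```powershell
# Added example (not from the thread). Reports explicit ACEs whose SID no
# longer resolves, i.e. the SIDs left behind after the AD object was deleted.
# Read-only unless -Remove is given; -WhatIf is honoured.
# Assumptions: run on the file server (or via an admin share) as an account
# that can read the DACLs; Windows PowerShell 5.1 or PowerShell 7.
function Find-OrphanedSidAce {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$Remove
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ntType  = [System.Security.Principal.NTAccount]

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        try { $acl = Get-Acl -LiteralPath $item.FullName }
        catch { Write-Warning "Cannot read ACL on $($item.FullName)"; continue }

        # Explicit ACEs only: inherited ones are fixed once at the parent.
        # Asking for SID identities gives us the stored value, not a lookup result.
        $rules   = $acl.GetAccessRules($true, $false, $sidType)
        $changed = $false
        foreach ($rule in $rules) {
            $sid = $rule.IdentityReference
            $account = $null
            try { $account = $sid.Translate($ntType) }
            catch [System.Security.Principal.IdentityNotMappedException] { }
            if ($account) { continue }   # resolves: not orphaned

            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $sid.Value
                Rights = $rule.FileSystemRights
                Type   = $rule.AccessControlType
            }

            if ($Remove -and $PSCmdlet.ShouldProcess($item.FullName, "Remove ACE for $($sid.Value)")) {
                [void]$acl.RemoveAccessRule($rule)   # $rules is a snapshot, safe to mutate $acl
                $changed = $true
            }
        }
        if ($changed) { Set-Acl -LiteralPath $item.FullName -AclObject $acl }
    }
}

# Sample usage (path is a placeholder): list first, remove only once reviewed.
Find-OrphanedSidAce -Path 'D:\Shares\Projects' | Format-Table -AutoSize
# Find-OrphanedSidAce -Path 'D:\Shares\Projects' -Remove -WhatIf
```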


  ----- Original Message ----- 
  From: Yann 
  To: ActiveDir@mail.activedir.org 
  Sent: Thursday, January 04, 2007 10:35 AM
  Subject: RE : RE: [ActiveDir] SID Deleted users remains in NTS permission.


  Thanks for replying.

  You say that it is normal that the SID still remains in file & directory ACLs 
after the deletion of the corresponding group??

  I always thought that SIDs *HAVE TO* disappear dynamically on all existing 
ACLs set on the file server.
  I'm a bit surprised that the system (AD<->file server) leaves this dirty SID 
and that there is no synchronisation that updates the "link" between the AD 
object and the ACE....

  What is the reason? Could this behaviour be altered?

  I'd like the SID to disappear after deletion of the corresponding group in AD in 
order to not have these dirty SIDs...

  Thanks.

  Yann


  "Akomolafe, Deji" <[EMAIL PROTECTED]> wrote:
    It's "normal". You should be permissioning your resources with groups 
instead of directly with user accounts. Groups tend to last longer, so you 
don't have to deal with the horrible SIDs.


    Sincerely, 
    Deji Akomolafe
    Microsoft MVP - Directory Services
    www.akomolafe.com - we know IT


----------------------------------------------------------------------------
    From: Yann
    Sent: Thu 1/4/2007 1:52 AM
    To: ActiveDir@mail.activedir.org
    Subject: [ActiveDir] SID Deleted users remains in NTS permission.


    Hello all & Happy new year! :)

    AD 2k3 SP1 in FFL mode.

    When I delete a user or group from AD, and these objects have NTFS 
permissions, I usually see their SIDs remaining in those file & 
directory ACLs.

    Is this normal? If not, what could be the reason(s) & how to investigate 
this issue?

    Thanks,

    Yann



