RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain,
We set the revision level in the security
descriptor in the meta code. And it indeed works fine. Thanks for all your time
and guidance. This has indeed come out to be a product defect.
Thanks again,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 2:49
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Rebuild because the revision required is
not set. When building a security descriptor under Windows, you are building an
object containing ACE (DACL and SACL).
Doing this on Windows is easy as we have
the APIs for it (Win32, ADSI, WMI, etc ...)
Under Unix by manipulating an SDDL string
to construct the security descriptor is an other story as don't have the API to
build the MS security descriptor... but I'm pretty sure that your problem comes
from the fact that the revision level is not set properly.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
For solving this error, Microsoft says,
rebuild security object. What does this imply? And how can I rebuild the
security object?
Any help, would be beneficial.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Hi Alain,
This error is being returned by the meta
directory server. For which I dont have the access to code. At them most
I can find the reason and try to eliminate it.
I would be just converting the binary SID
to text transformation and give it to the Meta
directory for settings.
Any idea why this would be caused?
Regards,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005
12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Have you been checking the script sample I
gave in the attached mail? It shows the value required for the revision level.
ADS_ACL_REVISION_DS is set to 4.
objDACL.AclRevision =
ADS_ACL_REVISION_DS
' Self
Trustee
Set objACE = CreateObject(AccessControlEntry)
objACE.Trustee = Self
objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
E2K_MB_FULL_MB_ACCESS Or _
E2K_MB_SEND_AS
objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objDACL.AddAce objACE
Set objACE = Nothing
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Hi,
I tried setting the
msexchmailboxsecuritydescriptor attribute. But am facing an error the
revision level is unknown.
Any known issue you know that might be
causing this?
Thanks,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Hi All,
Found a perl function in laman.pm. which
converts sid to string:
sub SidToString
{
return undef
unless unpack(C, substr($_[0], 0, 1)) == 1;
return undef
unless length($_[0]) == 8 + 4 * unpack(C, substr($_[0], 1, 1));
my $sid_str = S-1-;
$sid_str .= (unpack(C, substr($_[0], 7, 1)) +
(unpack(C, substr($_[0], 6, 1)) 8) +
(unpack(C, substr($_[0], 5, 1))
16) + (unpack(C,substr($_[0], 4, 1)) 24));
for $loop (0 .. unpack(C, substr($_[0], 1, 1)) - 1)
{
$sid_str .= - . unpack(I, substr($_[0], 4 * $loop + 8,
4));
}
return $sid_str;
}
Hope this will do the job.
What all will be required to do the job,
setting mailboxsecurity description and masteraccoundsid is enough? Or do I
also need something else.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Thanks for the pointer.
Also does anyone know any perl module
which converts the binary sid to test sid? The win32 module wont work because
the script will be inoked from HP-UX.
Regards,
Mayuresh.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005
3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Great! You're welcome!
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh
KshirsagarSent: Tuesday, August 16, 2005 3:15 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Hi
Alain,
We set the revision
level in the security descriptor in the meta code. And it indeed works fine.
Thanks for all your time and guidance. This has indeed come out to be a product
defect.
Thanks
again,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Alain
LissoirSent: Friday, August
12, 2005 2:49 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is
unknown
Rebuild because the
revision required is not set. When building a security descriptor under Windows,
you are building an object containing ACE (DACL and
SACL).
Doing this on Windows
is easy as we have the APIs for it (Win32, ADSI, WMI, etc
...)
Under Unix by
manipulating an SDDL string to construct the security descriptor is an other
story as don't have the API to build the MS security descriptor... but I'm
pretty sure that your problem comes from the fact that the revision level is not
set properly.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Friday, August
12, 2005 8:15 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is
unknown
For solving this error,
Microsoft says, rebuild security object. What does this imply? And how can I
rebuild the security object?
Any help, would be
beneficial.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Friday, August
12, 2005 2:36 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is
unknown
Hi
Alain,
This error is being
returned by the meta directory server. For which I dont have the access to
code. At them most I can find the reason and try to eliminate
it.
I would be just
converting the binary SID to text transformation and give it to the Meta directory for settings.
Any idea why this would
be caused?
Regards,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Alain
LissoirSent: Friday, August
12, 2005 12:07 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is
unknown
Have you been checking
the script sample I gave in the attached mail? It shows the value required for
the revision level.
ADS_ACL_REVISION_DS is
set to 4.
objDACL.AclRevision = ADS_ACL_REVISION_DS
'
"Self" Trustee Set objACE =
CreateObject("AccessControlEntry") objACE.Trustee =
"Self" objACE.AceType =
ADS_ACETYPE_ACCESS_ALLOWED objACE.AccessMask =
E2K_MB_READ_PERMISSIONS Or
_
E2K_MB_FULL_MB_ACCESS Or
_
E2K_MB_SEND_AS objACE.AceFlags =
ADS_ACEFLAG_INHERIT_ACE objDACL.AddAce
objACE Set objACE = Nothing
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Friday, August
12, 2005 4:59 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is
unknown
Hi,
I tried setting the
msexchmailboxsecuritydescriptor attribute. But am facing an error the revision
level is unknown.
Any known issue you
know that might be causing this?
Thanks,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Friday, August
12, 2005 6:32 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning
Hi
All,
Found a perl function
in laman.pm. which converts sid to string:
sub
SidToString
{
return undef
unless unpack("C", substr($_[0], 0, 1)) == 1;
return undef
unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1,
1));
my $sid_str = "S-1-";
$sid_str .= (unpack("C", substr($_[0], 7, 1)) + (unpack("C", substr($_[0], 6,
1)) 8) +
(unpack("C", substr($_[0], 5, 1)) 16) +
(unpack("C",substr($_[0], 4, 1)) 24));
for $loop (0 .. unpack("C", substr($_[0], 1, 1)) -
1)
{
$sid_str .= "-" . unpack("I", substr($_[0], 4 * $loop + 8,
4));
}
return $sid_str;
}
Hope this will do the
job.
What all will be
required to do the job, setting mailboxsecurity description and masteraccoundsid
is enough? Or do I also need something else.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Thursday,
August 11, 2005 7:55 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning
Thanks for the pointer.
Also does anyone know
any perl module which converts the binary sid to test sid? The win32 module wont
work be
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain / All,
So will this mean that there is no problem
with the descriptor that I am setting? Should it be a problem with the Meta directory code? All I can do is try to build the
descriptor. But the job of setting it is done by the Meta
directory agent code. I tried a sample _vbscript_ available on the Microsoft site
for doing this from the same machine and it worked fine.
Is there any converted that would convert
the string security descriptor to text one, so that I can create a binary value
before hand and feed it to the meta directory?
Regards,
Mayuresh.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 2:49
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Rebuild because the revision required is
not set. When building a security descriptor under Windows, you are building an
object containing ACE (DACL and SACL).
Doing this on Windows is easy as we have
the APIs for it (Win32, ADSI, WMI, etc ...)
Under Unix by manipulating an SDDL string
to construct the security descriptor is an other story as don't have the API to
build the MS security descriptor... but I'm pretty sure that your problem comes
from the fact that the revision level is not set properly.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
For solving this error, Microsoft says,
rebuild security object. What does this imply? And how can I rebuild the
security object?
Any help, would be beneficial.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Hi Alain,
This error is being returned by the meta
directory server. For which I dont have the access to code. At them most
I can find the reason and try to eliminate it.
I would be just converting the binary SID
to text transformation and give it to the Meta
directory for settings.
Any idea why this would be caused?
Regards,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005
12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Have you been checking the script sample I
gave in the attached mail? It shows the value required for the revision level.
ADS_ACL_REVISION_DS is set to 4.
objDACL.AclRevision =
ADS_ACL_REVISION_DS
' Self
Trustee
Set objACE = CreateObject(AccessControlEntry)
objACE.Trustee = Self
objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
E2K_MB_FULL_MB_ACCESS Or _
E2K_MB_SEND_AS
objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objDACL.AddAce objACE
Set objACE = Nothing
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Hi,
I tried setting the
msexchmailboxsecuritydescriptor attribute. But am facing an error the
revision level is unknown.
Any known issue you know that might be
causing this?
Thanks,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Hi All,
Found a perl function in laman.pm. which
converts sid to string:
sub SidToString
{
return undef
unless unpack(C, substr($_[0], 0, 1)) == 1;
return undef
unless length($_[0]) == 8 + 4 * unpack(C, substr($_[0], 1, 1));
my $sid_str = S-1-;
$sid_str .= (unpack(C, substr($_[0], 7, 1)) +
(unpack(C, substr($_[0], 6, 1)) 8) +
(unpack(C, substr($_[0], 5, 1))
16) + (unpack(C,substr($_[0], 4, 1)) 24));
for $loop (0 .. unpack(C, substr($_[0], 1, 1)) - 1)
{
$sid_str .= - . unpack(I, substr($_[0], 4 * $loop + 8,
4));
}
return $sid_str;
}
Hope this will do the job.
What all will be required to do the job,
setting mailboxsecurity description and masteraccoundsid is enough? Or do I
also need something else.
Thanks,
Mayuresh.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Thanks for the pointer.
Also does anyone know any perl module
which converts the binary sid to test sid? The win32 module wont work because
the script
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi,
I tried setting the
msexchmailboxsecuritydescriptor attribute. But am facing an error the
revision level is unknown.
Any known issue you know that might be
causing this?
Thanks,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Hi All,
Found a perl function in laman.pm. which
converts sid to string:
sub SidToString
{
return undef
unless unpack(C, substr($_[0], 0, 1)) == 1;
return undef
unless length($_[0]) == 8 + 4 * unpack(C, substr($_[0], 1, 1));
my $sid_str = S-1-;
$sid_str .= (unpack(C, substr($_[0], 7, 1)) +
(unpack(C, substr($_[0], 6, 1)) 8) +
(unpack(C, substr($_[0], 5, 1))
16) + (unpack(C,substr($_[0], 4, 1)) 24));
for $loop (0 .. unpack(C, substr($_[0], 1, 1)) - 1)
{
$sid_str .= - . unpack(I, substr($_[0], 4 * $loop + 8,
4));
}
return $sid_str;
}
Hope this will do the job.
What all will be required to do the job,
setting mailboxsecurity description and masteraccoundsid is enough? Or do I
also need something else.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Thanks for the pointer.
Also does anyone know any perl module
which converts the binary sid to test sid? The win32 module wont work because
the script will be inoked from HP-UX.
Regards,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005
3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
In the example above, you have a classic
output that contains SDDL (Security Descriptor Definition Language)
O:sid is the SID of the owner
G:sid is the SID of the group
D: is a DACL
Ill let you look over the rest and
determine what you have in your strings..
http://msdn.microsoft.com/library/default.asp?url="">
Rick
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 11:10
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Using a newer version of ldp I could
gather the following things:
The mailbox users have the following
attribute set.
usert -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
ZZZFFF -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);
ZZZGGG -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);
ZZZJJJ -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)
This part was common for all entries.
S-1-5-21-3308934242-2785796821-2776977491-
is the objectSID for the object in the other domain to whom I want to give
permissions. Also the attribute msExchMasterAccountSid is set to the value of
object sid.
But this part *** (A;CI;CCLCRC;;; ***
before the objectsid, differs in some entries. What are all these fields? How
can I find out these values programmatically and make a single attribute value
which I can then give to the meta directory for setting?
Regards,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Yes. But I want to do it using scripting +
Meta directory server.
The steps I understand until now is that:
give
appropriate permissions in the security tab to the user in different
domain.
give
appropriate permissions in the Mailbox right.
Since my Meta
directory server is on HP-UX, I cant employ a _vbscript_ to do this. Can there
be other ways? I understand that I would have to set the
msexchmailboxsecuritydescriptor attribute. How can I generate a binary value
for this using a perl script, so that I can give this value to the meta dir to
process and set in the exchange entry.
From:
[EMAIL PROTECTED] [mailto:[EMAIL
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain,
This error is being returned by the meta
directory server. For which I dont have the access to code. At them most
I can find the reason and try to eliminate it.
I would be just converting the binary SID
to text transformation and give it to the Meta
directory for settings.
Any idea why this would be caused?
Regards,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005
12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Have you been checking the script sample I
gave in the attached mail? It shows the value required for the revision level.
ADS_ACL_REVISION_DS is set to 4.
objDACL.AclRevision =
ADS_ACL_REVISION_DS
' Self
Trustee
Set objACE = CreateObject(AccessControlEntry)
objACE.Trustee = Self
objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
E2K_MB_FULL_MB_ACCESS Or _
E2K_MB_SEND_AS
objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
objDACL.AddAce objACE
Set objACE = Nothing
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
Hi,
I tried setting the
msexchmailboxsecuritydescriptor attribute. But am facing an error the
revision level is unknown.
Any known issue you know that might be
causing this?
Thanks,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Hi All,
Found a perl function in laman.pm. which
converts sid to string:
sub SidToString
{
return undef
unless unpack(C, substr($_[0], 0, 1)) == 1;
return undef
unless length($_[0]) == 8 + 4 * unpack(C, substr($_[0], 1, 1));
my $sid_str = S-1-;
$sid_str .= (unpack(C, substr($_[0], 7, 1)) +
(unpack(C, substr($_[0], 6, 1)) 8) +
(unpack(C, substr($_[0], 5, 1))
16) + (unpack(C,substr($_[0], 4, 1)) 24));
for $loop (0 .. unpack(C, substr($_[0], 1, 1)) - 1)
{
$sid_str .= - . unpack(I, substr($_[0], 4 * $loop + 8,
4));
}
return $sid_str;
}
Hope this will do the job.
What all will be required to do the job,
setting mailboxsecurity description and masteraccoundsid is enough? Or do I also
need something else.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Thanks for the pointer.
Also does anyone know any perl module
which converts the binary sid to test sid? The win32 module wont work because
the script will be inoked from HP-UX.
Regards,
Mayuresh.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005
3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
In the example above, you have a classic
output that contains SDDL (Security Descriptor Definition Language)
O:sid is the SID of the owner
G:sid is the SID of the group
D: is a DACL
Ill let you look over the rest and
determine what you have in your strings..
http://msdn.microsoft.com/library/default.asp?url="">
Rick
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005
11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox
permissioning
Using a newer version of ldp I could
gather the following things:
The mailbox users have the following
attribute set.
usert -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
ZZZFFF -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);
ZZZGGG -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);
ZZZJJJ -
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)
This part was common fo
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Rebuild because the revision required is not set. When building a
security descriptor under Windows, you are building an object containing ACE
(DACL and SACL).
Doing this on Windows is easy as we have the APIs for it (Win32,
ADSI, WMI, etc ...)
Under Unix by manipulating an SDDL string to construct the
security descriptor is an other story as don't have the API to build the MS
security descriptor... but I'm pretty sure that your problem comes from the fact
that the revision level is not set properly.
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh
KshirsagarSent: Friday, August 12, 2005 8:15 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is unknown
For solving this error,
Microsoft says, rebuild security object. What does this imply? And how can I
rebuild the security object?
Any help, would be
beneficial.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Friday, August
12, 2005 2:36 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is
unknown
Hi
Alain,
This error is being
returned by the meta directory server. For which I dont have the access to
code. At them most I can find the reason and try to eliminate
it.
I would be just
converting the binary SID to text transformation and give it to the Meta directory for settings.
Any idea why this would
be caused?
Regards,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Alain
LissoirSent: Friday, August
12, 2005 12:07 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is
unknown
Have you been checking
the script sample I gave in the attached mail? It shows the value required for
the revision level.
ADS_ACL_REVISION_DS is
set to 4.
objDACL.AclRevision = ADS_ACL_REVISION_DS
'
"Self" Trustee Set objACE =
CreateObject("AccessControlEntry") objACE.Trustee =
"Self" objACE.AceType =
ADS_ACETYPE_ACCESS_ALLOWED objACE.AccessMask =
E2K_MB_READ_PERMISSIONS Or
_
E2K_MB_FULL_MB_ACCESS Or
_
E2K_MB_SEND_AS objACE.AceFlags =
ADS_ACEFLAG_INHERIT_ACE objDACL.AddAce
objACE Set objACE = Nothing
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Friday, August
12, 2005 4:59 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning - Error - the revision level is
unknown
Hi,
I tried setting the
msexchmailboxsecuritydescriptor attribute. But am facing an error the revision
level is unknown.
Any known issue you
know that might be causing this?
Thanks,
Mayuresh
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Friday, August
12, 2005 6:32 AMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning
Hi
All,
Found a perl function
in laman.pm. which converts sid to string:
sub
SidToString
{
return undef
unless unpack("C", substr($_[0], 0, 1)) == 1;
return undef
unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1,
1));
my $sid_str = "S-1-";
$sid_str .= (unpack("C", substr($_[0], 7, 1)) + (unpack("C", substr($_[0], 6,
1)) 8) +
(unpack("C", substr($_[0], 5, 1)) 16) +
(unpack("C",substr($_[0], 4, 1)) 24));
for $loop (0 .. unpack("C", substr($_[0], 1, 1)) -
1)
{
$sid_str .= "-" . unpack("I", substr($_[0], 4 * $loop + 8,
4));
}
return $sid_str;
}
Hope this will do the
job.
What all will be
required to do the job, setting mailboxsecurity description and masteraccoundsid
is enough? Or do I also need something else.
Thanks,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Mayuresh
KshirsagarSent: Thursday,
August 11, 2005 7:55 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning
Thanks for the pointer.
Also does anyone know
any perl module which converts the binary sid to test sid? The win32 module wont
work because the script will be inoked from HP-UX.
Regards,
Mayuresh.
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Rick
KingslanSent: Thursday, August
11, 2005 3:39 PMTo:
ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] MailBox
permissioning
O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
In the example above,
you have a classic output that contains SDDL (Security Descriptor Definition
Language)
O:sid is the SID of the
owner
G:sid is the SID of the
group
D: is a
DACL
Ill let you look over
the rest and determine what you have in your
strings..
http://msdn.microsoft.co
