Apologies as I'm
reading in digest. But I just wanted to chip something into this surrounding OUs
versus groups as it was something that I've been thinking about on my
mind-numbing commute.
I understood that RODCs
could be configured to be a read only subset of objects (users) from the
/lurker
Hi All, Forgive me a second whilst I ramble on 'cos this IS going to be a ramble, then shoot me down in flames at the end! The problem with DR is getting the data from somewhere. Typically we go back to tape, which depending on when the last successful backup took place gives you a
Whoa, yep perhaps I didn't ramble enough! Simply, whoops I've lost something out of the directory. I need to get that stuff back. Where can I get the stuff back from:- tape - another
DC - perhaps deleted object restoration by some other 3rd party or another custom written process,
dsHeuristics can be used to control whether the 'list contents' ACE has an effect. So if the attribute is set to 001 then this means that if you haven't got list contents permission on a container then you can't see what's under it. Whereas if dsHeuristics is the equivalent of 000 then list
Aha. It is down to shoddy cut and pastes then. Sorted. The 3rd bit controls the "list object" behaviour not "list contents". The former is only available to use in an ACE if the 3rd bit is set to 1. If it's set to 0 or "not set" then "list contents" is available but not "list object". This
Alain,
Superb, setting the options in advance allowed me to get the SACLs correctly. Pity that it doesn't seem to be reflected in any other literature.
Virtual pint on its way or at least a purchase of your book!
Thanks,
Paul.
From: "Alain Lissoir" [EMAIL PROTECTED]
Subject: RE: [ActiveDir]
I'm trying to modify the SACLs on an object. Every document/book/google demonstrates how to do this by getting the ntSecurityDescriptor of an object and then obtaining a handle to the SACL by referencing .SystemAcl from the descriptor.
Nice except that when you try and get the object you get an
Suspend all sanity for a
moment. I'm not wandering down the route of trusted and untrusted
administrators, that's just how I arrived at this point. Simply I'm
just curious about the possibility of modifying systemFlags. If you try through
ldp or adsiedit you get errors general around the
I want to prevent a collection of administrative users from deleting certain objects/containers etc now I could set up some more acl's on these objects or I suppose that I could wander off and buy a product off the shelf to offer that protection. But looking at it some of these products do
I keep wading through lots of newsgroup posts that keep citing the same 2 MS KB articles. I need a bit of confirmation
# Account lockout is an urgent rep trigger, but this only means intra-site.
# For inter-site the lockout reps as per the schedule.
# To get lockout to rep urgently inter-site
I am currently in the process of scripting up some GPs to import into an AD. As part of this I need to add a filter to a couple of the policies to deny a group read access. (Putting the reasons for doing this aside for the minute.) I'm trying to find a way to do this, I've tried using the
Anyone know of a way to identify how long a DC has until its next
replication cycle? DCs must maintain some type of countdown timer so that
they know when to start a replication connection, trouble is finding if it's
in an easy to grab place. If I look at a box I'm after seeing how long
before
...maybe a little late in the day...
I'm assuming that the users are in the Active Directory in which case this
isn't an issue it's by design. Otherwise you'd be having users circumventing
desktop restrictions by finding a machine in another trusted domain.
Perhaps what you should actually be
13 matches