RE: [ActiveDir] Hidden objects
What type of object? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, August 16, 2005 10:23 AM To: activedirectory Subject: [ActiveDir] Hidden objects Is there anyway to tell if someone hid an object(s) in AD from a DA? dSHeurstics attrib doesn't have a value set. Does that mean no? After using dscals, it seems Authenticated users have list contents on every object in AD that I checked. Based on these 2 things, is it pretty safe to assume nothing is probably hidden? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Hidden objects
Well on reflection, the answer to this regardless of objecttype would be to run an enumeration routing as localsystem and as the admin ID you want to find things that may be hidden from and then compare the results. If the object is a user or group you could try using the NET API to see if lets you see it where the LDAP calls won't. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, August 21, 2005 1:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Hidden objects What type of object? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, August 16, 2005 10:23 AM To: activedirectory Subject: [ActiveDir] Hidden objects Is there anyway to tell if someone hid an object(s) in AD from a DA? dSHeurstics attrib doesn't have a value set. Does that mean no? After using dscals, it seems Authenticated users have list contents on every object in AD that I checked. Based on these 2 things, is it pretty safe to assume nothing is probably hidden? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Hidden objects
Actually better would probably be dumpDatabase. ~Eric -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, August 21, 2005 11:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Hidden objects Well on reflection, the answer to this regardless of objecttype would be to run an enumeration routing as localsystem and as the admin ID you want to find things that may be hidden from and then compare the results. If the object is a user or group you could try using the NET API to see if lets you see it where the LDAP calls won't. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Sunday, August 21, 2005 1:48 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Hidden objects What type of object? -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, August 16, 2005 10:23 AM To: activedirectory Subject: [ActiveDir] Hidden objects Is there anyway to tell if someone hid an object(s) in AD from a DA? dSHeurstics attrib doesn't have a value set. Does that mean no? After using dscals, it seems Authenticated users have list contents on every object in AD that I checked. Based on these 2 things, is it pretty safe to assume nothing is probably hidden? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Hidden objects
It dSHeuristics is not set, the directory will behave per its defaults. Default behavior does NOT include a means to completely abstract an object from _anybody's_ view (not just an admins.). However, it can be achieved in a roundabout fashion if the user in question does NOT have permission sufficient to navigate through the hidden object's parent hierarchy ... if this is the case, an object within a containment item of some kind to which you do not have permission will effectively be hidden until such time as you restore permission to the parent(s). -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, August 16, 2005 10:23 AM To: activedirectory Subject: [ActiveDir] Hidden objects Is there anyway to tell if someone hid an object(s) in AD from a DA? dSHeurstics attrib doesn't have a value set. Does that mean no? After using dscals, it seems Authenticated users have list contents on every object in AD that I checked. Based on these 2 things, is it pretty safe to assume nothing is probably hidden? thanks List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
