RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain,

We set the revision level in the security descriptor in the meta code. And it indeed works fine. Thanks for all your time and guidance. This has indeed come out to be a product defect.

Thanks again,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Rebuild because the revision required is not set. When building a security descriptor under Windows, you are building an object containing ACE (DACL and SACL). Doing this on Windows is easy as we have the APIs for it (Win32, ADSI, WMI, etc.). Under Unix, manipulating an SDDL string to construct the security descriptor is another story, as we don't have the API to build the MS security descriptor... but I'm pretty sure that your problem comes from the fact that the revision level is not set properly.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 8:15 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

For solving this error, Microsoft says, rebuild security object. What does this imply? And how can I rebuild the security object? Any help would be beneficial.

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 2:36 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi Alain,

This error is being returned by the meta directory server. For which I don't have the access to code. At the most I can find the reason and try to eliminate it. I would be just converting the binary SID to text transformation and give it to the Meta directory for settings. Any idea why this would be caused?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Friday, August 12, 2005 12:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Have you been checking the script sample I gave in the attached mail? It shows the value required for the revision level. ADS_ACL_REVISION_DS is set to 4.

    objDACL.AclRevision = ADS_ACL_REVISION_DS

    ' "Self" Trustee
    Set objACE = CreateObject("AccessControlEntry")
    objACE.Trustee = "Self"
    objACE.AceType = ADS_ACETYPE_ACCESS_ALLOWED
    objACE.AccessMask = E2K_MB_READ_PERMISSIONS Or _
                        E2K_MB_FULL_MB_ACCESS Or _
                        E2K_MB_SEND_AS
    objACE.AceFlags = ADS_ACEFLAG_INHERIT_ACE
    objDACL.AddAce objACE
    Set objACE = Nothing

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 4:59 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown

Hi,

I tried setting the msexchmailboxsecuritydescriptor attribute. But I am facing an error "the revision level is unknown". Any known issue you know that might be causing this?

Thanks,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Hi All,

Found a Perl function in laman.pm which converts sid to string:

    sub SidToString {
        # Byte 0 is the SID revision; only revision 1 is accepted.
        return undef unless unpack("C", substr($_[0], 0, 1)) == 1;
        # Byte 1 is the sub-authority count; total length is 8 + 4 * count.
        return undef unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1, 1));
        my $sid_str = "S-1-";
        # Identifier authority is big-endian; only its low four bytes (4..7) are read.
        $sid_str .= (unpack("C", substr($_[0], 7, 1))
                  + (unpack("C", substr($_[0], 6, 1)) << 8)
                  + (unpack("C", substr($_[0], 5, 1)) << 16)
                  + (unpack("C", substr($_[0], 4, 1)) << 24));
        # Sub-authorities are 32-bit little-endian, so unpack with "V"; "I" is
        # native byte order and misreads them on a big-endian host such as HP-UX.
        for my $loop (0 .. unpack("C", substr($_[0], 1, 1)) - 1) {
            $sid_str .= "-" . unpack("V", substr($_[0], 4 * $loop + 8, 4));
        }
        return $sid_str;
    }

Hope this will do the job. What all will be required to do the job, setting mailboxsecurity description and masteraccountsid is enough? Or do I also need something else?

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Thanks for the pointer. Also does anyone know any Perl module which converts the binary sid to text sid? The win32 module won't work because the script will be invoked from HP-UX.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Great! You're welcome!
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain / All,

So will this mean that there is no problem with the descriptor that I am setting? Should it be a problem with the Meta directory code? All I can do is try to build the descriptor. But the job of setting it is done by the Meta directory agent code. I tried a sample VBScript available on the Microsoft site for doing this from the same machine and it worked fine. Is there any converter that would convert the string security descriptor to text one, so that I can create a binary value beforehand and feed it to the meta directory?

Regards,
Mayuresh.
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi,

I tried setting the msexchmailboxsecuritydescriptor attribute. But I am facing an error "the revision level is unknown". Any known issue you know that might be causing this?

Thanks,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Friday, August 12, 2005 6:32 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Hi All,

Found a Perl function in laman.pm which converts sid to string:

    sub SidToString {
        # Byte 0 is the SID revision; only revision 1 is accepted.
        return undef unless unpack("C", substr($_[0], 0, 1)) == 1;
        # Byte 1 is the sub-authority count; total length is 8 + 4 * count.
        return undef unless length($_[0]) == 8 + 4 * unpack("C", substr($_[0], 1, 1));
        my $sid_str = "S-1-";
        # Identifier authority is big-endian; only its low four bytes (4..7) are read.
        $sid_str .= (unpack("C", substr($_[0], 7, 1))
                  + (unpack("C", substr($_[0], 6, 1)) << 8)
                  + (unpack("C", substr($_[0], 5, 1)) << 16)
                  + (unpack("C", substr($_[0], 4, 1)) << 24));
        # Sub-authorities are 32-bit little-endian, so unpack with "V"; "I" is
        # native byte order and misreads them on a big-endian host such as HP-UX.
        for my $loop (0 .. unpack("C", substr($_[0], 1, 1)) - 1) {
            $sid_str .= "-" . unpack("V", substr($_[0], 4 * $loop + 8, 4));
        }
        return $sid_str;
    }

Hope this will do the job. What all will be required to do the job, setting mailboxsecurity description and masteraccountsid is enough? Or do I also need something else?

Thanks,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 7:55 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Thanks for the pointer. Also does anyone know any Perl module which converts the binary sid to text sid? The win32 module won't work because the script will be invoked from HP-UX.

Regards,
Mayuresh.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 11, 2005 3:39 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);

In the example above, you have a classic output that contains SDDL (Security Descriptor Definition Language).

O:sid is the SID of the owner
G:sid is the SID of the group
D: is a DACL

I'll let you look over the rest and determine what you have in your strings.

http://msdn.microsoft.com/library/default.asp?url=

Rick

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 11:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Using a newer version of ldp I could gather the following things. The mailbox users have the following attribute set:

usert - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370);
ZZZFFF - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2372);
ZZZGGG - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSDRC;;;S-1-5-21-3308934242-2785796821-2776977491-2368);
ZZZJJJ - O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)(A;CI;CCLCSD;;;S-1-5-21-3308934242-2785796821-2776977491-2369);

O:S-1-5-21-2527121305-4244181741-3459546813-500G:S-1-5-21-2527121305-4244181741-3459546813-500D:(A;CI;CCDCRC;;;PS)

This part was common for all entries. S-1-5-21-3308934242-2785796821-2776977491- is the objectSID for the object in the other domain to whom I want to give permissions. Also the attribute msExchMasterAccountSid is set to the value of object sid. But this part *** (A;CI;CCLCRC;;; *** before the objectsid differs in some entries. What are all these fields? How can I find out these values programmatically and make a single attribute value which I can then give to the meta directory for setting?

Regards,
Mayuresh

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mayuresh Kshirsagar
Sent: Thursday, August 11, 2005 3:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] MailBox permissioning

Yes. But I want to do it using scripting + Meta directory server. The steps I understand until now are:

- give appropriate permissions in the security tab to the user in different domain.
- give appropriate permissions in the Mailbox right.

Since my Meta directory server is on HP-UX, I can't employ a VBScript to do this. Can there be other ways? I understand that I would have to set the msexchmailboxsecuritydescriptor attribute. How can I generate a binary value for this using a Perl script, so that I can give this value to the meta dir to process and set in the exchange entry?

From: [EMAIL PROTECTED] [mailto:[EMAIL
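The two questions this thread keeps returning to, how to turn an SDDL string into a binary value without the Windows APIs and where the revision level sits in that value, are shown together in the following added example, which is not code from any poster or from Microsoft and is written in Python rather than the thread's Perl. It packs one of the SDDL strings posted above into the standard self-relative security descriptor layout and then checks the two revision bytes. Assumptions: only the SDDL subset seen in the thread is handled (O:, G:, D:, allow/deny ACEs without object GUIDs, the PS alias), all function names are hypothetical, and the thread does not confirm which byte the meta directory agent was failing on.

```python
import re
import struct

SD_REVISION = 1        # revision byte of the security descriptor header
ACL_REVISION_DS = 4    # the ADS_ACL_REVISION_DS value quoted in the thread
SE_DACL_PRESENT, SE_SELF_RELATIVE = 0x0004, 0x8000
ACE_TYPES = {"A": 0x00, "D": 0x01}
ACE_FLAGS = {"OI": 0x01, "CI": 0x02, "NP": 0x04, "IO": 0x08, "ID": 0x10}
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000}
SID_ALIASES = {"PS": "S-1-5-10"}  # Principal Self; other aliases not handled

# One of the attribute values posted in the thread (trailing ";" dropped).
SAMPLE_SDDL = ("O:S-1-5-21-2527121305-4244181741-3459546813-500"
               "G:S-1-5-21-2527121305-4244181741-3459546813-500"
               "D:(A;CI;CCDCRC;;;PS)"
               "(A;CI;CCLCRC;;;S-1-5-21-3308934242-2785796821-2776977491-2370)")


def sid_to_bytes(sid):
    """Pack revision, count, 6-byte big-endian authority, LE sub-authorities."""
    parts = SID_ALIASES.get(sid, sid).split("-")
    if parts[0] != "S" or len(parts) < 3:
        raise ValueError("not a SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def or_codes(codes, table):
    """OR together two-letter SDDL codes, e.g. "CCDCRC" -> CC | DC | RC."""
    value = 0
    for i in range(0, len(codes), 2):
        value |= table[codes[i:i + 2]]
    return value


def ace_to_bytes(ace):
    """Pack one "type;flags;rights;object;inherit-object;trustee" ACE string."""
    ace_type, flags, rights, obj, inherit_obj, trustee = ace.split(";")
    if obj or inherit_obj:
        raise ValueError("object ACEs are outside this example")
    body = struct.pack("<I", or_codes(rights, RIGHTS)) + sid_to_bytes(trustee)
    return struct.pack("<BBH", ACE_TYPES[ace_type], or_codes(flags, ACE_FLAGS),
                       4 + len(body)) + body


def sddl_to_sd(sddl, acl_revision=ACL_REVISION_DS):
    """Build a self-relative descriptor from an O:/G:/D: SDDL string."""
    m = re.fullmatch(r"O:(S-[\d-]+)G:(S-[\d-]+)D:((?:\([^)]*\))+)", sddl)
    if not m:
        raise ValueError("unsupported SDDL")
    owner, group = sid_to_bytes(m.group(1)), sid_to_bytes(m.group(2))
    aces = [ace_to_bytes(a) for a in re.findall(r"\(([^)]*)\)", m.group(3))]
    dacl = struct.pack("<BBHHH", acl_revision, 0, 8 + sum(map(len, aces)),
                       len(aces), 0) + b"".join(aces)
    off_group = 20 + len(owner)
    header = struct.pack("<BBHIIII", SD_REVISION, 0,
                         SE_DACL_PRESENT | SE_SELF_RELATIVE,
                         20, off_group, 0, off_group + len(group))
    return header + owner + group + dacl


def check_revisions(sd):
    """Return a list of revision problems found in a binary descriptor."""
    if len(sd) < 20:
        return ["shorter than the 20-byte header"]
    rev, _, control, _, _, _, off_dacl = struct.unpack_from("<BBHIIII", sd)
    problems = [] if rev == SD_REVISION else ["descriptor revision %d" % rev]
    if control & SE_DACL_PRESENT and off_dacl:
        if off_dacl + 8 > len(sd):
            problems.append("DACL offset past end of buffer")
        elif sd[off_dacl] not in (2, ACL_REVISION_DS):
            problems.append("DACL AclRevision %d" % sd[off_dacl])
    return problems


if __name__ == "__main__":
    sd = sddl_to_sd(SAMPLE_SDDL)
    print(len(sd), sd.hex())
    print(check_revisions(sd), check_revisions(sddl_to_sd(SAMPLE_SDDL, 0)))
```

Running `check_revisions` on a value before handing it to another system separates a malformed descriptor from a fault in the code that writes it.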
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Hi Alain,

This error is being returned by the meta directory server. For which I don't have the access to code. At the most I can find the reason and try to eliminate it. I would be just converting the binary SID to text transformation and give it to the Meta directory for settings. Any idea why this would be caused?

Regards,
Mayuresh
RE: [ActiveDir] MailBox permissioning - Error - the revision level is unknown
Rebuild because the revision required is not set. When building a security descriptor under Windows, you are building an object containing ACE (DACL and SACL). Doing this on Windows is easy as we have the APIs for it (Win32, ADSI, WMI, etc.). Under Unix, manipulating an SDDL string to construct the security descriptor is another story, as we don't have the API to build the MS security descriptor... but I'm pretty sure that your problem comes from the fact that the revision level is not set properly.