RE: [ActiveDir] VBScript Container Security

2006-09-18 Thread Joe McNicholas
Thanks Matt - that was the document I referenced in my original question 
though.  I'm trying to achieve the steps via a scripted approach.  

Thanks to all who have helped so far.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: 17 September 2006 21:05
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] VBScript Container Security

Try starting with this document...one of the preferred methods is to create the 
System container and manually assign permissions to it...

http://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true


Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



Joe McNicholas [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
15/09/2006 09:53 p.m.
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] VBScript Container Security

I'm trying to create and secure the LDAP://cn=System 
Management,cn=System,dc=mydomain,dc=com container, as required for SMS[1].

I'm able to create the container successfully, but haven't found any examples 
of how to assign security to an OU or Container in the AD.  MS Script Centre 
and a quick google have come up blank, can anyone point me to any examples?

Thanks
Joe

[1] Ref:
https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true



List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] VBScript Container Security

2006-09-17 Thread Matt . Duguid
Try starting with this document...one of the preferred methods is to create
the System container and manually assign permissions to it...

http://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true


Matt Duguid
Systems Engineer for Identity Services
Department of Internal Affairs

Phone: +64 4 4748028 (wellington)
Mobile: +64 21 1713290
Fax: +64 4 4748894
Address: Level 4, 47 Boulcott Street, Wellington CBD
E-mail: [EMAIL PROTECTED]
Web: http://www.dia.govt.nz/



Joe McNicholas [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
15/09/2006 09:53 p.m.
Please respond to ActiveDir

To: ActiveDir@mail.activedir.org
cc:
Subject: [ActiveDir] VBScript Container Security

I'm trying to create and secure the LDAP://cn=System
Management,cn=System,dc=mydomain,dc=com container, as required for SMS[1].

I'm able to create the container successfully, but haven't found any
examples of how to assign security to an OU or Container in the AD.  MS
Script Centre and a quick google have come up blank, can anyone point me to
any examples?

Thanks
Joe

[1] Ref:
https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true





Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread Paul Williams

I can't point you at any examples, but most of the documentation I read and
from what MSFT people said at conferences, reckons you should grant full
control to the group for SMS servers on that container. That's horse sh!t -
you need to grant create and delete of each of the MS SMS object types and
full control over those object types, and that's it.

When I designed a couple of k3 SMS installations last year I used a DLG
called SMS Servers and GGs called Primary SMS and Secondary SMS and nested
the GGs into the DLG which was granted the permissions. You can then get
specific for primary and secondary servers in some cases, or grant all via
the DLG.

I'm afraid I can't remember the names of the classes, so can't give you the
ldapDisplayName's of the object type in question. But they're easy to find,
they should be prefixed with mS-SMS or something like that.

Note also that the advanced clients search on objectClass instead of
objectCategory, so if you haven't already, you need to index objectClass.


--Paul

  ----- Original Message -----
  From: Joe McNicholas
  To: ActiveDir@mail.activedir.org
  Sent: Friday, September 15, 2006 10:53 AM
  Subject: [ActiveDir] VBScript Container Security

  I'm trying to create and secure the "LDAP://cn=System
  Management,cn=System,dc=mydomain,dc=com" container, as required for
  SMS[1].

  I'm able to create the container successfully, but haven't found any
  examples of how to assign security to an OU or Container in the AD. MS
  Script Centre and a quick google have come up blank, can anyone point me
  to any examples?

  Thanks Joe

  [1] Ref: https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true


Re: [ActiveDir] VBScript Container Security

2006-09-15 Thread A P
Here is a link to a script written in Jscript that may give you some ideas.

http://calnetad.berkeley.edu/documentation/scripts/index.html#ousetup

This script creates an OU and adds an ACE for delegating rights to the OU. 

Regards,

Arden
On 9/15/06, Paul Williams [EMAIL PROTECTED] wrote:



I can't point you at any examples, but most of the documentation I read and from what MSFT people said at conferences, reckons you should grant full control to the group for SMS servers on that container. That's horse sh!t -you need to grant create and delete of each of the MS SMS object types and full control over those object types, and that's it.


When I designed a couple of k3 SMS installations last year I used a DLG called SMS Servers and GGs called Primary SMS and Secondary SMS and nested the GGs into the DLG which was granted the permissions. You can then get specific for primary and secondary servers in some cases, or grant all via the DLG.


I'm afraid I can't remember the names of the classes, so can't give you the ldapDisplayName's of the object type in question. But they're easy to find, they should be prefixed with mS-SMS or something like that.


Note also that the advanced clients search on objectClass instead of objectCategory, so if you haven't already, you need to index objectClass.



--Paul



----- Original Message -----
From: Joe McNicholas
To: ActiveDir@mail.activedir.org
Sent: Friday, September 15, 2006 10:53 AM
Subject: [ActiveDir] VBScript Container Security


I'm trying to create and secure the LDAP://cn=System Management,cn=System,dc=mydomain,dc=com container, as required for SMS[1].
I'm able to create the container successfully, but haven't found any examples of how to assign security to an OU or Container in the AD. MS Script Centre and a quick google have come up blank, can anyone point me to any examples?

Thanks Joe 
[1] Ref: 
https://www.microsoft.com/technet/prodtechnol/sms/smssp2/spsecurity/3df7a6e2-e173-4def-a81a-5bd90fbbf9d8.mspx?mfr=true
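
Added example (not part of the original thread and not code from any of the posters): a VBScript version of the delegation Paul Williams describes, granting create/delete of each SMS class on the container plus full control over objects of those classes only, instead of full control on the container. Assumptions: the group name MYDOMAIN\SMS Servers, and that the SMS classes can be found in the schema by a cn starting with MS-SMS- (Paul's "mS-SMS or something like that"); check both against your own domain and schema before running.

```vbscript
Option Explicit
' Added example. SMS_GROUP and the MS-SMS- class-name prefix are assumptions.
Const SMS_GROUP = "MYDOMAIN\SMS Servers"
Const ADS_RIGHT_DS_CREATE_CHILD = &H1
Const ADS_RIGHT_DS_DELETE_CHILD = &H2
Const ADS_RIGHT_GENERIC_ALL = &H10000000
Const ADS_ACETYPE_ACCESS_ALLOWED_OBJECT = &H5
Const ADS_FLAG_OBJECT_TYPE_PRESENT = &H1
Const ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT = &H2
Const ADS_ACEFLAG_INHERIT_ACE = &H2
Const ADS_ACEFLAG_INHERIT_ONLY_ACE = &H8

Dim objRoot, objCont, objSD, objDacl, objConn, objRS, strGuid
Set objRoot = GetObject("LDAP://RootDSE")
Set objCont = GetObject("LDAP://CN=System Management,CN=System," & objRoot.Get("defaultNamingContext"))
Set objSD = objCont.Get("ntSecurityDescriptor")
Set objDacl = objSD.DiscretionaryAcl

' Look up the SMS classes and their schemaIDGUIDs in the schema partition.
Set objConn = CreateObject("ADODB.Connection")
objConn.Open "Provider=ADsDSOObject;"
Set objRS = objConn.Execute("<LDAP://" & objRoot.Get("schemaNamingContext") & ">;(&(objectClass=classSchema)(cn=MS-SMS-*));lDAPDisplayName,schemaIDGUID;onelevel")
If objRS.EOF Then WScript.Echo "No MS-SMS-* classes found; DACL left unchanged" : WScript.Quit 1
Do Until objRS.EOF
    strGuid = GuidString(objRS.Fields("schemaIDGUID").Value)
    ' Create/delete child objects of this class, on the container itself.
    objDacl.AddAce NewAce(ADS_RIGHT_DS_CREATE_CHILD Or ADS_RIGHT_DS_DELETE_CHILD, 0, ADS_FLAG_OBJECT_TYPE_PRESENT, strGuid)
    ' Full control, inherited only by descendant objects of this class.
    objDacl.AddAce NewAce(ADS_RIGHT_GENERIC_ALL, ADS_ACEFLAG_INHERIT_ACE Or ADS_ACEFLAG_INHERIT_ONLY_ACE, ADS_FLAG_INHERITED_OBJECT_TYPE_PRESENT, strGuid)
    WScript.Echo "Delegated " & objRS.Fields("lDAPDisplayName").Value & " " & strGuid
    objRS.MoveNext
Loop
objSD.DiscretionaryAcl = objDacl
objCont.Put "ntSecurityDescriptor", Array(objSD)
objCont.SetInfo

Function NewAce(lngMask, lngAceFlags, lngFlags, strClassGuid)
    Dim objAce : Set objAce = CreateObject("AccessControlEntry")
    objAce.Trustee = SMS_GROUP
    objAce.AceType = ADS_ACETYPE_ACCESS_ALLOWED_OBJECT
    objAce.AccessMask = lngMask
    objAce.AceFlags = lngAceFlags
    objAce.Flags = lngFlags
    If lngFlags = ADS_FLAG_OBJECT_TYPE_PRESENT Then objAce.ObjectType = strClassGuid Else objAce.InheritedObjectType = strClassGuid
    Set NewAce = objAce
End Function

Function GuidString(bytes)  ' octet string -> {GUID}; first three fields are stored little-endian
    Dim i, h : h = ""
    For i = 1 To LenB(bytes) : h = h & Right("0" & Hex(AscB(MidB(bytes, i, 1))), 2) : Next
    GuidString = "{" & Mid(h, 7, 2) & Mid(h, 5, 2) & Mid(h, 3, 2) & Mid(h, 1, 2) & "-" & Mid(h, 11, 2) & Mid(h, 9, 2) & "-" & Mid(h, 15, 2) & Mid(h, 13, 2) & "-" & Mid(h, 17, 4) & "-" & Mid(h, 21, 12) & "}"
End Function
```

Run it with cscript under an account allowed to modify permissions on the container; the Echo lines list each class that was delegated.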