RE: [ActiveDir] systemFlags

2005-04-15 Thread joe



And clobbered again but offline this time by someone else 
who didn't even offer up a ;-). 
 
I feel obligated to say that anyone working around the 
"officially" correct mechanisms could jeopardize their entire forest. It is sort 
of like going out into the water 10 minutes after you ate a meatball sub, 
something bad "could" happen and in fact has happened to someone previously 
under some particular set of circumstances. It all depends on what things you 
are doing and how crazy you are getting with it. 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, April 14, 2005 10:31 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

See, I knew I would get clobbered. :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 8:43 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] systemFlags

You surprise me ... I thought we'd agreed that we were leaving even the
suggestion of such 'back-doors' alone ... bad Joe ;-)
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 



RE: [ActiveDir] systemFlags

2005-04-14 Thread joe



See, I knew I would get clobbered. :)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean Wells
Sent: Thursday, April 14, 2005 8:43 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] systemFlags

You surprise me ... I thought we'd agreed that we were leaving even the
suggestion of such 'back-doors' alone ... bad Joe ;-)
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 



RE: [ActiveDir] systemFlags

2005-04-14 Thread Dean Wells



You surprise me ... I thought we'd agreed that we were leaving even the
suggestion of such 'back-doors' alone ... bad Joe ;-)
--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com
 



RE: [ActiveDir] systemFlags

2005-04-14 Thread joe



[Thu 04/14/2005 20:16:01.31]F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
   Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
    0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

The directory itself is purposely throwing the error. The
DSID tells you exactly where in the source the error is being thrown from and
looking at the source it is because this attribute is reserved for update.

It is however, possible to update, I will not share
that mechanism as I may get clobbered for it. You can find the mechanism in
public archives though if you look carefully...

F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:22:06.03]F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:22:52.39]F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

1 Objects returned

[Thu 04/14/2005 20:23:01.32]F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags:-

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:23:29.92]F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:23:49.17]F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
   Extended Error: 20B1: AtrErr: DSID-030F0C06, #1:
    0: 20B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:24:02.09]F:\DEV\cpp\SecTok>

Consider it to be like the whole "trust us, someone who can
get interactive access on your DC can take over your forest" argument. Just
because one person doesn't know how to do it doesn't mean no one else does... If
you don't trust the people who are on your DCs, you are in a very very very bad
way.

Oh yeah, but does that disallow of the delete actually
work??

[Thu 04/14/2005 20:29:59.01]F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:30:17.96]F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

The answer is yes. Possibly that would be a good joeware
for sale item. ;oP

  joe


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Mayes
Sent: Saturday, April 09, 2005 12:21 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags


 
Suspend all sanity for a 
moment. I’m not wandering down the route of trusted and untrusted 
administr

RE: [ActiveDir] systemFlags

2005-04-11 Thread Mulnick, Al
You're just trying to understand it then?   Sanity is not my strong point
anyway :)

To change that, IIRC some can be set directly, while others need to be set
on the class etc. 


Looks like I munged the last post, so
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_systemflags.asp


Enjoy.


-ajm

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Paul Mayes
Sent: Saturday, April 09, 2005 12:21 PM
To: activedir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

 

Suspend all sanity for a moment. I'm not wandering down the route of trusted
and untrusted administrators, that's just how I arrived at this point.
Simply I'm just curious about the possibility of modifying systemFlags. If
you try through ldp or adsiedit you get errors general around the point that
it's a system attribute and you can't modify it. Now again make sure that
your sanity switch is set to 0 for this as people are now going to start
asking the question why and careful because you'll screw your AD. Well I'm
wearing asbestos underpants at this point and I quite like the idea of
breaking things in development. So trudging on  For the permissions I
can see that I have permissions to write the systemFlags attribute, but
nothing is letting me, which I agree is quite sensible as I could be any old
muppet. But what's getting in my way, the tools, the AD itself.
something special which is hidden under the bonnet? And how do you then get
around that, as I can buy a tool off the shelf that'll do it.

I've not yet attempted to write code to fiddle, that'll be when I'm bored
over the next few days.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 08, 2005 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

How'd you try to edit it?  And why do you let admins have rights if you
can't trust them?

 

<http://msdn.microsoft.com/library/default.asp?url=>

 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] systemFlags

2005-04-09 Thread Paul Mayes








 

Suspend all sanity for a
moment. I’m not wandering down the route of trusted and untrusted
administrators, that’s just how I arrived at this point. Simply I’m
just curious about the possibility of modifying systemFlags. If you try through
ldp or adsiedit you get errors general around the point that it’s a
system attribute and you can’t modify it. Now again make sure that your
sanity switch is set to 0 for this as people are now going to start asking the
question why and careful because you’ll screw your AD. Well I’m
wearing asbestos underpants at this point and I quite like the idea of breaking
things in development. So trudging on …. For the permissions I can see
that I have permissions to write the systemFlags attribute, but nothing is
letting me, which I agree is quite sensible as I could be any old muppet. But
what’s getting in my way, the tools, the AD itself….. something
special which is hidden under the bonnet? And how do you then get around that,
as I can buy a tool off the shelf that’ll do it.

I’ve not yet attempted
to write code to fiddle, that’ll be when I’m bored over the next
few days.

 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 08, 2005 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

How'd you try to edit it?  And why do
you let admins have rights if you can't trust them?

 

http://msdn.microsoft.com/library/default.asp?url=

 








RE: [ActiveDir] systemFlags

2005-04-08 Thread Isenhour, Joseph



Careful Al, do you really want to spin this discussion
up again?  The last time this came up I had to create a new .pst just for
that thread ;-)


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 08, 2005 9:13 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] systemFlags

How'd you try to edit it?  And why do you let admins
have rights if you can't trust them?

http://msdn.microsoft.com/library/default.asp?url=


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Friday, April 08, 2005 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] systemFlags

 
I want to prevent a collection of administrative users from deleting 
certain objects/containers etc now I could set up some more acl's on these 
objects or I suppose that I could wander off and buy a product off the shelf to 
offer that protection. But looking at it some of these products do some simple 
things within the directory.
 
So I had a quick dig and found that in theory I could modify the 
systemFlags on an object to protect it from deletion. Like the flags that are 
sat on the builtin container
 
 1> systemFlags: 0x8C00 = ( FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE );
 
Ahh but theory and practice become two different things. If you try and 
edit this attribute then pretty much every utility throws a wobbly. So now I'm 
curious... possibly a bad thing is there a way to actually modify the 
attribute?
 


RE: [ActiveDir] systemFlags

2005-04-08 Thread Mulnick, Al



How'd you try to edit it?  And why do you let admins 
have rights if you can't trust them?
 
http://msdn.microsoft.com/library/default.asp?url=


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Friday, April 08, 2005 10:03 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] systemFlags

 
I want to prevent a collection of administrative users from deleting 
certain objects/containers etc now I could set up some more acl's on these 
objects or I suppose that I could wander off and buy a product off the shelf to 
offer that protection. But looking at it some of these products do some simple 
things within the directory.
 
So I had a quick dig and found that in theory I could modify the 
systemFlags on an object to protect it from deletion. Like the flags that are 
sat on the builtin container
 
 1> systemFlags: 0x8C00 = ( FLAG_DISALLOW_DELETE | FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE );
 
Ahh but theory and practice become two different things. If you try and 
edit this attribute then pretty much every utility throws a wobbly. So now I'm 
curious... possibly a bad thing is there a way to actually modify the 
attribute?
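
Added example, not part of the original thread and not joeware or Microsoft code: a Python audit helper for the flags discussed above. It turns the signed value adfind prints (-2147483648 in the transcript) back into its bit pattern, names the bits, and lists objects that carry FLAG_DISALLOW_DELETE without being on an expected list. The bit values come from Microsoft's systemFlags schema documentation; the sample output, the expected-DN list and every function name are constructed for illustration.

```python
import re

# Object-level systemFlags bits, highest bit first (values per Microsoft's
# systemFlags schema documentation; three of the names appear in the thread).
SYSTEM_FLAGS = [
    (0x80000000, "FLAG_DISALLOW_DELETE"),
    (0x40000000, "FLAG_CONFIG_ALLOW_RENAME"),
    (0x20000000, "FLAG_CONFIG_ALLOW_MOVE"),
    (0x10000000, "FLAG_CONFIG_ALLOW_LIMITED_MOVE"),
    (0x08000000, "FLAG_DOMAIN_DISALLOW_RENAME"),
    (0x04000000, "FLAG_DOMAIN_DISALLOW_MOVE"),
    (0x02000000, "FLAG_DISALLOW_MOVE_ON_DELETE"),
]
KNOWN_MASK = sum(bit for bit, _ in SYSTEM_FLAGS)


def to_unsigned32(value):
    """systemFlags is a signed 32-bit integer on the wire; recover the bits."""
    if not -0x80000000 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    return value & 0xFFFFFFFF


def decode_system_flags(value):
    """Return (flag names, bits not covered by the table above)."""
    bits = to_unsigned32(value)
    names = [name for bit, name in SYSTEM_FLAGS if bits & bit]
    return names, bits & ~KNOWN_MASK


_ATTR = re.compile(r"^>systemFlags:\s*(-?\d+)$", re.IGNORECASE)


def parse_adfind(text):
    """Map each 'dn:' line to its systemFlags value (None when unset)."""
    result, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("dn:"):
            current = line[3:].strip()
            result[current] = None
        elif current is not None:
            match = _ATTR.match(line)
            if match:
                result[current] = int(match.group(1))
    return result


def unexpected_delete_protection(text, expected_dns):
    """Objects with FLAG_DISALLOW_DELETE set that are not expected to have it."""
    expected = {dn.lower() for dn in expected_dns}
    findings = []
    for dn, value in parse_adfind(text).items():
        if value is None:
            continue
        names, _ = decode_system_flags(value)
        if "FLAG_DISALLOW_DELETE" in names and dn.lower() not in expected:
            findings.append((dn, f"0x{to_unsigned32(value):08X}", names))
    return findings


# Constructed sample in the adfind layout shown in the thread. The Builtin
# value is the three flags named in the thread ORed together, printed signed.
SAMPLE = """\
Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com

dn:CN=Builtin,DC=joe,DC=com
>systemFlags: -1946157056

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

dn:OU=TestOU,DC=joe,DC=com
"""
EXPECTED = ["CN=Builtin,DC=joe,DC=com"]  # hypothetical baseline of protected DNs

if __name__ == "__main__":
    for dn, hexval, names in unexpected_delete_protection(SAMPLE, EXPECTED):
        print(f"{dn}: systemFlags {hexval} = {' | '.join(names)}")
```
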