RE: [ActiveDir] Importing IPSEC Policies into an OU

2004-04-15 Thread Mika Seitsonen
All Active Directory based IPSec policies are stored as ipsecPolicy objects in CN=IP Security,CN=System,DC=. If you decide to assign one of these policies to the GPO, a link is created and stored within the GPO as the ipsecOwnersReference attribute of the ipsecPolicy object in CN=IPSEC,CN=Windows,C

[ActiveDir] Controlling access to AD based on the network technology used

2004-11-22 Thread Mika Seitsonen
Any ideas on how to control access to data based on network technology that is used to access AD? I.e. if the user is on the LAN versus when she is accessing the directory via VPN/dial-up or Web. She should have different level/authority to view and modify data stored in the AD when being a

RE: [ActiveDir] Controlling access to AD based on the network technology used

2004-11-22 Thread Mika Seitsonen
same applications? Information like that would be useful here. Al -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen Sent: Monday, November 22, 2004 2:51 PM To: [EMAIL PROTECTED] Subject: [ActiveDir] Controlling access to AD based on the

[ActiveDir] List object mode

2004-12-12 Thread Mika Seitsonen
I haven't found too many comments discussing the use of list object mode in production environments. Anybody care to share their experiences when enabling the list object mode? Has it affected applications running on top of AD such as Exchange & SMS? Thanks in advance Mika

RE: [ActiveDir] List object mode

2004-12-15 Thread Mika Seitsonen
Why? Wouldn't some kind of "directory traversal" permission be necessary? Or can search "skip" some levels?   Mika   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen Sent: 16. joulukuuta 2004 0:53 To: [EMAIL PROTECTED] Subject: RE: [

RE: [ActiveDir] List object mode

2004-12-15 Thread Mika Seitsonen
ool - if there's a business case (i.e. need to restrict what people can see in AD), then it makes sense, otherwise it doesn't.   /Guido   From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mika Seitsonen Sent: Sunday, December 12, 2004 6:16 PM To: [EMAIL PROTECTED] Subject:

RE: [ActiveDir] Speaking of DAs...GP link Date

2005-03-10 Thread Mika Seitsonen
In addition to Joe's and Darren's suggestions, you could just check security logs. By default (in WS03, I don't have a W2k environment running at the moment), there are two ACEs (inheritable to OUs) in the SACL for the domain object: Ace[0] Ace Type: 0x7 - SYSTEM_AUDIT_OBJ