RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-17 Thread Sakari Kouti
Yes, exactly as joe wrote, this was a terminology thing. In my language, the base schema includes all the classes and attributes that ship with the OS, and in ~Eric's language, the base schema includes only those that are specifically marked as Category 1 (to have several protections). And

RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-13 Thread joe
I think it is a terminology thing. I would guess that Sakari is considering anything shipped in the base product to be base schema. Of course your definition should match perfectly because the underlying code should be that it tests that flag and if it matches it won't allow the update.

RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-12 Thread Sakari Kouti
Hi Brett and ~Eric, Thanks for your comments on my confidential attribute post. Now I solved how to set the confidentiality in a way where unnecessary permissions are not granted. Brett wrote: A) Small note, 0xF is 15 decimal and is equivalent to 4 bits set (0b) Thanks for catching

RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-12 Thread Eric Fleischman
~Eric wrote: We actually block all base schema elements if I remember correctly. No you don't. Of the 1070 base schema attributes, you only block the 1007 ones that are marked as category 1. The remaining 63 attributes, such as msDS-ExternalKey, are not marked and therefore don't have this

RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-12 Thread Eric Fleischman
For clarity, this is the flag I'm making reference to: 1 systemFlags: 0x10 = ( FLAG_SCHEMA_BASE_OBJECT ); If that is set on a schema element, my contention is that on an SP1 DC it should not allow you to set the confidential bit. Show me a counterexample please. ~Eric -Original

Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-10 Thread Sakari Kouti
About confidential attributes in SP1: When you set an attribute to be confidential, mere read permission is no longer enough for you to see the attribute value. HOW TO ENABLE - Select the attribute to be set as confidential. Category 1 attributes are not possible to select, which rules most

Re: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-10 Thread Brett Shirley
First off I don't really know security, so I'm like 43% confident in the accuracy of what I'm about to say ... Two things: A) Small note, 0xF is 15 decimal and is equivalent to 4 bits set (0b), you either meant 0x10 (16 decimal) or 0x8 (8 decimal) probably. Really you should understand

RE: Confidential Attributes (was RE: [ActiveDir] Who was asking for a list of SP1 changes? I think it was this DL......)

2005-07-10 Thread Eric Fleischman
Sadly, a misstep on the part of our friendly garage door operator. use the ldp.exe from the %windir%\ADAM directory The LDP required for this is the LDP in R2's ADAM, not in the currently shipping one. Sorry. We can send this to you if you need it now, or just fetch it out of the R2 beta