RE: Determining query rights.
From: gordonah (gordonah_at_discussions.microsoft.com)
Date: 12/01/04
- Next message: Steve: "dsadd computer assistance"
- Previous message: Lee Flight: "Re: ADAM: Changing Directory name after install of ADAM"
- In reply to: WS: "Determining query rights."
- Next in thread: WS: "Re: Determining query rights."
- Reply: WS: "Re: Determining query rights."
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 1 Dec 2004 04:29:01 -0800
WS
Further to Glenn's answer, you can check the rights an object has over the
domain using the effective rights tool.
If in AD Users and Computers (must be W2K3 version) you right-click on
domain and select Properties, Security, Advanced, Effective Permissions, you
can then choose an object and determine its permission from the domain
downwards (assuming nothing interferes with standard hierarchical inheritance).
To query objects I think the rights List contents, Read all properties and
Read permissions are required, as per membership of the Pre-W2K compatible
group.
These are quite extensive rights over a whole domain, but can be set for
particular OU structures or object types only.
Gordon
"WS" wrote:
> I've been asked to check that a particular account in AD can query AD
> itself. How can I determine this, and if it cannot query, then how do you
> give it permissions to do so?
>
> Thanks.
>
>
>
>
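The same check done offline against an exported security descriptor, as an added example that is not part of the original post: it evaluates the DACL of an SDDL string in order for a set of SIDs and reports the three rights named in the reply. The SDDL, the account SIDs, the GUID and all function names are constructed for illustration; the caller supplies the account's group SIDs, and property-scoped ACEs are ignored as a simplification.

```python
import re

# SDDL right codes -> access-mask bits; GR/GA use AD's generic mapping.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GR": 0x20094, "GA": 0xF01FF}
# The three rights named in the post.
NEEDED = {"List contents": 0x4, "Read all properties": 0x10,
          "Read permissions": 0x20000}

def pairs(field):
    """Split an SDDL field into its two-letter codes ('CIIO' -> ['CI', 'IO'])."""
    return [field[i:i + 2] for i in range(0, len(field), 2)]

def mask_of(rights):
    """Turn a rights field ('LCRPRC' or '0x20014') into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in pairs(rights):
        mask |= RIGHTS.get(code, 0)
    return mask

def query_rights(sddl, token_sids):
    """Walk the DACL in order, as an access check does; report the three rights."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    granted = denied = 0
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1) if dacl else ""):
        kind, flags, rights, obj_guid, _inh_guid, sid = ace.split(";")[:6]
        # Skip other trustees, inherit-only ACEs (they do not apply to this
        # object) and ACEs scoped by GUID to one property or class
        # (a simplification: they never amount to "all properties").
        if sid not in token_sids or "IO" in pairs(flags) or obj_guid:
            continue
        if kind in ("A", "OA"):
            granted |= mask_of(rights) & ~denied  # first matching ACE wins per bit
        elif kind in ("D", "OD"):
            denied |= mask_of(rights) & ~granted
    return {name: bool(granted & bit) for name, bit in NEEDED.items()}

# Constructed sample: SIDs ending -1105/-1106 and the GUID are made up;
# S-1-5-32-554 is Pre-Windows 2000 Compatible Access, S-1-5-11 Authenticated Users.
DOM = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_SDDL = ("O:S-1-5-32-544G:S-1-5-32-544D:AI"
               f"(D;;RC;;;{DOM}-1105)"
               "(A;;LCRPLORC;;;S-1-5-32-554)"
               "(A;CIIO;LCRPRC;;;S-1-5-11)"
               "(OA;CI;RP;00000000-0000-0000-0000-000000000001;;S-1-5-11)")

if __name__ == "__main__":
    for rid in ("1105", "1106"):
        print(rid, query_rights(SAMPLE_SDDL, {f"{DOM}-{rid}", "S-1-5-32-554"}))
```

In the sample, the account ending -1105 gets List contents and Read all properties through the group but loses Read permissions to the explicit deny that precedes the allow.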