Re: Export schema

From: Danny Cooper (danny.cooper_at_bbc.co.uk)
Date: 12/14/04


Date: Tue, 14 Dec 2004 15:25:38 +0000


Thanks for the further help.

The link given does offer some valuable background (and this area of
schema extensions seems to be pretty much completely undocumented to
me), but examples are via programming (which hides much of what is
really going on). I'm trying to do this from an LDIF file.

Following examples and the like, specifying an attributeSecurityGuid
with the attribute I want to set default security on, and then trying
to set the security from a defaultSecurityDescriptor line in the
class definition (which is referring to the attribute security GUID in
the SDDL string) gets me the class having something like the security
I'm trying to set, not the attribute. And then I can't figure out the
following:

- how to get it to not change the security on the class, when the SDDL
string is referring to an attribute

- how to turn off parent security inheritance (or is this what the P
in D:P(... does, which I've seen in Microsoft LDIF files but can't see
documented anywhere?)

- how to use the directory permission settings listed to control a
single property, rather than all properties as they claim in documents

- understand why nTSecurityDescriptor doesn't show me any of the
changes I make that I can see in the Schema MMC snap-in - even when
I'm adding new ACEs - but instantiating a new object does get the new
ACE applied

Thanks for all your help but I think I'm going to have to give up on
this until it gets better documented.

Danny.

On Fri, 10 Dec 2004 20:07:04 -0000, "Lee Flight" <lef@le.ac.uk-nospam>
wrote:

>Inline below....
>
>"Danny Cooper" <danny.cooper@bbc.co.uk> wrote in message
>news:00djr09u7bsuu9nleqq3alk728c4ee42d5@4ax.com...
>
>> What I want to do is have a different default security on an attribute
>> of a class than the class itself. As far as I can tell the Schema MMC
>> snap-in only allows setting default security on classes, not
>> attributes. If I use ADSI Edit then although I can see a Security tab
>> on both classes and attributes, making changes here (for a class) does
>> not get picked up by the Schema MMC snap-in. What is ADSI Edit
>> setting, and how can I set a new and different default security on an
>> attribute?
>
>The security UI in ADSIedit is showing you the nTSecurityDescriptor
>on the attributeSchema and classSchema objects themselves; basically
>it's the security of the schema objects (mainly inherited from the schema
>partition head and the defaultSecurityDescriptor of the attributeSchema
>and classSchema object structural classes).
>
>> Is the security set from the class? I can't see how else you'd do it
>> without enforcing the new default security on the attribute no matter
>> what classes it is in.
>
>As you say, attributes can be used by many classes; this provides a lot of
>flexibility and saves redundancy. The security of the attributeSchema
>objects in the Schema partition is as above, the security of attributes on
>instantiation is from the AD security model using object based ACEs.
>The "security at the attribute level" that you get with AD is through
>ACEs on the object that control (extensible) access to properties
>(attributes) or property sets that you can group attributes into.
>
>See:
>
>http://msdn.microsoft.com/library/en-us/ad/ad/controlling_access_to_active_directory_objects.asp
>
>HTH
>
>Lee Flight
>


