Re: Controlling object visibility

Ah. Pre-w2k group. It has AU as a member.
You don't see it in your token because it is a builtin group, and as such is
only present in your DC-side security context/token (which is the token used
for your AD access checks).

If you logged on to the DC and ran whoami there, you'd see this SID.

So, it seems you figured out the problem. BTW, I would avoid the deny ACE;
I'd rather block inheritance at Division level. Another option is to
empty the pre-w2k group, but this is dangerous in terms of app compat.

--
Dmitri Gavrilov
SDE, DS Admin eXperience

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"NickvW" <me@xxxxxxxxxxx> wrote in message
news:ezcgF5kcFHA.1456@xxxxxxxxxxxxxxxxxxxxxxx
> Dmitri Gavrilov [MSFT] wrote:
>> I cannot repro.
>> What's the DACL on the AdminsOU? Dump it with DSACLS and post here.
>>
> Here's the DACL for ou=admins,ou=division,dc=example,dc=com.
>
> I have generalised this for Authenticated Users.
>
> Note I removed the explicit read permission for Authenticated Users.
>
> Note the inherited Deny BUILTIN\Pre-Windows 2000 Compatible Access
> SPECIAL ACCESS (List Contents) that I added explicitly on
> ou=division,dc=example,dc=com.
>
> The mystery for me is why you have to add this Deny. How is user1 a
> member of Pre-Windows 2000 Compatible Access? This doesn't show up when
> you log on as user1 and do a whoami /groups.
>
>
> Access list:
> Effective Permissions on this object are:
> Allow EXAMPLE\Domain Admins  FULL CONTROL
> Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS
>     READ PERMISSONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Allow NT AUTHORITY\SYSTEM  FULL CONTROL
> Deny  BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS  <Inherited from parent>
>     LIST CONTENTS
> Allow BUILTIN\Administrators  SPECIAL ACCESS  <Inherited from parent>
>     DELETE
>     READ PERMISSONS
>     WRITE PERMISSIONS
>     CHANGE OWNERSHIP
>     CREATE CHILD
>     LIST CONTENTS
>     WRITE SELF
>     WRITE PROPERTY
>     READ PROPERTY
>     LIST OBJECT
>     CONTROL ACCESS
> Allow EXAMPLE\Enterprise Admins  FULL CONTROL  <Inherited from parent>
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS  <Inherited from parent>
>     LIST CONTENTS
> Allow BUILTIN\Account Operators  SPECIAL ACCESS for computer
>     CREATE CHILD
>     DELETE CHILD
> Allow BUILTIN\Account Operators  SPECIAL ACCESS for user
>     CREATE CHILD
>     DELETE CHILD
> Allow BUILTIN\Account Operators  SPECIAL ACCESS for group
>     CREATE CHILD
>     DELETE CHILD
> Allow BUILTIN\Account Operators  SPECIAL ACCESS for inetOrgPerson
>     CREATE CHILD
>     DELETE CHILD
> Allow BUILTIN\Print Operators  SPECIAL ACCESS for printQueue
>     CREATE CHILD
>     DELETE CHILD
>
> Permissions inherited to subobjects are:
> Inherited to all subobjects
> Deny  BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS  <Inherited from parent>
>     LIST CONTENTS
> Allow BUILTIN\Administrators  SPECIAL ACCESS  <Inherited from parent>
>     DELETE
>     READ PERMISSONS
>     WRITE PERMISSIONS
>     CHANGE OWNERSHIP
>     CREATE CHILD
>     LIST CONTENTS
>     WRITE SELF
>     WRITE PROPERTY
>     READ PROPERTY
>     LIST OBJECT
>     CONTROL ACCESS
> Allow EXAMPLE\Enterprise Admins  FULL CONTROL  <Inherited from parent>
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS  <Inherited from parent>
>     LIST CONTENTS
>
> Inherited to computer
> Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups  <Inherited from parent>
>     READ PROPERTY
> Inherited to group
> Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups  <Inherited from parent>
>     READ PROPERTY
> Inherited to user
> Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS  SPECIAL ACCESS for tokenGroups  <Inherited from parent>
>     READ PROPERTY
> Inherited to inetOrgPerson
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS  <Inherited from parent>
>     READ PERMISSONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information  <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions  <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership  <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information  <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information  <Inherited from parent>
>     READ PROPERTY
> Inherited to user
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS  <Inherited from parent>
>     READ PERMISSONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Inherited to group
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS  <Inherited from parent>
>     READ PERMISSONS
>     LIST CONTENTS
>     READ PROPERTY
>     LIST OBJECT
> Inherited to user
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Logon Information  <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Account Restrictions  <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Group Membership  <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for General Information  <Inherited from parent>
>     READ PROPERTY
> Allow BUILTIN\Pre-Windows 2000 Compatible Access  SPECIAL ACCESS for Remote Access Information  <Inherited from parent>
>     READ PROPERTY
> The command completed successfully
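An added PowerShell audit for the two points in this exchange (example code, not from the thread or from Microsoft): it checks whether Authenticated Users is a member of Pre-Windows 2000 Compatible Access, lists that group's ACEs on the Admins OU with their inheritance state, and dry-runs Dmitri's alternative of blocking inheritance at the Division OU. It assumes the RSAT ActiveDirectory module (the AD: drive), a domain-joined session, and the OU DNs quoted above.

```powershell
# Added example, not from the thread. Assumes the RSAT ActiveDirectory module
# (AD: drive) and a domain-joined session; DNs are the ones quoted in the post.
Import-Module ActiveDirectory

$Pre2kName    = 'BUILTIN\Pre-Windows 2000 Compatible Access'
$Pre2kSid     = 'S-1-5-32-554'   # well-known SID of that builtin group
$AuthUsersSid = 'S-1-5-11'       # NT AUTHORITY\Authenticated Users
$AdminsOu     = 'OU=admins,OU=division,DC=example,DC=com'
$DivisionOu   = 'OU=division,DC=example,DC=com'

# 1. Why user1 gets the group's ACEs without seeing the SID in a workstation
#    token: Authenticated Users sits in the group's member attribute as a
#    foreignSecurityPrincipal object named after its SID, and the builtin
#    group itself only appears in the DC-side token.
$group = Get-ADGroup -Identity $Pre2kSid -Properties member
$authUsersIsMember = [bool]($group.member |
    Where-Object { $_ -like "CN=$AuthUsersSid,CN=ForeignSecurityPrincipals,*" })
if ($authUsersIsMember) {
    Write-Warning "$Pre2kName contains Authenticated Users; every authenticated user gets its ACEs in DC-side access checks."
}

# 2. Every ACE for that group on the Admins OU, with its inheritance state, so
#    the Deny added at Division and the Allow it competes with sit side by side.
$adminsAcl = Get-Acl -Path "AD:\$AdminsOu"
$adminsAcl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Pre2kName } |
    Select-Object AccessControlType, ActiveDirectoryRights, IsInherited,
                  InheritanceType, ObjectType |
    Format-Table -AutoSize

# 3. Dmitri's alternative to the Deny ACE: stop inheritance at the Division OU.
#    preserveInheritance=$true keeps copies of the inherited ACEs (Administrators,
#    Enterprise Admins, ...) as explicit entries. Only the group's List Contents
#    entries (the copied Allow and the explicit Deny) are then dropped; its
#    property-set reads on user/group objects are left alone for app compat.
#    -WhatIf makes this a dry run: inspect $divAcl.Access before removing it.
$divAcl = Get-Acl -Path "AD:\$DivisionOu"
$divAcl.SetAccessRuleProtection($true, $true)
$divAcl.Access |
    Where-Object { $_.IdentityReference.Value -eq $Pre2kName -and
                   $_.ActiveDirectoryRights -eq 'ListChildren' } |
    ForEach-Object { [void]$divAcl.RemoveAccessRule($_) }
Set-Acl -Path "AD:\$DivisionOu" -AclObject $divAcl -WhatIf
```

Run it on a DC (or with RSAT) as an account that can read the OU's security descriptor; step 3 writes nothing until -WhatIf is removed.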

