Re: OU Acling
- From: "Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 7 Jul 2005 12:04:33 -0700
Something else to look out for. You can delete an object if you get either
one of these permissions:
DELETE on the object itself
or
DELETE_CHILD on the parent
So, even if you deny delete, but still allow to delete_child, then you'll be
able to delete still.
BTW, denying admins anything is sort of pointless. It might prevent
accidental deletion, but if they want to do something, they'll grant
themselves the right, and do it anyway.
--
Dmitri Gavrilov
SDE, DS Admin eXperience
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx> wrote in message
news:1120742036.517297@xxxxxxxxxxxxxxxxxxxxxx
>> shouldnt Deny over ride all permissions no matter what it is?
>
> Not necessarily. The order is as follows:
>
> -- explicit deny
> -- explicit allow
> -- inherited deny
> -- inherited allow.
>
>
> Also, does the EA or the administrators group own the container in
> question?
>
> --
> Paul Williams
> Microsoft MVP - Windows Server - Directory Services
> http://www.msresource.net | http://forums.msresource.net
>
>
.
- Follow-Ups:
- Re: OU Acling
- From: Jason
- Re: OU Acling
- References:
- OU Acling
- From: Jason
- Re: OU Acling
- From: Paul Williams [MVP]
- Re: OU Acling
- From: Jason
- Re: OU Acling
- From: Paul Williams [MVP]
- OU Acling
- Prev by Date: Authentication Issues?
- Next by Date: Re: Automatic Log Off When User Is Idle For more than 15mins
- Previous by thread: Re: OU Acling
- Next by thread: Re: OU Acling
- Index(es):
Relevant Pages
|
