Re: Win2k - Account Operator not working properly
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Sat, 29 Oct 2005 11:20:33 -0400
On the ACL cleanup, unfortunately no, I am aware of nothing that does it in a nice way; the GUI or DSACLS method is about it, which means you remove access and then put what you want exactly back. I write tools for MS platforms (www.joeware.net) and a tool that does this is one of the things on the list for "some day".
First off, you have a lot of duplicate ACEs. It looks like they are being applied in a role based manner instead of a resource based manner. Basically you want to have as few ACEs on your AD objects as possible, as the ACL has to be enumerated for every search and other object access. This can cause considerable performance degradation. Also, it makes the ACL harder to read.
So with the exception of the built in ACEs (unless you want to tackle the default security descriptor and clean that up too) I would look at every ACE that is the same, for instance Create Child for user and make one ACE with an associated group CreateUsers and then nest the other groups into that group. Since that group will only be used on the DCs of the domain, you can even use domain local groups for it. Ditto for CreateGroup, CreateContact, etc. If you have some permissions that normally go together you could combine them together. Look at all of your delegation and where you intend to go with it. Keep an eye out for max flexibility and minimal ACEs.
Second, users should not be applied directly to ACEs. Period. ACEs should have groups as trustees and users go into groups.
You have delegation for creating OUs. Note that that means you are granting all access rights to that trustee for everything under those OUs. They can create users, groups, contacts, etc; anything they want. I highly recommend not delegating the ability to create OUs or Containers unless it is for a provisioning system that handles all of that work and has a ton of business rules and logging built in.
We need one more DSACLS dump, one for the new user you created. I want to see what specific ACEs are on it.
joe
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net
thawkz wrote:
Upon further review.....To follow are two COMPLETE dumps (domain names, users and groups have been modified as recommended). First dump is top-level OU and second dump is a child-level OU. I received a "post-too-long" error when I tried to post both dumps, so I will send a follow-up post with the contents of the second dump......
Regarding the vbscript/perlscript for removing ACE entries, I am not a vb or perl scripter by trade...are you aware of any alternate methods to remove the duplicate entries?
TOP LEVEL OU: ===================
Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow DOMAIN1\Domain Admins FULL CONTROL
Allow DOMAIN1\testuser1 SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow DOMAIN1\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Account Operators SPECIAL ACCESS for computer
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Account Operators SPECIAL ACCESS for group
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\exadmin SPECIAL ACCESS for user
CREATE CHILD
Allow DOMAIN1\testuser1 SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\Testuser2 SPECIAL ACCESS for user
CREATE CHILD
Allow DOMAIN1\Testuser2 SPECIAL ACCESS for contact
CREATE CHILD
Allow DOMAIN1\Testgroup1 SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\Testgroup1 SPECIAL ACCESS for group
CREATE CHILD
DELETE CHILD
Allow BUILTIN\Print Operators SPECIAL ACCESS for printQueue
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\testuser3 SPECIAL ACCESS for contact
CREATE CHILD
Allow DOMAIN1\testuser3 SPECIAL ACCESS for user
CREATE CHILD
Allow DOMAIN1\Testgroup1 SPECIAL ACCESS for computer <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\testuser4 SPECIAL ACCESS for computer <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\Testgroup2 SPECIAL ACCESS for computer <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\testuser7 SPECIAL ACCESS for organizationalUnit <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\testuser3 SPECIAL ACCESS for organizationalUnit <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\Testuser2 SPECIAL ACCESS for organizationalUnit <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS for Public Information <Inherited from parent>
WRITE PROPERTY
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information <Inherited from parent>
WRITE PROPERTY
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS for groupType <Inherited from parent>
WRITE PROPERTY
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS for displayName <Inherited from parent>
WRITE PROPERTY
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow DOMAIN1\testuser1 SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow DOMAIN1\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
Allow DOMAIN1\testuser1 SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\Testgroup1 SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\Testgroup1 SPECIAL ACCESS for group
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\Testgroup1 SPECIAL ACCESS for computer <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\testuser4 SPECIAL ACCESS for computer <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\Testgroup2 SPECIAL ACCESS for computer <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\testuser7 SPECIAL ACCESS for organizationalUnit <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\testuser3 SPECIAL ACCESS for organizationalUnit <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\Testuser2 SPECIAL ACCESS for organizationalUnit <Inherited from parent>
CREATE CHILD
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS for Public Information <Inherited from parent>
WRITE PROPERTY
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS for Personal Information <Inherited from parent>
WRITE PROPERTY
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS for groupType <Inherited from parent>
WRITE PROPERTY
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS for displayName <Inherited from parent>
WRITE PROPERTY
Inherited to group
Allow DOMAIN1\testuser3 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to contact
Allow DOMAIN1\testuser3 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to user
Allow DOMAIN1\testuser3 Reset Password <Inherited from parent>
Allow DOMAIN1\testuser3 Change Password <Inherited from parent>
Allow DOMAIN1\testuser3 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to group
Allow DOMAIN1\Testuser2 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to contact
Allow DOMAIN1\Testuser2 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to user
Allow DOMAIN1\Testuser2 Reset Password <Inherited from parent>
Allow DOMAIN1\Testuser2 Change Password <Inherited from parent>
Allow DOMAIN1\Testuser2 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to group
Allow DOMAIN1\testuser7 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to contact
Allow DOMAIN1\testuser7 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to user
Allow DOMAIN1\testuser7 Reset Password <Inherited from parent>
Allow DOMAIN1\testuser7 Change Password <Inherited from parent>
Allow DOMAIN1\testuser7 SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow DOMAIN1\Testgroup3 SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
Allow DOMAIN1\Testgroup3 Change Password <Inherited from parent>
Allow DOMAIN1\Testgroup3 Reset Password <Inherited from parent>
Inherited to group
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow DOMAIN1\Exchange Enterprise Servers SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow DOMAIN1\AD Modify SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
Allow DOMAIN1\Testgroup3 SPECIAL ACCESS for lockoutTime <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow DOMAIN1\Testgroup3 SPECIAL ACCESS for userAccountControl <Inherited from parent>
WRITE PROPERTY
READ PROPERTY
Allow DOMAIN1\testuser8 FULL CONTROL <Inherited from parent>
Allow DOMAIN1\testuser5 SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow DOMAIN1\testuser5 SPECIAL ACCESS for accountExpires <Inherited from parent>
READ PROPERTY
Allow DOMAIN1\testuser3 SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to contact
Allow DOMAIN1\testuser3 SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to group
Allow DOMAIN1\testuser3 SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to user
Allow DOMAIN1\testuser6 Send As <Inherited from parent>
Inherited to contact
Allow DOMAIN1\testuser6 Send As <Inherited from parent>
Allow DOMAIN1\testuser6 Send As
Inherited to user
Allow DOMAIN1\testuser6 Send As
Inherited to contact
Allow DOMAIN1\testuser3 SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to user
Allow DOMAIN1\testuser3 Reset Password
Allow DOMAIN1\testuser3 Change Password
Allow DOMAIN1\testuser3 SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Allow DOMAIN1\Testgroup1 FULL CONTROL
Inherited to group
Allow DOMAIN1\Testgroup1 FULL CONTROL
Inherited to contact
Allow DOMAIN1\Testuser2 SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to user
Allow DOMAIN1\Testuser2 Reset Password
Allow DOMAIN1\Testuser2 Change Password
Allow DOMAIN1\Testuser2 SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Allow DOMAIN1\testuser1 FULL CONTROL
Allow DOMAIN1\exadmin Reset Password
Allow DOMAIN1\exadmin Change Password
Allow DOMAIN1\exadmin SPECIAL ACCESS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Allow DOMAIN1\testuser5 SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
The command completed successfully
=====================================================
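An added example, not code from the thread or from joeware: a small Python parser for the DSACLS output shape shown in the dump above that flags the two things Joe calls out, user principals used directly as ACE trustees, and sets of ACEs with identical rights on the same object class that could become one ACE on one group. The excerpt in SAMPLE and the set of known group names in GROUPS are constructed for the example; a real run would read a full dsacls dump from a file and pull group names from the directory.

```python
import re
from collections import defaultdict
# Constructed excerpt in the DSACLS output shape of the dump above (not the real dump).
SAMPLE = """\
Effective Permissions on this object are:
Allow DOMAIN1\\Domain Admins FULL CONTROL
Allow BUILTIN\\Account Operators SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\\testuser1 SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Allow DOMAIN1\\Testgroup1 SPECIAL ACCESS for user
CREATE CHILD
DELETE CHILD
Inherited to user
Allow DOMAIN1\\testuser3 Reset Password <Inherited from parent>
"""
GROUPS = {"Domain Admins", "Account Operators", "Testgroup1"}  # constructed: known group names

ACE_RE = re.compile(r"^(Allow|Deny) (.+?) (FULL CONTROL|SPECIAL ACCESS|Reset Password|"
                    r"Change Password|Send As|Receive As)(?: for (.+?))?( <Inherited from parent>)?$")

def parse_dsacls(text):
    """Return ACEs as (type, scope, trustee, frozenset(rights), object_class, inherited)."""
    aces, scope, rights = [], "this object", None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Effective Permissions"):
            scope, rights = "this object", None
        elif line.startswith("Inherited to "):          # a subobject-class section
            scope, rights = line[len("Inherited to "):], None
        elif (m := ACE_RE.match(line)):
            ace_type, trustee, access, objclass, inh = m.groups()
            rights = set() if access == "SPECIAL ACCESS" else {access}
            aces.append([ace_type, scope, trustee, rights, objclass or "*", inh is not None])
        elif rights is not None and line.isupper():     # generic right under SPECIAL ACCESS
            rights.add(line)
    return [(a, s, t, frozenset(r), o, i) for a, s, t, r, o, i in aces]

def consolidation_candidates(aces):
    """Same type, scope, rights and object class, different trustees: one ACE on one group would do."""
    by_shape = defaultdict(list)
    for ace_type, scope, trustee, rights, objclass, inherited in aces:
        by_shape[(ace_type, scope, rights, objclass, inherited)].append(trustee)
    return {k: sorted(v) for k, v in by_shape.items() if len(v) > 1}

def user_trustees(aces, known_groups):
    """Trustees whose account name is not a known group: the 'no users directly in ACEs' rule."""
    return sorted({t for _, _, t, *_ in aces if t.split("\\", 1)[-1] not in known_groups})
```

Run against the full dump, the consolidation output is the list of ACEs to collapse into one ACE per group (Joe's CreateUsers example), and the user-trustee output is the list of ACEs to replace with group membership.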