Re: Access Rights to See DACLs in ADAM



Hi

You cannot really sandbox ADAM from Windows admins, as they have control over the service account, can take ownership, restore an instance, etc. Also, best practice is to keep the ADAM service account and the ADAM Admin account separate; see the guidelines on account selection in the ADAM help file.

On security descriptors, how are you trying to read them? Adding a Windows user to the ADAM Admin role should allow you to see DACLs. If you are using code, then the SD is not returned by default; you need to request it using the SERVER_SD_FLAGS_OID control. If you use the ldp SD editor UI, you should be OK. Using code or ldp.exe, if you request SACL info then the account you are using needs the Access System Security privilege, or else it will fail.

Lee Flight


"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:EA27966A-2948-47EB-B57A-D50CBFA5D042@xxxxxxxxxxxxxxxx
We have set up ADAM SP1 on a W2K3 server.

For security reasons, the local and domain administrators are not allowed to access the ADAM instance; only the ADAM service account and designated ADAM accounts have the administrator access rights.

When creating the ADAM instance, I configured the service account as the ADAM administrator. Although the service account has full access, it cannot see the DACLs and SACLs, and owner and group information. Apparently, read access to these is tied inherently to the local administrators group, even if that group has no rights in ADAM. With no rights, the local administrator cannot access that information either. However, if I add the local administrator account to the Administrators group, and then log into ldp as the local administrator, I can see all the DACLs and SACLs. However, no matter what I have tried (short of adding the ADAM service account to the local administrators group, which we do not want to do, and which I have not tried), there appears to be no way to grant the ADAM service account access to view the DACLs and SACLs.

Is there a way to grant a given account the ability to see these?

Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
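The reply above says that code must ask for the security descriptor explicitly via the SERVER_SD_FLAGS_OID control, and that asking for the SACL fails unless the bind account holds the Access System Security privilege. The following is an added example, not code from either poster: it builds and decodes that control value (BER SEQUENCE { INTEGER flags }, OID 1.2.840.113556.1.4.801) and drops the SACL bit when the caller lacks the privilege, so the search for owner/group/DACL still succeeds. The ldap3 call in the trailing comment is an assumed usage, not run here.

```python
# Added example: construct the LDAP_SERVER_SD_FLAGS_OID control that tells
# ADAM/AD LDS which parts of nTSecurityDescriptor to return on a search.
LDAP_SERVER_SD_FLAGS_OID = "1.2.840.113556.1.4.801"

# SECURITY_INFORMATION bits carried in the control's Flags field.
OWNER_SECURITY_INFORMATION = 0x1
GROUP_SECURITY_INFORMATION = 0x2
DACL_SECURITY_INFORMATION = 0x4
SACL_SECURITY_INFORMATION = 0x8   # needs Access System Security (SeSecurityPrivilege)


def _ber_int(value):
    """Minimal BER INTEGER encoding; the flag mask always fits in one byte."""
    if not 0 <= value <= 0x7F:
        raise ValueError("flags must fit in a single BER byte")
    return bytes([0x02, 0x01, value])


def encode_sd_flags(flags):
    """SDFlagsRequestValue ::= SEQUENCE { Flags INTEGER }."""
    inner = _ber_int(flags)
    return bytes([0x30, len(inner)]) + inner


def decode_sd_flags(blob):
    """Inverse of encode_sd_flags; rejects anything that is not the 5-byte form."""
    if len(blob) != 5 or blob[:4] != b"\x30\x03\x02\x01":
        raise ValueError("not an SDFlagsRequestValue")
    return blob[4]


def requestable_flags(wanted, has_access_system_security):
    """Strip the SACL bit unless the bind account holds SeSecurityPrivilege,
    otherwise the whole search fails instead of returning owner/group/DACL."""
    if has_access_system_security:
        return wanted
    return wanted & ~SACL_SECURITY_INFORMATION


def sd_flags_control(flags, critical=True):
    """(oid, criticality, value) tuple, the shape ldap3's search(controls=[...]) accepts."""
    return (LDAP_SERVER_SD_FLAGS_OID, critical, encode_sd_flags(flags))


# Assumed usage with ldap3 (not executed here; conn and base_dn are hypothetical):
# flags = requestable_flags(0xF, has_access_system_security=False)   # -> 0x7
# conn.search(base_dn, "(objectClass=*)", attributes=["nTSecurityDescriptor"],
#             controls=[sd_flags_control(flags)])
```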
