Re: Access Rights to See DACLs in ADAM
- From: Jeffrey Harris <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx>
- Date: Thu, 25 May 2006 06:56:01 -0700
I understand we cannot totally sandbox ADAM from the local system
administrators, but we want to make it necessary for a local administrator to
go through all those steps.
As to your questions below, I am using LDP to access the security
descriptors, and even though the ADAM service account has been added to the
Administrators group in the configuration partition, I still see audit
failures relating to Read_Control and Access_Sys_Sec in the security log.
This is true even though I just had to reinstall one of the replicas on the
server, and explicitly named the local administrators group (as a test) as
the ADAM administrators during the creation process.
I even tried creating a separate Windows ADAM administrator account, and had
the same problem with that account as the service account.
Why is ADAM not acknowledging that these Windows accounts are part of the
Administrators role, and granting them access to the security descriptors?
That seems to be the basic problem, although they are treated as
administrators for other purposes, such as viewing and updating directory
objects.
Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
"Lee Flight" wrote:
Hi.
You cannot really sandbox ADAM from Windows admins, as they have control over the service account, can take ownership, restore an instance, etc. Also, best practice is to keep the ADAM service account and the ADAM Admin account separate; see the guidelines on account selection in the ADAM help file.
On security descriptors, how are you trying to read them? Adding a Windows user to the ADAM Admin role should allow you to see DACLs. If you are using code then the SD is not returned by default; you need to request it using the SERVER_SD_FLAGS_OID control. If you use the ldp SD editor UI you should be OK. Using code or ldp.exe, if you request SACL info then the account you are using needs the Access System Security priv, else it will fail.
Lee Flight
"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:EA27966A-2948-47EB-B57A-D50CBFA5D042@xxxxxxxxxxxxxxxx
We have set up ADAM SP1 on a W2K3 server.
For security reasons, the local and domain administrators are not allowed to access the ADAM instance; only the ADAM service account and designated ADAM accounts have the administrator access rights.
When creating the ADAM instance, I configured the service account as the ADAM administrator. Although the service account has full access, it cannot see the DACLs and SACLs, and owner and group information. Apparently, read access to these is tied inherently to the local administrators group, even if that group has no rights in ADAM. With no rights, the local administrator cannot access that information either. However, if I add the local administrator account to the Administrators group, and then log into ldp as the local administrator, I can see all the DACLs and SACLs. However, no matter what I have tried (short of adding the ADAM service account to the local administrators group, which we do not want to do, and which I have not tried), there appears to be no way to grant the ADAM service account access to view the DACLs and SACLs.
Is there a way to grant a given account the ability to see these?
Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
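Lee Flight's point about the SD only coming back when it is requested with the SERVER_SD_FLAGS_OID control, and the SACL part needing the Access System Security privilege, shown as an added PowerShell example (not code from anyone in this thread) that uses System.DirectoryServices.Protocols instead of ldp.exe; the host, port, object DN and credential are assumed placeholders.

```powershell
# Added example, not code from this thread. Reads ntSecurityDescriptor from an
# ADAM instance, attaching SERVER_SD_FLAGS_OID (1.2.840.113556.1.4.801) through
# SecurityDescriptorFlagControl. Host, port, DN and account are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$server = 'adamhost.example.com:50000'    # assumed ADAM instance endpoint
$target = 'OU=People,DC=example,DC=com'   # assumed object in an application partition
$cred   = Get-Credential                  # Windows account that is in the ADAM Administrators role

$conn = New-Object "$P.LdapConnection" $server
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Credential = $cred.GetNetworkCredential()
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()

function Get-AdamSecurityDescriptor {
    param([string] $Dn, [System.DirectoryServices.Protocols.SecurityMasks] $Parts)
    $req = New-Object "$P.SearchRequest" -ArgumentList $Dn, '(objectClass=*)',
        [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@('ntSecurityDescriptor')
    # Without this control the SD attribute is simply not returned at all.
    $req.Controls.Add((New-Object "$P.SecurityDescriptorFlagControl" $Parts)) | Out-Null
    $resp = $conn.SendRequest($req)
    $raw  = $resp.Entries[0].Attributes['ntSecurityDescriptor'].GetValues([byte[]])[0]
    return New-Object System.Security.AccessControl.RawSecurityDescriptor $raw, 0
}

$Masks = [System.DirectoryServices.Protocols.SecurityMasks]

# 1) Owner, group and DACL only: the request to use for an account that holds
#    the ADAM role but not the Windows privilege on the host.
$sd = Get-AdamSecurityDescriptor -Dn $target -Parts ($Masks::Owner -bor $Masks::Group -bor $Masks::Dacl)
"Owner: $($sd.Owner)  Group: $($sd.Group)"
foreach ($ace in $sd.DiscretionaryAcl) {
    '{0,-22} 0x{1:X8} {2}' -f $ace.AceType, $ace.AccessMask, $ace.SecurityIdentifier
}

# 2) Same request plus the SACL. This is the part that needs the Access System
#    Security privilege (SeSecurityPrivilege) of the Windows account, and it is
#    the request that leaves Access_Sys_Sec audit failures when that is missing.
try {
    $all = $Masks::Owner -bor $Masks::Group -bor $Masks::Dacl -bor $Masks::Sacl
    $sd2 = Get-AdamSecurityDescriptor -Dn $target -Parts $all
    if ($null -eq $sd2.SystemAcl) { 'SACL not returned: account lacks SeSecurityPrivilege on the ADAM host' }
    else { "SACL entries: $($sd2.SystemAcl.Count)" }
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    "SACL request rejected: $($_.Exception.Response.ResultCode)"
}
```

Run the first request as the ADAM administrator account to confirm the DACL is readable on its own, then the second to see whether the remaining failures are only the SACL privilege check.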