Re: Access Rights to See DACLs in ADAM



Granting access in ADAM DACL does not work (I never figured out why, sorry).
Your user must have this privilege. Admins (members of
builtin\administrators) have it by default. To grant it to another user, you
should edit local security policy (user rights assignments) using
gpedit.msc.

--
Dmitri Gavrilov
SDE, DS Admin eXperience

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:66812A6B-B122-49F3-9258-9F73032E43BB@xxxxxxxxxxxxxxxx
Lee,

When I turned off the SACL option in LDP, I AM able to access the DACL
using either the service or ADAM specific administrator (a Windows account
set up as an ADAM administrator but with no Windows Admin privileges).
However, I cannot access either one if the SACL option is turned on, and
the Windows account is not a local administrator account.

Can you confirm that a local administrator account is required to access
the SACL, and not just any Windows user account? I have tried turning on
the Access System Security privilege in ADAM, and that just does not work.

Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.


"Lee Flight" wrote:

Hi

the problem with Access_Sys_Sec is what I was trying to explain
with regard to SACL. Are you saying that:

with the Windows account in the configuration Admin role
if you request a security descriptor with the SACL box unchecked
you do not get the DACL in the security editor UI?

Thanks
Lee Flight


"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:17BB3B50-44B2-4196-B2C2-E26EC6A9C2D7@xxxxxxxxxxxxxxxx

As to your questions below, I am using LDP to access the security
descriptors, and even though the ADAM service account has been added to
the Administrators group in the configuration partition, I still see audit
failures relating to Read_Control and Access_Sys_Sec in the security log.




