Re: Access Rights to See DACLs in ADAM
- From: Jeffrey Harris <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx>
- Date: Thu, 25 May 2006 10:07:02 -0700
Granting that right resolved the issue. Thanks, Dmitri and Lee.
Dmitri, I am not sure where in the Microsoft organization you are, but can
you submit a bug report for the "Access Security Security" right in ADAM, and
maybe someone will fix it some day?
Lee,
The "Manage Auditing and Security Log" right is described here:
http://technet2.microsoft.com/WindowsServer/en/Library/4e1fa44d-d283-4709-a8ef-460b3611f4031033.mspx?mfr=true
Thanks again.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
"Lee Flight" wrote:
.
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:u71GViBgGHA.4932@xxxxxxxxxxxxxxxxxxxxxxx
Granting access in ADAM DACL does not work (I never figured out why,
sorry).
MSDN says:
"The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because
DACLs do not control access to a SACL. However, you can use the
ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the
access right."
which is does not really answer the why
Your user must have this privilege. Admins (members of
builtin\administrators) have it by default. To grant it to another user,
you should edit local security policy (user rights assignments) using
gpedit.msc.
and the policy name in the UI is "Manage auditing and security log",
I can never remember which Se privs those translate to.
Lee Flight
--
Dmitri Gavrilov
SDE, DS Admin eXperience
This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:66812A6B-B122-49F3-9258-9F73032E43BB@xxxxxxxxxxxxxxxx
Lee,
When I turned off the SACL option in LDP, I AM able to access the DACL
using
either the service or ADAM specific administrator (a Windows account set
up
as an ADAM administrator but with no Windows Admin privileges). However,
I
cannot access either one if the SACL option is turned on, and the Windows
account is not a local administrator account.
Can you confirm that a local administrator account is required to access
the
SACL, and not just any Windows user account? I have tried turning on the
Access System Security privilege in ADAM, and that just does not work.
Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
"Lee Flight" wrote:
Hi
the problem with Access_Sys_Sec is what I was trying to explain
with regard to SACL. Are you saying that:
with the Windows account in the configuration Admin role
if you request a security descriptor with the SACL box unchecked
you do not get the DACL in the security editor UI?
Thanks
Lee Flight
"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:17BB3B50-44B2-4196-B2C2-E26EC6A9C2D7@xxxxxxxxxxxxxxxx
As to your questions below, I am using LDP to access the security
descriptors, and even though the ADAM service account has been added
to
the
Administrators group in the configuration partition, I still see audit
failures relating to Read_Control and Access_Sys_Sec in the security
log.
- Follow-Ups:
- Re: Access Rights to See DACLs in ADAM
- From: Dmitri Gavrilov [MSFT]
- Re: Access Rights to See DACLs in ADAM
- References:
- Re: Access Rights to See DACLs in ADAM
- From: Lee Flight
- Re: Access Rights to See DACLs in ADAM
- From: Jeffrey Harris
- Re: Access Rights to See DACLs in ADAM
- From: Lee Flight
- Re: Access Rights to See DACLs in ADAM
- From: Dmitri Gavrilov [MSFT]
- Re: Access Rights to See DACLs in ADAM
- From: Lee Flight
- Re: Access Rights to See DACLs in ADAM
- Prev by Date: Re: ADMT Migration Across WAN
- Next by Date: Re: Export all users / Import Diff Domain
- Previous by thread: Re: Access Rights to See DACLs in ADAM
- Next by thread: Re: Access Rights to See DACLs in ADAM
- Index(es):
Relevant Pages
|
