Re: Access Rights to See DACLs in ADAM



I can submit the bug, and I may even fix it :)
What specifically do you want to be bugged? The checkbox in the ACE editor in ldp
for ACCESS_SYSTEM_SECURITY should be removed?
Please email me directly, drop online dot.

--
Dmitri Gavrilov
SDE, DS Admin eXperience

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:0A3BFEFF-35C8-4A33-A343-93E852F24C46@xxxxxxxxxxxxxxxx
Granting that right resolved the issue. Thanks, Dmitri and Lee.

Dmitri, I am not sure where in the Microsoft organization you are, but can
you submit a bug report for the "Access System Security" right in ADAM, and
maybe someone will fix it some day?

Lee,

The "Manage Auditing and Security Log" right is described here:
http://technet2.microsoft.com/WindowsServer/en/Library/4e1fa44d-d283-4709-a8ef-460b3611f4031033.mspx?mfr=true

Thanks again.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.


"Lee Flight" wrote:


"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:u71GViBgGHA.4932@xxxxxxxxxxxxxxxxxxxxxxx
Granting access in ADAM DACL does not work (I never figured out why, sorry).

MSDN says:

"The ACCESS_SYSTEM_SECURITY access right is not valid in a DACL because
DACLs do not control access to a SACL. However, you can use the
ACCESS_SYSTEM_SECURITY access right in a SACL to audit attempts to use the
access right."

which does not really answer the why

Your user must have this privilege. Admins (members of
builtin\administrators) have it by default. To grant it to another user,
you should edit local security policy (user rights assignments) using
gpedit.msc.

and the policy name in the UI is "Manage auditing and security log",
I can never remember which Se privs those translate to.

Lee Flight



--
Dmitri Gavrilov
SDE, DS Admin eXperience


"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:66812A6B-B122-49F3-9258-9F73032E43BB@xxxxxxxxxxxxxxxx
Lee,

When I turned off the SACL option in LDP, I AM able to access the DACL using
either the service or ADAM specific administrator (a Windows account set up
as an ADAM administrator but with no Windows Admin privileges). However, I
cannot access either one if the SACL option is turned on, and the Windows
account is not a local administrator account.

Can you confirm that a local administrator account is required to access the
SACL, and not just any Windows user account? I have tried turning on the
Access System Security privilege in ADAM, and that just does not work.

Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.


"Lee Flight" wrote:

Hi

the problem with Access_Sys_Sec is what I was trying to explain
with regard to SACL. Are you saying that:

with the Windows account in the configuration Admin role
if you request a security descriptor with the SACL box unchecked
you do not get the DACL in the security editor UI?

Thanks
Lee Flight


"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:17BB3B50-44B2-4196-B2C2-E26EC6A9C2D7@xxxxxxxxxxxxxxxx

As to your questions below, I am using LDP to access the security
descriptors, and even though the ADAM service account has been added to the
Administrators group in the configuration partition, I still see audit
failures relating to Read_Control and Access_Sys_Sec in the security log.
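The thread's conclusion is that reading an object's SACL requires the ACCESS_SYSTEM_SECURITY access right, which Windows grants only to a token holding SeSecurityPrivilege (the "Manage auditing and security log" user right), while reading the DACL needs only READ_CONTROL, which the ADAM Administrators role already provides. The PowerShell script below is an added example, not code from the thread, from LDP or from Microsoft: it reads an ADAM/AD LDS object's security descriptor over LDAP with the sd_flags control so that only the owner, group and DACL are requested (no Windows privilege needed), then repeats the read with the SACL included and reports when the server withholds or refuses it. The server address localhost:50000, the DN CN=Users,DC=example,DC=com and the function names are assumptions chosen for the example; the whoami-based privilege check only reports whether the current token carries the privilege at all.

```powershell
# Added example (not from the thread). Assumes an ADAM/AD LDS instance on
# localhost:50000 and a test object CN=Users,DC=example,DC=com.
param(
    [string]$Server   = 'localhost:50000',
    [string]$ObjectDn = 'CN=Users,DC=example,DC=com'
)

Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

# ACCESS_SYSTEM_SECURITY bit. As the MSDN text quoted in the thread says, it
# only has meaning in a SACL; setting it in a DACL ACE grants nothing.
$ACCESS_SYSTEM_SECURITY = 0x01000000

function Test-SeSecurityPrivilege {
    # "Manage auditing and security log" in local security policy assigns
    # SeSecurityPrivilege; whoami /priv lists it only if the token holds it.
    return [bool]((whoami /priv) -match 'SeSecurityPrivilege')
}

function Get-LdapSecurityDescriptor {
    param(
        [string]$Server,
        [string]$Dn,
        [System.DirectoryServices.Protocols.SecurityMasks]$Parts
    )
    $conn = New-Object "$P.LdapConnection" -ArgumentList $Server
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    $conn.Bind()                                   # current Windows identity

    $req = New-Object "$P.SearchRequest" -ArgumentList $Dn, '(objectClass=*)', 'Base', 'nTSecurityDescriptor'
    # LDAP_SERVER_SD_FLAGS_OID control: request only the SD parts we need,
    # which is what the SACL checkbox in LDP toggles.
    $ctl = New-Object "$P.SecurityDescriptorFlagControl" -ArgumentList $Parts
    [void]$req.Controls.Add($ctl)

    $resp  = $conn.SendRequest($req)
    $entry = $resp.Entries[0]
    if (-not $entry.Attributes.Contains('nTSecurityDescriptor')) {
        return $null                               # server withheld the attribute
    }
    $bytes = $entry.Attributes['nTSecurityDescriptor'].GetValues([byte[]])[0]
    return New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
}

# 1. Owner + Group + DACL only: needs READ_CONTROL on the object, which the
#    ADAM Administrators role grants; no Windows privilege is involved.
$sd = Get-LdapSecurityDescriptor -Server $Server -Dn $ObjectDn -Parts 'Owner,Group,Dacl'
"DACL of $ObjectDn (owner $($sd.Owner)):"
foreach ($ace in $sd.DiscretionaryAcl) {
    $note = if ($ace.AccessMask -band $ACCESS_SYSTEM_SECURITY) { '  <- ACCESS_SYSTEM_SECURITY in a DACL has no effect' } else { '' }
    '  {0,-18} {1,-45} 0x{2:X8}{3}' -f $ace.AceType, $ace.SecurityIdentifier, $ace.AccessMask, $note
}

# 2. Same read with the SACL included: the server now needs
#    ACCESS_SYSTEM_SECURITY, which the token gets only via SeSecurityPrivilege.
"Token holds SeSecurityPrivilege: $(Test-SeSecurityPrivilege)"
try {
    $sd = Get-LdapSecurityDescriptor -Server $Server -Dn $ObjectDn -Parts 'Owner,Group,Dacl,Sacl'
    if ($null -eq $sd -or $null -eq $sd.SystemAcl) {
        'SACL requested but not returned: assign "Manage auditing and security log" ' +
        '(SeSecurityPrivilege) to this account in local security policy, or read without Sacl.'
    } else {
        "SACL returned with $($sd.SystemAcl.Count) ACE(s)"
    }
} catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
    "Server refused the SACL read: $($_.Exception.Response.ResultCode)"
}
```

Run it once as the ADAM-only administrator and once as a member of the local Administrators group: the first read succeeds for both, and only the second read differs, which is the behaviour Jeffrey observed with the SACL checkbox in LDP. Because the privilege is checked on the Windows token and not in the directory's DACL, the fix is the user rights assignment Dmitri describes, not an ACE on the ADAM object.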
