Re: dsHeuristics



Hi,

Yes, it is the 16th character in the attribute (the last 1 in your example).

About those 16 values, as the doc says there are 4 bits:

Account Operators (bit 0 => value 1)
Server Operators (bit 1 => value 2)
Print Operators (bit 2 => value 4)
Backup Operators (bit 3 => value 8)

And with 4 bits you get 16 possible values; just combine the bitwise
representation of the groups and find the appropriate hexadecimal value.

0 = None
1 = Account Operators (AO)
2 = Server Operators (SO)
3 = SO & AO
4 = Print Operators (PO)
5 = PO & AO
6 = PO & SO
7 = PO & SO & AO
8 = Backup Operators (BO)
9 = BO & AO
A = BO & SO
B = BO & SO & AO
C = BO & PO
D = BO & PO & AO
E = BO & PO & SO
F = BO & PO & SO & AO


Arild


"Joe" <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C03F9F74-7904-4F31-83E2-96AAD9A26500@xxxxxxxxxxxxxxxx
I want to use the dsHeuristic flags to control what groups are protected by
the AdminSDHolder in a Windows 2003 Forest. I've reviewed KB 817433 and
don't find it particularly helpful in explaining how this is done.

Specifically the article says:

"After you install the hotfix in Windows 2000 and in Windows Server 2003,
you can set forest-wide dsHeuristic flags to control which operator groups
are protected by AdminSDHolder. Character position 16 is interpreted as a
hexadecimal value, where the left-most character is position 1, so the only
valid values are "0" through "f". Each of the operator groups has a specific
bit as follows:

. Bit 0 : Account Operators
. Bit 1 : Server Operators
. Bit 2 : Print Operators
. Bit 3 : Backup Operators

For example, a value of "1" means exclude AccountOperators. A value of 'c'
would mean exclude PrintOperators and Backup Operators.

What I don't understand is this:

If a value of "1" means exclude AccountOperators, where is this value of "1"
set in the dsHeuristics string? Is it set at the 16 value in the
dsHeuristics string? Something like this 0000000001000001?

If there are 16 valid values from 0 to f - does anyone have a table of what
each value represents?

0 = default?
1 = AccountOperators
2 = ServerOperators?
3 =
etc

I'd really appreciate if anyone could help me with this one.

Thanks

Joe
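
Added example, not part of either post: a small Python helper that decodes character 16 of a dsHeuristics string into the operator groups excluded from AdminSDHolder protection, and rewrites only that character, using the bit assignments quoted from KB 817433 above. The function names are made up for this example, and treating a string shorter than 16 characters as "nothing excluded" is an assumption.

```python
# Added example: decode/encode character 16 of a dsHeuristics value.
# Bit assignments are the ones quoted from KB 817433 in this thread.
GROUP_BITS = {
    "Account Operators": 0x1,  # bit 0
    "Server Operators": 0x2,   # bit 1
    "Print Operators": 0x4,    # bit 2
    "Backup Operators": 0x8,   # bit 3
}
POSITION = 16  # 1-based; the left-most character is position 1


def excluded_groups(ds_heuristics):
    """Return the operator groups excluded from AdminSDHolder protection."""
    value = ds_heuristics or ""
    if len(value) < POSITION:
        # Assumption: a missing 16th character behaves like "0" (none excluded).
        return []
    char = value[POSITION - 1]
    if char not in "0123456789abcdefABCDEF":
        raise ValueError(f"position {POSITION} is not a hex digit: {char!r}")
    mask = int(char, 16)
    return [name for name, bit in GROUP_BITS.items() if mask & bit]


def with_excluded_groups(ds_heuristics, groups):
    """Return a copy of the string with only character 16 changed."""
    if len(ds_heuristics) < POSITION:
        raise ValueError("string is shorter than 16 characters; extend it first")
    mask = 0
    for name in groups:
        mask |= GROUP_BITS[name]  # KeyError on an unknown group name
    chars = list(ds_heuristics)
    chars[POSITION - 1] = format(mask, "x")
    return "".join(chars)


if __name__ == "__main__":
    sample = "0000000001000001"  # the string from Joe's question
    print(excluded_groups(sample))
    print(with_excluded_groups(sample, ["Print Operators", "Backup Operators"]))
```
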

