Re: AD Schema extension and ACLing

Glad you had access to those resources. That should help a lot. My guess
is that you will very soon know more about this than almost anyone else on
this group and you will be responsible for answering similar questions from
now on. :)

Regarding the GUI weirdness, I have no idea. I'm going to guess that ADUC
(and maybe ADSI Edit and other tools that use similar ACL editors; possibly
shared code here) do some queries into the schema and extended rights data
in order to build a cache of the friendly names of all of the various
objects, as the ACEs themselves only contain a bunch of opaque GUIDs. It is
likely the case that this cache is populated once in memory for the
execution lifetime of the process. That's a wild guess though. I think you
found the workaround.

Best of luck and please do report back on your findings. I'm dead serious
about the first paragraph.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Brad Turner [MIIS MVP]" <bradturner32@xxxxxxxxx> wrote in message
news:1158170478.616293.262190@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
THANKS! Yes, I was at DEC 2006, but I was in the MIIS track so I
missed all of the AD sessions. I just finished going through Guido's
presentation and that combined with my re-read of the MSDN docs this
morning really clarified things!

Incidentally, my first attempt today was creating two CARs (one Read X
and one Write X but with validAccesses set to 16 and 32 respectively
instead of 48 as recommended) - in the Advanced Security Permissions
view list it rendered it as:

Read Read X
Write Read X
Read Write X
Write Write X

So, it appears as if the GUI is anticipating the 48 (R/W) whether you
specified it or not; however I did not test setting the missing rights
to see if they took or not (probably just a GUI quirk).

The other oddity I verified this morning explains much of the
frustration I experienced yesterday - after making changes to the
Schema or the CAR, the changes would not appear in the Adv Sec Perm
list until I recycled the MMC console (LDP probably doesn't suffer from
this problem) implying there is a cache somewhere that is not getting
refreshed (even though I Refreshed the view, applied the schema
updates, and Refreshed the Schema Cache repeatedly) OR this list is
built the first time it's used within MMC and not subsequently.
Furthermore, my test Aux class, which was showing up in the "Apply
onto" list, still shows up even after I've set the object to defunct.
Any ideas why this is happening? Recycling the MMC or logging off/on
didn't help here!

I really like the information Guido provided on the confidentiality
bit - I'll certainly use that here, but I think I'll still need the
Property Sets. I've changed them now to both validAccesses=48 and
changed the displayNames to reflect Public vs Private. That answers my
questions about how the CARs are interpreted in the list.

Now I'm still experimenting with the correct combination of aux classes
and attributes, so back to testing. Thanks a ton for bearing with me
and see you at the next DEC!

Brad Turner, MIIS MVP
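
Editor's added example, not code from either poster: the sequence Brad describes (a controlAccessRight with validAccesses=48 used as a property set, an attribute placed into it, and the confidentiality bit) as a PowerShell script against the ActiveDirectory module. The class name exampleCorp-Person, the attribute exampleCorp-PrivateNote and the CAR name are assumed placeholders; the GUID of the new CAR is generated on the fly. It needs Schema Admins membership and a connection to the schema master, and should be run in a lab first, because a controlAccessRight, once referenced in ACEs, is awkward to undo.

```powershell
# Added example (not from the thread). Creates a property-set CAR, places one
# attribute in it and marks that attribute confidential. Placeholder names are
# assumptions; substitute your own schema objects.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

$className = 'exampleCorp-Person'        # assumed class the right applies to
$attrName  = 'exampleCorp-PrivateNote'   # assumed attribute to put in the set

# validAccesses bits for a property set:
#   ADS_RIGHT_DS_READ_PROP  = 0x10 (16)
#   ADS_RIGHT_DS_WRITE_PROP = 0x20 (32)
# 48 = both. A CAR carrying only one of the two bits is still listed under
# both Read and Write in the ACL editor, which is the doubling Brad saw.
$validAccesses = 0x10 -bor 0x20   # 48

# appliesTo holds the schemaIDGUID of each target class as a GUID string.
$class = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=$className)" -Properties schemaIDGUID
$classGuid = (New-Object System.Guid (,[byte[]]$class.schemaIDGUID)).Guid

$rightsGuid = [guid]::NewGuid()

New-ADObject -Name 'exampleCorp-Private-Property-Set' -Type controlAccessRight `
    -Path "CN=Extended-Rights,$configNC" -OtherAttributes @{
        displayName            = 'Private Attributes (exampleCorp)'
        rightsGuid             = $rightsGuid.Guid
        validAccesses          = $validAccesses
        appliesTo              = $classGuid
        showInAdvancedViewOnly = $true
    }

# Membership in a property set is recorded on the attribute, not on the CAR:
# attributeSecurityGUID carries the CAR's rightsGuid in binary form.
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=$attrName)" -Properties searchFlags
Set-ADObject -Identity $attr -Replace @{ attributeSecurityGUID = $rightsGuid.ToByteArray() }

# Optional: confidentiality bit (searchFlags 0x80 = 128). Reading the attribute
# then requires CONTROL_ACCESS as well as Read Property. This bit cannot be set
# on base-schema (category 1) attributes, only on your own extensions.
Set-ADObject -Identity $attr -Replace @{ searchFlags = ([int]$attr.searchFlags -bor 0x80) }

# Ask the schema master to reload its cache, then close and reopen any MMC
# console: ADUC and ADSI Edit build their friendly-name list once per process.
$rd = [ADSI]'LDAP://RootDSE'
$rd.Put('schemaUpdateNow', 1)
$rd.SetInfo()

# Verify what was written to the Extended-Rights container.
Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter "(rightsGuid=$($rightsGuid.Guid))" `
    -Properties displayName, validAccesses, appliesTo |
    Format-List displayName, rightsGuid, validAccesses, appliesTo
```

After running it, an ACE granting or denying this right on an exampleCorp-Person object carries the property set's rightsGuid as its ObjectType GUID; ADUC shows it as one Read/Write pair named from displayName only after the console has been restarted, as both posters note.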