Re: Confidential Attribute -



Yep, and it actually will impact more than them; do a Google search for adminsdholder.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


lansvcs wrote:
I have finally made it through MSKB 922386 with a lot of help from Tomek's DS world and folks in these newsgroups, and I have the confidential attribute working in my test domain. What I see is that if I apply the ACE to an OU with user objects in it, the rights are inherited by all of those users except Domain Admins. Is this by design?

"Joe Richards [MVP]" wrote:

To view a confidential attribute, you need RP and CA for the attribute. The CA can be granted by giving CA to the entire object or by giving FC to the object. The ONLY ways to grant CA at the attribute level right now are through ADAM R2/SP1 LDP or via a script. Neither ADSIEDIT nor DSACLS knows how to do it.

DO NOT USE ADSI/.NET-based tools to test this initially. ADSI has its own issues (and .NET mostly thunks to ADSI). Use my adfind/admod or use LDP. Once you see it working there, then start playing with it through ADSI tools, and if it screws up you know it is an ADSI issue (likely a cache issue or something) and you can work on that.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm
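The two points Joe makes above, that reading a confidential attribute needs both RP and CA scoped to that attribute and that the attribute-level CA has to be set by LDP or a script, and that objects covered by AdminSDHolder (the Domain Admins case lansvcs noticed) will not inherit such an ACE, can be tied together in one script. The following is an added example written for this page, not code from the thread, from joeware, or from the KB article. It uses System.DirectoryServices, which is exactly the scripted route the post describes; the attribute name `contoso-SecretData`, the group `CONTOSO\SecretReaders` and the OU `OU=Staff,DC=contoso,DC=com` are hypothetical placeholders. It must run as an account that holds WRITE_DAC on the OU.

```powershell
# Added example (not from the thread): grant Read-Property plus Control-Access on one
# attribute to a group, inherited by user objects under an OU, then list the users
# that will NOT inherit it because AdminSDHolder/SDProp protects them (adminCount=1).
# Hypothetical values: attribute 'contoso-SecretData', group 'CONTOSO\SecretReaders',
# OU 'OU=Staff,DC=contoso,DC=com'. Run as an account with WRITE_DAC on the OU.
param(
    [string]$AttributeLdapName = 'contoso-SecretData',
    [string]$GroupName         = 'CONTOSO\SecretReaders',
    [string]$OuDn              = 'OU=Staff,DC=contoso,DC=com'
)

$root     = [ADSI]'LDAP://RootDSE'
$schemaNc = $root.schemaNamingContext.Value
$userGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # well-known schemaIDGUID of class 'user'

# The ACE must reference the attribute's schemaIDGUID, so look it up in the schema NC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaNc",
    "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))",
    @('schemaIDGUID'))
$attrEntry = $searcher.FindOne()
if (-not $attrEntry) { throw "attribute $AttributeLdapName not found in schema" }
$attrGuid = [Guid]($attrEntry.Properties['schemaidguid'][0])

$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier])
$ou  = [ADSI]"LDAP://$OuDn"

# RP (ReadProperty) on the attribute, plus CA: an ExtendedRight ACE whose ObjectType is the
# attribute's own schemaIDGUID is the attribute-level Control-Access that LDP sets by hand.
# Inheritance is Descendents with inheritedObjectType = user, so only user objects get it.
$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents, $userGuid)
$ou.ObjectSecurity.AddAccessRule($ace)
$ou.CommitChanges()
Write-Host "Granted RP+CA on $AttributeLdapName to $GroupName for user objects under $OuDn"

# Users under the OU with adminCount=1 are maintained by SDProp from AdminSDHolder: inheritance
# is turned off on them and their DACL is rewritten periodically, so the ACE above never reaches
# them. Listing them explains the "everyone except Domain Admins" observation.
$protected = New-Object System.DirectoryServices.DirectorySearcher(
    $ou, '(&(objectCategory=person)(objectClass=user)(adminCount=1))', @('distinguishedName'))
$protected.SearchScope = 'Subtree'
foreach ($r in $protected.FindAll()) {
    $dn = $r.Properties['distinguishedname'][0]
    $blocked = ([ADSI]"LDAP://$dn").ObjectSecurity.AreAccessRulesProtected
    Write-Host "Will not inherit (adminCount=1, inheritance blocked=$blocked): $dn"
}
```

After running it, verify with a non-ADSI tool first, as the post advises, for example an LDP or adfind search as a member of the group, before checking through ADSI-based tools; a cached negative result in an ADSI client can otherwise look like a failed delegation.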


MIIS Query wrote:
HI Jorge
I have followed the same steps. But there is a small difference: I have not created any auxiliary class, added the attribute to this class, and finally added that auxiliary class to the user class.

I have created an attribute, converted it to a confidential attribute and added it to the user class.

Do I need to run DSACLS <DN for Property> /G <user or group>:<WPRP> and also assign the permission using LDP.exe? I have tried first giving the permission on the attribute using DSACLS. It has not worked. Then I applied the permission using ldp.exe.

If I check DSACLS "DN for Attribute", it does display that the global group has read and write permission on the attribute. Is there anything to do with the domain and forest functional role, or is there anything to do with global/local/universal groups?


I am still not able to delegate read/write access to a specific user or group which is not a part of the Builtin Admin groups.

Regards
bob
"Jorge de Almeida Pinto [MVP - DS]" wrote:

I have tried it and it works for me

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"MIIS Query" <MIISQuery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:BC7810D1-C953-4F62-AAE9-2D9B9D112932@xxxxxxxxxxxxxxxx
Hello George

Thanks for your reply. I just tried exactly the same. It's not working the way I am expecting. I want to delegate the access control to a global group in addition to the Builtin Admin groups, to read/write this attribute for a specified user or group.

regards
bob



"Jorge de Almeida Pinto [MVP - DS]" wrote:

see:
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential_bit.aspx

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"MIIS Query" <MIISQuery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E3B81F27-9922-4F40-A312-F68AA8A58090@xxxxxxxxxxxxxxxx
Hi All

My environment is Windows 2003 R2. My requirement is to create a couple of attributes, and those attributes are very private and should be accessible only to Admins or to specified users.

After searching on the net, I ended up with the 2003 SP1 feature of confidential attributes, which gives the option of extending the schema attribute as confidential and delegating access to the specified users or group, as mentioned in the link below.
http://support.microsoft.com/kb/922836
This KB article says the only tool to set DSACLS on the attribute is ldp.exe, which is from Windows R2 ADAM, but the DSACL I am able to set through ADSIEDIT.MSC. This is the same ACL as if I set it using ldp.exe using the SACL method. It's confusing.

My problem here is:

I have tried everything mentioned in the article. The only problem is that the read/write access to the confidential attribute is not working as required by me. Has anyone tried giving rights on a confidential attribute, or normal attribute access control?

Thanks for everyone who also read my question.

Regards
bob