Re: Confidential Attribute -
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Fri, 09 Feb 2007 20:31:09 -0500
No, it doesn't sound correct. But probably not for the reason you are thinking...
Anyone with an enhanced privilege ID should have at least two IDs. One normal every day ID that is in the mail system and has the attributes set specific to the person. One that has the enhanced rights. The enhanced rights ID really shouldn't need much set on it except basic NOS attributes. If you do this, you are far more secure and the adminsdholder functionality has no impact on you.
If you have people who are admins, etc., and they log into their workstation and work daily from those accounts doing email and web surfing, etc., that is a very bad thing.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
lansvcs wrote:
It looks to me like if I use the LDP from ADAM R2 and go through the same process they outline in 922386 for an OU for CN=AdminSDHolder,CN=System,DC=MyDomain, I end up granting the rights to view these confidential attributes to the group I choose explicitly. Does that seem correct?
"Joe Richards [MVP]" wrote:
Yep, and it actually will impact more than them; do a Google search for adminsdholder.
lansvcs wrote:
I have finally made it through MSKB 922386 with a lot of help from Tomek's DS world and folks in these newsgroups, and I have the confidential attribute working in my test domain. What I see is that if I apply the ACE to an OU with user objects in it, the rights are inherited by all of those users except Domain Admins. Is this by design?
"Joe Richards [MVP]" wrote:
To view a Confidential attribute, you need RP and CA for the attribute. The CA can be granted by giving CA to the entire object or by giving FC to the object. The ONLY ways to grant CA at the attribute level right now are through ADAM R2/SP1 LDP or via a script. Neither ADSIEDIT nor DSACLS knows how to do it.
DO NOT USE ADSI/NET based tools to test this initially. ADSI has its own issues (and NET mostly thunks to ADSI). Use my adfind/admod or use LDP. Once you see it working there then start playing with it through ADSI tools and then if it screws up you know it is an ADSI issue (likely a cache issue or something) and you can work on that.
joe
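The "via a script" route Joe mentions, as an added example that is not from the thread: a PowerShell script using the .NET System.DirectoryServices API to grant a group Read Property plus Control Access on one confidential attribute, inherited to user objects under an OU. The OU DN, group name and attribute name are placeholders; the only real constant is the schemaIDGUID of the user class.

```powershell
# Added example, not code from the thread. Grants RP + CA on a single
# confidential attribute to a group, inherited by user objects under an OU.
param(
    [string]$OuDn              = 'OU=Staff,DC=example,DC=com',  # placeholder
    [string]$GroupName         = 'EXAMPLE\HR-SecretReaders',    # placeholder
    [string]$AttributeLdapName = 'employeeSecret'               # placeholder
)
Add-Type -AssemblyName System.DirectoryServices

# Look up the attribute's schemaIDGUID: the ACE must carry it as ObjectType so
# the right applies to this one attribute rather than the whole object.
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = $rootDse.schemaNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaNc",
    "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeLdapName))",
    @('schemaIDGUID'))
$attr = $searcher.FindOne()
if (-not $attr) { throw "attribute $AttributeLdapName not found in schema" }
$attrGuid = [Guid]$attr.Properties['schemaIDGUID'][0]

# schemaIDGUID of the 'user' class (same in every forest); used as the
# InheritedObjectType so only user objects inherit the ACE.
$userClassGuid = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

$ou  = [ADSI]"LDAP://$OuDn"
$sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
           [System.Security.Principal.SecurityIdentifier])

# ReadProperty + ExtendedRight on the attribute GUID is the RP + CA pair the
# confidential bit requires (ExtendedRight 0x100 = ADS_RIGHT_DS_CONTROL_ACCESS).
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$ou.ObjectSecurity.AddAccessRule($ace)
$ou.CommitChanges()
```

Verify the result with adfind or LDP rather than an ADSI-based tool, as Joe advises; members of protected groups such as Domain Admins will still not inherit the ACE because AdminSDHolder rewrites their ACLs.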
MIIS Query wrote:
Hi Jorge,
I have followed the same steps, but there is a small difference: I have not created any auxiliary class, added the attribute to that class and finally added that auxiliary class to the user class.
I have created an attribute, converted it to a confidential attribute and added it to the user class.
Do I need to run DSACLS <DN for property> /G <user or group>:<WPRP> and also assign the permission using LDP.exe? I first tried giving the permission on the attribute using DSACLS. It has not worked. Then I applied the permission using ldp.exe.
If I check DSACLS "DN for attribute", it does display that the global group has read and write permission on the attribute. Is there anything to do with the domain and forest functional role, or is there anything to do with global/local/universal groups?
I am still not able to delegate read/write access to a specific user or group which is not a part of the Builtin Admin groups.
Regards
bob
"Jorge de Almeida Pinto [MVP - DS]" wrote:
I have tried it and it works for me
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Windows Server - Directory Services
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
"MIIS Query" <MIISQuery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:BC7810D1-C953-4F62-AAE9-2D9B9D112932@xxxxxxxxxxxxxxxx
Hello George,
Thanks for your reply. I just tried exactly the same. It's not working the way I am expecting. I want to delegate the access control to a global group in addition to the Builtin Admin groups, to read/write this attribute for a specified user or group.
regards
bob
"Jorge de Almeida Pinto [MVP - DS]" wrote:
see:
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential_bit.aspx
"MIIS Query" <MIISQuery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:E3B81F27-9922-4F40-A312-F68AA8A58090@xxxxxxxxxxxxxxxx
Hi All,
My environment is Windows 2003 R2. My requirement is to create a couple of attributes, and those attributes are very private and should be accessible only to Admin or to a specified user.
After searching on the net, I ended up with the 2003 SP1 feature of Confidential Attribute, which gives the option of extending the schema attribute as confidential and delegating access to the specified users or group, as mentioned in the link below.
http://support.microsoft.com/kb/922836
This KB article says the only tool to set DSACLS on the attribute is ldp.exe, which is from Windows R2 ADAM, but the DSACL I am able to set through ADSIEDIT.MSC. This is the same ACL as if I set it using ldp.exe using the SACL method. It's confusing.
My problem here is:
I have tried everything mentioned in the article. The only problem is the read/write access to the confidential attribute is not working as required by me. Has anyone tried giving the rights on a confidential attribute or normal attribute access control?
Thanks to everyone who also read my question.
Regards
bob