Re: Confidential Attribute -



Excellent point, thank you for making it and reminding me of it.

"Joe Richards [MVP]" wrote:

No, it doesn't sound correct. But probably not for the reason you are
thinking...

Anyone with an enhanced privilege ID should have at least two IDs. One
normal every day ID that is in the mail system and has the attributes
set specific to the person. One that has the enhanced rights. The
enhanced rights ID really shouldn't need much set on it except basic NOS
attributes. If you do this, you are far more secure and the
adminsdholder functionality has no impact on you.

If you have people who are admins, etc., and they log into their
workstation and work daily from those accounts doing email and web
surfing, etc., that is a very bad thing.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


lansvcs wrote:
It looks to me like if I use the LDP from ADAM R2 and go through the same
process they outline in 922386 for an OU, for
CN=AdminSDHolder,CN=System,DC=MyDomain, I end up granting the rights to view
these confidential attributes to the group I choose explicitly. Does that
seem correct?

"Joe Richards [MVP]" wrote:

Yep, and it actually will impact more than them; do a Google for
AdminSDHolder.



lansvcs wrote:
I have finally made it through MSKB 922386 with a lot of help from Tomek's DS
World and folks in these newsgroups, and I have the confidential attribute
working in my test domain. What I see is that if I apply the ACE to an OU
with user objects in it, the rights are inherited by all of those users except
Domain Admins. Is this by design?

"Joe Richards [MVP]" wrote:

To view a Confidential attribute, you need RP and CA for the attribute.
The CA can be granted by giving CA to the entire object or by giving FC
to the object. The ONLY ways to grant CA at the attribute level right
now are through ADAM R2/SP1 LDP or via a script. Neither ADSIEDIT nor
DSACLS knows how to do it.

DO NOT USE ADSI/NET based tools to test this initially. ADSI has its own
issues (and NET mostly thunks to ADSI). Use my adfind/admod or use LDP.
Once you see it working there then start playing with it through ADSI
tools and then if it screws up you know it is an ADSI issue (likely a
cache issue or something) and you can work on that.

joe

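The "via a script" route Joe mentions, as an added example that is not from the thread or the KB: it grants one group the RP and CA rights on a single attribute as an inheritable, object-specific ACE on an OU, so descendant user objects pick it up, then reads the DACL back to confirm both rights landed. It assumes a host with the ActiveDirectory PowerShell module; the attribute name, group and OU are placeholders.

```powershell
# Added example (not from the thread): attribute-scoped RP + CA grant via script.
# Placeholders: attribute lDAPDisplayName, group, and OU distinguished name.
Import-Module ActiveDirectory

$attrName  = 'exampleSecretAttr'          # placeholder confidential attribute
$groupName = 'EXAMPLE\Attr-Readers'       # placeholder delegated group
$ouDn      = 'OU=Staff,DC=example,DC=com' # placeholder OU holding the users

$schemaNc = (Get-ADRootDSE).schemaNamingContext

# Object-specific ACEs identify an attribute by its schemaIDGUID, not by name.
$attrObj = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))"
$attrGuid = [guid]$attrObj.schemaIDGUID

# InheritedObjectType restricts the inherited ACE to objects of class 'user'.
$userClass = Get-ADObject -SearchBase $schemaNc -Properties schemaIDGUID `
    -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))"
$userGuid = [guid]$userClass.schemaIDGUID

$sid = (New-Object System.Security.Principal.NTAccount($groupName)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# RP = ReadProperty; CA (RIGHT_DS_CONTROL_ACCESS) is ExtendedRight in the .NET enum.
$rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, ExtendedRight'
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, $rights, [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back: the ACE scoped to exactly this attribute must list BOTH ReadProperty
# and ExtendedRight. A plain RP/WP grant (what DSACLS produces) shows ReadProperty
# only, which is why the confidential value still cannot be read.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference.Value -eq $groupName -and $_.ObjectType -eq $attrGuid } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
```

Accounts protected by AdminSDHolder (Domain Admins members and the like) get their DACL from CN=AdminSDHolder,CN=System and will not inherit this ACE, which is the behaviour discussed above.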


MIIS Query wrote:
Hi Jorge,
I have followed the same steps. But there is a small difference: I have not
created any auxiliary class, added the attribute to that class, and finally
added that auxiliary class to the user class.

I have created an attribute, converted it to a confidential attribute and
added it to the user class.

Do I need to run DSACLS <DN for Property> /G <user or group>:<WPRP> and
also assign the permission using LDP.exe? I have tried first giving the
permission on the attribute using DSACLS. It has not worked. Then I applied
the permission using ldp.exe.

If I check DSACLS "DN for Attribute", it does display that the global group
has the permission of read and write on the attribute. Is there anything to
do with the domain and forest functional role? Or is there anything to do with
the global/local/universal groups?


I am still not able to delegate the read/write access to a specific user or
group which is not a part of the Builtin Admin groups.

Regards
bob

"Jorge de Almeida Pinto [MVP - DS]" wrote:

I have tried it and it works for me

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"MIIS Query" <MIISQuery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:BC7810D1-C953-4F62-AAE9-2D9B9D112932@xxxxxxxxxxxxxxxx
Hello George,

Thanks for your reply. I just tried exactly the same. It's not working the
way I am expecting. I want to delegate the access control to a global group
in addition to the Builtin Admin groups, to read/write this attribute for a
specified user or group.

regards
bob



"Jorge de Almeida Pinto [MVP - DS]" wrote:

see:
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential_bit.aspx

"MIIS Query" <MIISQuery@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E3B81F27-9922-4F40-A312-F68AA8A58090@xxxxxxxxxxxxxxxx
Hi All

My environment is Windows 2003 R2. My requirement is to create a couple of
attributes, and those attributes are very private and should be accessible
only to Admin or to a specified user.

After searching on the net, I ended up with the 2003 SP1 feature of Confidential
Attribute, which gives the option of extending the schema attribute as
confidential and delegating access to the specified users or group, as
mentioned in the link below.
http://support.microsoft.com/kb/922836
This KB article says the only tool to set DSACLS on the attribute is ldp.exe,
which is from Windows R2 ADAM, but the DSACL I am able to set through
ADSIEDIT.MSC. This is the same ACL as if I set it using ldp.exe with the SACL
method. It's confusing.

My problem here is:

I have tried everything mentioned in the article. The only problem is that
the read/write access to the confidential attribute is not working as required
by me. Has anyone tried giving the rights on a confidential attribute or
normal attribute access control?

Thanks to everyone who also read my question.

Regards
bob