Re: ADAM And ACLs



First,

A user object has 11 ACEs in the ACL, and its parent OU object has 8.

All of the inherited ACEs are there for both the parent OU object and its
children user objects, as they should be. However, the user objects have
three additional ACEs, which are not inherited, and which we did not
explicitly set:

CN=Administrators,CN=Roles,<partition DN>, full control
NT AUTHORITY\Authenticated Users, read
NT AUTHORITY\Authenticated Users, full control

The one that concerns us the most is the administrators role. We do not
want our domain administrators (as a group) to have access to our ADAM
instances. Instead, we have defined a special group of Directory
Administrators at the domain level, and assigned them the necessary
permissions to the directory (and that permission is inherited down to the
user object). Yet we have tens of thousands of user objects in the directory,
and we do not want to have to change each one individually.

Is there a way to remove these ACEs all at once?

Furthermore, the Administrators role owns all the objects in the directory,
and is the group associated with the entry. Is there a way to make an en
masse change to the owners and group fields?

Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
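As an added example (not code from the thread, and separate from the dsacls approach Joe suggests), the following PowerShell script uses System.DirectoryServices to walk the user objects under one container of an ADAM instance, list the non-inherited ACEs granted to the Administrators role, and remove them only once $ReportOnly is set to $false. The host:port, container DN and role DN are assumed placeholders, and the script binds with the current Windows credentials.

```powershell
# Added example, not code from the thread. Assumed values: the ADAM host:port,
# the DN of the container holding the users, and the DN of the role whose
# explicit (non-inherited) ACEs should be reported or removed.
Add-Type -AssemblyName System.DirectoryServices
$Server     = 'adamhost.example.com:50000'                     # assumed ADAM instance
$SearchBase = 'OU=People,DC=example,DC=com'                    # assumed container of users
$RoleDN     = 'CN=Administrators,CN=Roles,DC=example,DC=com'   # assumed partition DN
$ReportOnly = $true                                            # $false to actually remove

# Resolve the role's SID from its objectSid attribute so ACEs can be matched by SID
# (ADAM principals do not translate to NTAccount names, so match on SecurityIdentifier).
$role    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$RoleDN")
$roleSid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$role.Properties['objectSid'].Value, 0)

$base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$SearchBase")
$searcher = New-Object System.DirectoryServices.DirectorySearcher($base, '(objectClass=user)')
$searcher.PageSize = 1000        # paged search so tens of thousands of objects are returned
[void]$searcher.PropertiesToLoad.Add('distinguishedName')

$touched = 0
foreach ($hit in $searcher.FindAll()) {
    $entry = $hit.GetDirectoryEntry()
    $sd    = $entry.ObjectSecurity
    # includeExplicit=$true, includeInherited=$false: only ACEs set directly on this object
    $explicit = $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier])
    $toRemove = @($explicit | Where-Object { $_.IdentityReference -eq $roleSid })
    if ($toRemove.Count -eq 0) { continue }

    $dn = $hit.Properties['distinguishedname'][0]
    foreach ($rule in $toRemove) {
        Write-Output ("{0}: explicit {1} {2} for {3}" -f $dn, $rule.AccessControlType,
                      $rule.ActiveDirectoryRights, $rule.IdentityReference)
        # RemoveAccessRuleSpecific removes exactly this ACE, not every ACE with overlapping rights
        if (-not $ReportOnly) { [void]$sd.RemoveAccessRuleSpecific($rule) }
    }
    if (-not $ReportOnly) {
        # The owner and primary group fields could be changed in the same pass with
        # $sd.SetOwner(<sid>) and $sd.SetGroup(<sid>) before committing.
        $entry.ObjectSecurity = $sd
        $entry.CommitChanges()
        $touched++
    }
}
Write-Output "Objects modified: $touched"
```

Explicit ACEs on newly created objects come from the user class's defaultSecurityDescriptor in the schema, so stripping them from existing objects does not stop new objects from receiving the same ACEs; check that definition before deciding the cleanup is complete.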


"Joe Richards [MVP]" wrote:

Not until you give specifics on what you actually set. Better yet, get a
dsacls dump of a container holding user objects and a dsacls dump of the
user object and what you think is on the container object SD that should
be in the user object SD that isn't.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


Jeffrey Harris wrote:
We have a strange problem with our ADAM servers. We have configured custom
ACIs at the root of the directory, and enabled propagation of those ACIs.

The ACIs are propagated to the OUs in the tree correctly. However, user
objects have a different ACL that does not reflect what is in the parent OU
objects, and these user objects all have inherited ACLs.

Can anyone explain what is happening, and what can be done to fix this?

Thanks.



