Re: ADAM - Schema Admins?

From: "Lee Flight" <lef@xxxxxxxxxxxxxxx>
Date: Fri, 8 Jun 2007 17:14:43 +0100

Hi

members of the Administrators role in the ADAM configuration naming context
are Schema Admins. However the application naming context Admins are not
Schema Admins so the question is do you need to distinguish config NC
admins from Schema Admins? Bear in mind that if you do create a Schema
Admins role who will control it's membership, it would probably make sense
only if membership was controlled by another group (not config NC admins)
or the Schema Admins themselves. Also you will need to revoke default
permissions on schema for configNC admins, should be OK but I have
never run in that configuration in production.

If you think it still worth investigating then install a test ADAM instance,
run ldp and bind to the instance, right-click schema NC -> Advanced
-> Security descriptor and look at the ACE that is set for
cn=Administrators.
You want to duplicate that ACE for a domain group or ADAM role
that you intend to use as ADAM Schema Admins. It's basically an access
mask of everything except delete, set to inherit down the schema tree.
Post back if you need more help.

Lee Flight

"Thorsten Schmitt" <schmitt_thorsten@xxxxxxxxxxx> wrote in message
news:eYqX$WUqHHA.1296@xxxxxxxxxxxxxxxxxxxxxxx

Hi,

ist there a way to differ between "normal" ADAM Aministrators and
Administrators with Permissions to change the Schema? It would be helpful
to have permissions like the Active Directory Group "Schema
Administrators" and to be able to have different Administrators for normal
tasks and Schema Tasks.
Anay ideas? Maybe.. .settings ACL.. but which and where and how...?

Thanks and best Regards,
Thorsten

Follow-Ups:
- Re: ADAM - Schema Admins?
  - From: Thorsten Schmitt

References:
- ADAM - Schema Admins?
  - From: Thorsten Schmitt

Prev by Date: Re: 2000 Native Mode
Next by Date: Re: Can not login on DC
Previous by thread: ADAM - Schema Admins?
Next by thread: Re: ADAM - Schema Admins?
Index(es):
- Date
- Thread

Relevant Pages

Re: Synchronize only attributes you want ADAMSync
... schema to be only the user and Organizational-Unit classes (plus ... attributes still sync their values into my ADAM schema, ... Updating the configuration file DirSync cookie with a new value. ...
(microsoft.public.windows.server.active_directory)
Re: Synchronize only attributes you want ADAMSync
... schema to be only the user and Organizational-Unit classes (plus ... attributes still sync their values into my ADAM schema, ... Updating the configuration file DirSync cookie with a new value. ...
(microsoft.public.windows.server.active_directory)
Re: ADAMSync not synching
... here is the configuration xml file I loaded... ... is just a base W2k3 AD schema that is less relevant that the source AD ... a fresh ADAM install as below it could be that something in your XML config ...
(microsoft.public.windows.server.active_directory)
Re: ADAM - Schema Admins?
... It is a reuqest of a customer who hosts the ADAM at a hoster. ... Schema Admins so the question is do you need to distinguish config NC ... never run in that configuration in production. ...
(microsoft.public.windows.server.active_directory)
Re: SBSSERVERS
... It specifically needs to be run on the Domain Controller that holds the FSMO ... Role of Schema Master. ... since the Administrator account object is - by default - ... a member of the Domain Admins, Enterprise Admins and Schema Admins this ...
(microsoft.public.windows.server.sbs)