Re: ADAM And ACLs
- From: Jeffrey Harris <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx>
- Date: Mon, 11 Jun 2007 07:43:02 -0700
The ACLs for the OU which is the parent of the object below are:
Access list:
Effective Permissions on this object are:
Allow S-1-5-21-3013086009-883604043-722006813-1960
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow S-1-5-21-3013086009-883604043-722006813-1881
FULL CONTROL <Inherited from parent>
Allow S-1-409265669-1161665695-514
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow S-1-409265669-1161665695-512
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE SELF
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow S-1-5-21-3013086009-883604043-722006813-1960
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow S-1-5-21-3013086009-883604043-722006813-1881
FULL CONTROL <Inherited from parent>
Allow S-1-409265669-1161665695-514
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow S-1-409265669-1161665695-512
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE SELF
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
The acls for a user account in the OU above are
Access list:
Effective Permissions on this object are:
Allow S-1-409265669-1161665695-512 FULL CONTROL
Allow S-1-5-11 SPECIAL
ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow S-1-5-18
FULL CONTROL
Allow S-1-5-21-3013086009-883604043-722006813-1960
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow S-1-5-21-3013086009-883604043-722006813-1881
FULL CONTROL <Inherited from parent>
Allow S-1-409265669-1161665695-514
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow S-1-409265669-1161665695-512
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE SELF
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow S-1-5-21-3013086009-883604043-722006813-1960
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow S-1-5-21-3013086009-883604043-722006813-1881
FULL CONTROL <Inherited from parent>
Allow S-1-409265669-1161665695-514
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow S-1-409265669-1161665695-512
SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
WRITE PERMISSIONS
LIST CONTENTS
WRITE SELF
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
"Lee Flight" wrote:
Hi.
that Administrators ACE is not domain Admins it's the ADAM Admins
for the naming context and is usually present by inheritance, the AU ACEs
are not standard. As joe said we would need to see DSACLs dump of
a user object
dsacls \\adamserver:adamport\cn=user1,ou=whatever,<restof DN here>
Lee Flight
"Jeffrey Harris" <1Jeffrey1.1Harris1@xxxxxxxxxxxxxxxx> wrote in message
news:3468B2BD-9B96-44A8-8636-A559F9FB5F4A@xxxxxxxxxxxxxxxx
First,
A user object has 11 ACEs in the ACL, and its parent OU object has 8.
All of the inherited ACEs are there for both the parent OU object and its
children user objects, as they should be. However, the user objects have
three additional ACEs, which are not inherited, and which we did not
explicitly set:
CN=Administrators,CN=Roles,<partition DN>, full control
NT AUTHORITY\Authenticated Users, read
NT AUTHORITY\Authenticated Users, full control
The one that concerns us the most is the administrators role. We do not
want our domain administrators (as a group) to have access to our ADAM
instances. Instead, we have defined a special group of Directory
Administrators at the domain level, and assigned them the necessary
permissions to the directory (and that permission is inherited down to the
user object). Yet we have 10s of thousands of user objects in the
directory,
and we do not want to have to change each one individually.
Is there a way to remove these ACEs all at once?
Furthermore, the Administrators role owns all the objects in the
directory,
and is the group associated with the entry. Is there a way to make an en
masse change to the owners and group fields?
Thanks.
--
Jeffrey Harris, MCSE W2K.
Please remove the '1's from the e-mail address before sending.
"Joe Richards [MVP]" wrote:
Not until you give specifics on what you actually set. Better yet, get a
dsacls dump of a container holding user objects and a dsacls dump of the
user object and what you think is on the container object SD that should
be in the user object SD that isn't.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
Jeffrey Harris wrote:
We have a strange problem with our ADAM servers. We have configured
custom
ACIs at the root of the directory, and enabled propagation of those
ACIs.
The ACIs are propagated to the OUs in the tree correctly. However,
user
objects have a different ACL that does not reflect what is in the
parent OU
objects, and these user object all have inherited ACLs.
Can anyone explain what is happening, and what can be done to fix this?
Thanks.
- Follow-Ups:
- Re: ADAM And ACLs
- From: Lee Flight
- Re: ADAM And ACLs
- References:
- Re: ADAM And ACLs
- From: Jeffrey Harris
- Re: ADAM And ACLs
- From: Lee Flight
- Re: ADAM And ACLs
- Prev by Date: Re: "Spare" offline DC - bringing it back
- Next by Date: Re: Windows cannot verify >>>
- Previous by thread: Re: ADAM And ACLs
- Next by thread: Re: ADAM And ACLs
- Index(es):
Relevant Pages
|
