Re: Granting CONTROL_ACCESS Permissions to Non-Admin user




READ should be enough....

post the failure audit event

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

"Sandy Wood" <sandy.wood@xxxxxxxxxx> wrote in message news:5D3381D9-C261-4830-8D10-571DB4E0D86D@xxxxxxxxxxxxxxxx
OK, I believe I understand. I was under the impression that to read the
attributes from user objects in AD you would need more than just Read
permissions. We've been experimenting with various permissions, for a service
account, to be able to bind to AD and read object properties. We've tried
Read Only and also put the service account into the Domain Admins group and
still when it binds to AD and attempts to read an object's attributes it gets
a Failure Audit.
--
Sandy Wood
Orange County District Attorney


"Jorge de Almeida Pinto [MVP - DS]" wrote:

no, it allows you to read attributes that have been configured as
confidential.

more info about that:
http://blogs.dirteam.com/blogs/tomek/archive/2008/03/11/confidential-attributes-windows-2008-follow-up.aspx
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential_bit.aspx
http://support.microsoft.com/kb/922836

if you are not using those attribs you do not need CA rights. Where did you
get that from?


"Sandy Wood" <sandy.wood@xxxxxxxxxx> wrote in message
news:D9BEBB64-92F2-4C4D-BBB8-341BB864EB53@xxxxxxxxxxxxxxxx
> Is CONTROL ACCESS a right that will allow read access to all object
> properties?
> --
> Sandy Wood
> Orange County District Attorney
>
>
> "Jorge de Almeida Pinto [MVP - DS]" wrote:
>
>> you need at least READ and the CONTROL ACCESS right too if you want to
>> be able to read info in confidential attributes
>>
>>
>> "Sandy Wood" <sandy.wood@xxxxxxxxxx> wrote in message
>> news:2E3F0A96-DEC7-4BCB-BA5F-21AE4EAB6981@xxxxxxxxxxxxxxxx
>> > We're developing a program to access Active Directory and read all
>> > our objects and their attributes. We're using a service account to read
>> > that data nightly and we're seeing a bunch of Event 566 Security Audit
>> > Failures when the service account attempts to read each object. Service
>> > account is only a member of Domain Users at this point.
>> >
>> > I ran across a kb article http://support.microsoft.com/kb/922836 that
>> > seems to suggest that only Administrators can by default read the data
>> > we're looking for with this service account. I don't want to put the
>> > user into the Admins group but I'd like it to be able to read all the
>> > attributes of each object in AD. Is there a best practice to do what
>> > we're trying to do?
>> > --
>> > Sandy Wood
>> > Orange County District Attorney
>>
>>
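The check implied by the thread, as an added example that is not part of any post above: list the schema attributes that carry the confidential bit (searchFlags 0x80, the case KB 922836 covers) and report whether a given account already holds an explicit CONTROL_ACCESS (ExtendedRight) ACE for each of them on a container. The account name and container DN are placeholders; the script only reads the schema and the ACL, it changes nothing.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

# Confidential attributes are attributeSchema objects whose searchFlags has
# bit 0x80 (128) set; the OID below is LDAP_MATCHING_RULE_BIT_AND.
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$confidential = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' `
    -Properties lDAPDisplayName, schemaIDGUID

# Assumptions (placeholders): the service account under review and the
# container whose ACL is inspected. Adjust to the real environment.
$account   = 'CONTOSO\svc-adreader'
$container = 'OU=Users,DC=contoso,DC=com'
$acl       = Get-Acl -Path "AD:\$container"

$extendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

foreach ($attr in $confidential) {
    $attrGuid = [guid]$attr.schemaIDGUID

    # A CONTROL_ACCESS grant is an Allow ACE with the ExtendedRight flag whose
    # ObjectType is either this attribute's schemaIDGUID or empty (all
    # extended rights). Only direct ACEs for this principal are matched;
    # rights inherited through group membership or a property set are not
    # resolved here, so a "False" is a prompt to look further, not a verdict.
    $hasCA = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and
        $_.AccessControlType -eq 'Allow' -and
        $_.ActiveDirectoryRights.HasFlag($extendedRight) -and
        ($_.ObjectType -eq $attrGuid -or $_.ObjectType -eq [guid]::Empty)
    }

    [pscustomobject]@{
        Attribute     = $attr.lDAPDisplayName
        SchemaIDGUID  = $attrGuid
        ControlAccess = [bool]$hasCA
    }
}
```

If the attributes the nightly job reads are not in this list, the failure audits are not a CONTROL_ACCESS problem and plain Read on the objects should suffice, which is the point made at the top of the thread.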



