Re: Granting CONTROL_ACCESS Permissions to Non-Admin user
- From: Sandy Wood <sandy.wood@xxxxxxxxxx>
- Date: Fri, 31 Oct 2008 14:48:00 -0700
Here's what we're getting:
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 10/31/2008
Time: 12:55:42 AM
User: MYDOMAIN\dotNETADUser
Computer: OCDANT001
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: group
Object Name: CN=WFR,OU=Domain Local,OU=Groups,DC=my,DC=domain,DC=com
Handle ID: -
Primary User Name: OCDANT001$
Primary Domain: MYDOMAIN
Primary Logon ID: (0x0,0x3E7)
Client User Name: dotNETADUser
Client Domain: MYDOMAIN
Client Logon ID: (0x0,0x43E944EF)
Accesses: Control Access
Properties:
---
Default property set
unixUserPassword
group
Additional Info:
Additional Info2:
Access Mask: 0x100
--
Sandy Wood
Orange County District Attorney
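Added example, not from the thread: PowerShell that checks whether the attribute named in the Event 566 above is marked confidential in the schema, and grants CONTROL_ACCESS on just that attribute to a group instead of widening the service account's group membership. The group name and OU distinguished name are placeholders; the attribute name and object type are taken from the event.

```powershell
# Added example (not Sandy's or Jorge's code). Assumes the RSAT ActiveDirectory module
# and dsacls.exe are present, and that the caller may read the Schema NC (default).
Import-Module ActiveDirectory

$schemaNC = (Get-ADRootDSE).schemaNamingContext
$CONFIDENTIAL_BIT = 0x80    # searchFlags bit 7: attribute is confidential
$DS_CONTROL_ACCESS = 0x100  # ADS_RIGHT_DS_CONTROL_ACCESS, the "Access Mask: 0x100" in the event

# 1. Enumerate every schema attribute whose searchFlags has the confidential bit set
#    (1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule).
$confidential = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$CONFIDENTIAL_BIT))" `
    -Properties lDAPDisplayName, searchFlags
$confidential | Select-Object lDAPDisplayName, @{n='searchFlags';e={'0x{0:X}' -f $_.searchFlags}} |
    Format-Table -AutoSize

# 2. Correlate with the failure audit: values copied from the Event 566 fields above.
$attr        = 'unixUserPassword'   # "Properties" entry in the event
$objectClass = 'group'              # "Object Type" in the event
$accessMask  = 0x100                # "Access Mask" in the event

if (($accessMask -band $DS_CONTROL_ACCESS) -and ($confidential.lDAPDisplayName -contains $attr)) {
    "$attr is confidential; READ alone does not satisfy the CONTROL_ACCESS check on it."
}

# 3. Least-privilege fix: grant CONTROL_ACCESS (CA) for this one attribute to a reader group,
#    inherited to objects of the relevant class under the OU. Placeholders: group and OU DN.
$readerGroup = 'MYDOMAIN\AD-Readers'
$scopeOU     = 'OU=Groups,DC=my,DC=domain,DC=com'
dsacls $scopeOU /I:S /G "${readerGroup}:CA;$attr;$objectClass"
```

Re-run the nightly read afterwards; if Event 566 with Access Mask 0x100 stops appearing for that attribute, the ACE is in effect and the account never needed Domain Admins.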
"Jorge de Almeida Pinto [MVP - DS]" wrote:
READ should be enough.....
post the failure audit event
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* How to ask a question --> http://support.microsoft.com/?id=555375
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test ANY suggestion in a test environment before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
"Sandy Wood" <sandy.wood@xxxxxxxxxx> wrote in message
news:5D3381D9-C261-4830-8D10-571DB4E0D86D@xxxxxxxxxxxxxxxx
OK, I believe I understand. I was under the impression that to Read the Attributes from user objects in AD you would need more than just Read permissions. We've been experimenting with various permissions, for a service account, to be able to bind to AD and read object properties. We've tried Read Only and also put the service account into the Domain Admins group and still when it binds to AD and attempts to read an object's attributes it gets a Failure Audit.
--
Sandy Wood
Orange County District Attorney
"Jorge de Almeida Pinto [MVP - DS]" wrote:
no, it allows you to read attributes that have been configured as confidential.
more info about that:
http://blogs.dirteam.com/blogs/tomek/archive/2008/03/11/confidential-attributes-windows-2008-follow-up.aspx
http://blogs.dirteam.com/blogs/tomek/archive/2005/11/21/confidential_bit.aspx
http://support.microsoft.com/kb/922836
if you are not using those attribs you do not need CA rights. Where did you get that from?
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
"Sandy Wood" <sandy.wood@xxxxxxxxxx> wrote in message
news:D9BEBB64-92F2-4C4D-BBB8-341BB864EB53@xxxxxxxxxxxxxxxx
Is CONTROL ACCESS a right that will allow read access to all object properties?
--
Sandy Wood
Orange County District Attorney
"Jorge de Almeida Pinto [MVP - DS]" wrote:
you need at least READ and the CONTROL ACCESS right too if you want to be able to read info in confidential attributes
--
Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)
# Jorge de Almeida Pinto # MVP Identity & Access - Directory Services #
BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
"Sandy Wood" <sandy.wood@xxxxxxxxxx> wrote in message
news:2E3F0A96-DEC7-4BCB-BA5F-21AE4EAB6981@xxxxxxxxxxxxxxxx
We're developing a program to access Active Directory and read all our objects and their attributes. We're using a service account to read that data nightly and we're seeing a bunch of Event 566 Security Audit Failures when the service account attempts to read each object. Service account is only a member of Domain Users at this point.
I ran across a kb article http://support.microsoft.com/kb/922836 that seems to suggest that only Administrators can by default read the data we're looking for with this service account. I don't want to put the user into the Admins group but I'd like it to be able to read all the attributes of each object in AD. Is there a best practice to do what we're trying to do?
--
Sandy Wood
Orange County District Attorney