Joe wrote:
Cool Sakari, if you don't mind I made some small mods to it. I have it
preload the attributes and then the lookups go much faster.
No, I don't mind. I made the original to be able to investigate things for our
book, and I only needed to run the script a couple of times. Therefore,
Absolutely. Knock yourself out Sakari. :)
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Sakari Kouti
Sent: Saturday, May 21, 2005 1:07 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness
Joe
@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness
The interesting thing is that the permissions of the newly created GP
Objects are inherited neither from the System\Policies container in the
default NC, nor from the Policies folder in the SYSVOL. The permissions
Sent: Thursday, May 12, 2005 10:01 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness
Right. And joe thinks I asked this question because I didn't know. ;o)
There are interesting idiosyncrasies with the built-in and default groups
Sent: Thursday, May 12, 2005 10:23 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness
Now that Joe brought this up, I uploaded a script that does this enumeration
on http://www.kouti.com/scripts.htm (at the bottom of the page).
You need only
@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness
joe wrote:
Another mistake with the property sets in the base OEM setup is the
property set called Phone and Mail Options
(E45795B2-9455-11d1-AEBD-F80367C1) - no attributes in this
property set at all
Of Grillenmeier, Guido
Sent: Thursday, May 12, 2005 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness
I do understand - that's what documentation is for... But I tend to agree
that documentation lacks in many places. However, you don't only
-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, May 12, 2005 3:40 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set
Madness
Let's take, for example Group Policy Creator Owner. How is this
built
How many consultants on this list actually could enumerate
the property set attributes in a given forest in any reasonable
time? I can do it pretty quickly with adfind and a little perl
script. Not sure of any other easy ways of doing it due to
the funky GUID handling.
Now that Joe
joe wrote:
Another mistake with the property sets in the base OEM setup
is the property set called Phone and Mail Options
(E45795B2-9455-11d1-AEBD-F80367C1) - no attributes in this
property set at all... Must not have any phone or mail
attributes in AD.
I actually reported this to
to the default if the default is unacceptable to you.
/Guido
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Donnerstag, 12. Mai 2005 02:32
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness
Yep
IIRC and ... I should say, I'm only like 37% sure of this, as AD schema
stuff is one of my poor suits, it is NOT one ACE when you grant access
to a property set, it is access to each individual attribute. Property
sets are a lie told to you by the UI. I feel like I was told this once,
but I
: [ActiveDir] [OnTopic] Active Directory Property
Set Madness
IIRC and ... I should say, I'm only like 37% sure of this, as
AD schema
stuff is one of my poor suits, it is NOT one ACE when you
grant access
to a property set, it is access to each individual attribute. Property
sets
PROTECTED] On Behalf Of Sakari Kouti
Sent: Mittwoch, 11. Mai 2005 13:12
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set Madness
Hi Brett (and joe),
Actually, granting (or denying) permission to one property set takes
only one ACE.
Each property
GPOs?
-rtk
-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir-
[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Wednesday, May 11, 2005 4:03 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] [OnTopic] Active Directory Property Set
Madness
Hey joe
I feel like I was told this once,
but I could be making it up in a sleepy haze ...
Yep, I can confirm, a
property set gets one ACE in the ACL. To show it, I simplified an ACL on an OU
to SYSTEM FC, ADMINS FC, and joe\joe Public Information. Here is the dsacls and
raw SDDL output[Wed