Brian,

Funny - (well, to a simpleton like me at least....) but I realized this once I got to work and had the chance to actually LOOK at your product. Yep - right there is a big ole button called Set Owner. This button in AA, the discussion here, all prompted me to start looking. And yeah, I found what you just repeated here. Pretty easy in AD, but a bit more difficult (but quite do-able) in NTFS.

BTW, I really LIKE AA. As to the original question, I can't find any direct way to prevent a delegate from 'disengaging' and setting his/her own path. I, too, agree with Tony. (Tony being the really smart guy that he is - me, I'm the simpleton, remember? :-) ) Currently, I do see this as a hole in the delegation structure of the OUs. Needs to be addressed and I'm sure that we're too far into .Net to do anything now. But, it can go on the 'wish list' for Longhorn - which will be along around 2005 - 2006.

Thanks for the input, Brian. And keep up the good work down there in Fla. I'm taking a serious look at AA, Sec Reporter and Sec Disc. Looking PRETTY good.

Rick Kingslan - Microsoft MVP [Windows NT/2000]
Microsoft Certified Trainer
MCSA, MCSE+I - Windows NT / 2000

"Any sufficiently advanced technology
is indistinguishable from magic."
--- Arthur C. Clarke

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian T. Small
> Sent: Friday, September 20, 2002 11:23 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree
>
> Rick,
>
> We provide a "set owner" function for AD in our Active Administrator product. It's actually a very simple thing to do - use the SetNamedSecurityInfo API and provide the SID of the new owner - that's it. It was actually more difficult to write the code for setting the owner on NTFS.
>
> Getting back to the original request, I think he was asking for a way to allow someone to create an OU, but then disallow him from changing security on that object. I agree with Tony - the only way I see to do this is to create a "proxy" to create the OU, or make them submit a work order for the creation of OUs (more work for "real" administrators, though). It doesn't matter what you put in the ACL (Deny Write Permissions, etc) - as long as he is the owner, he can do anything.
>
> Maybe a process running on the domain controllers, waiting for AD objects to be created and immediately setting the owner to BUILTIN\Administrators? Doesn't sound very realistic, though :)
>
> All the best,
>
> Brian Small
> President
>
> ======================
> Small Wonders Software
> [EMAIL PROTECTED]
> http://www.smallwonders.com
> 407.647.4555 : voice
> 407.647.9029 : fax
> ======================
>
> IMPORTANT - This e-mail message (and attachments) may contain information that is confidential to Small Wonders Software. If you are not the intended recipient you cannot use, distribute or copy the message or attachments. In such a case, please notify the sender by return e-mail immediately and erase all copies of the message and attachments. Opinions, conclusions and other information in this message and attachments that do not relate to the official business of Small Wonders Software are neither given nor endorsed by it.
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 9:26 AM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree
>
> Darren, Tony -
>
> Interesting thought. At this point, just to clarify, until I see something that convinces me otherwise (API, code example, tool) Ownership must be taken, not given. Let me explain why it SHOULD be this way and not allowed to be circumvented.
>
> I take ownership of the payroll records. I give myself a 7 digit salary, then assign ownership back to the original owner. (Granted - if IT SEC or the Payroll dept. has half a brain, these files are going to be audited anyway...). This is why I stand behind ownership needing to be taken, but not being able to ASSIGN. By default, all files are initially assigned to the Administrator at setup.
>
> Now as to AD objects, I still need to take a walk through the AD with DSACLS to see if I can find the answer for Michael. Time constraints and 24 hr. days suck. :-)
>
> Rick Kingslan - Microsoft MVP [Windows NT/2000]
> Microsoft Certified Trainer
> MCSA, MCSE+I - Windows NT / 2000
>
> "Any sufficiently advanced technology
> is indistinguishable from magic."
> --- Arthur C. Clarke
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Sykes
> > Sent: Friday, September 20, 2002 7:32 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree
> >
> > I fully understand the theory behind ownership, however on NTFS permissions, this could be manipulated. Look at number 16) on http://www.giant-technologies.co.uk/quotaadvisor/ which mentions the utility they provide. Presumably a DACL on a file will be the same structure as those on an AD object?
> >
> > Darren.
> >
> > -----Original Message-----
> > From: Tony Murray [mailto:[EMAIL PROTECTED]]
> > Sent: 20 September 2002 13:23
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree
> >
> > No, I'm not sure - just going on what I've read. It would make sense from a security point of view though. If I can only _take_ ownership then it's pretty clear that I am the authentic owner. However, if I can assign ownership to anyone and everyone then the concept of owner authenticity disappears.
> >
> > Tony
> >
> > ---------- Original Message ----------------------------------
> > From: "Darren Sykes" <[EMAIL PROTECTED]>
> > Reply-To: [EMAIL PROTECTED]
> > Date: Fri, 20 Sep 2002 13:00:23 +0100
> >
> > Tony,
> >
> > Are you sure ownership can't be given away? That wasn't my understanding (though it's what you'll read in Microsoft's MCSE books). AFAIK, there's nothing in the API which will prevent you from doing this, just the GUI.
> >
> > There are 3rd party applications which add this functionality (Quota software if I remember rightly, as quotas are assigned to the owner of an object). So perhaps coding would be possible?
> >
> > Darren.
> >
> > -----Original Message-----
> > From: Tony Murray [mailto:[EMAIL PROTECTED]]
> > Sent: 20 September 2002 12:57
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree
> >
> > If I understand this correctly, the issue here is that the creator of an object is automatically designated as the Owner of the object. Through ownership of the object this person has certain permissions that you don't really want them to have.
> >
> > I don't have a neat solution to this, but perhaps there are some workarounds, e.g.
> >
> > 1. Provide a tool (e.g. web based) that allows people with delegated permissions to create the objects they are allowed to, but use a protected account to actually perform the object creation. In other words, the tool acts as intermediary. It checks the credentials of the user requesting the creation against the ACL and, if the account has the required permission, the tool will create the object using the protected account.
> >
> > 2. Use a protected account to take ownership of objects shortly after they have been created. I don't like this approach as the only way that I know to change ownership is to actually take it by clicking - it can't be given away.
> >
> > Tony
> >
> > ---------- Original Message ----------------------------------
> > From: [EMAIL PROTECTED]
> > Reply-To: [EMAIL PROTECTED]
> > Date: Fri, 20 Sep 2002 11:58:17 +1000
> >
> > Rick,
> > Any further ideas?
> > Gil?
> >
> > Michael Homsey
> > Telecommunications and Industrial Physics
> > CSIRO, Australia
> >
> > -----Original Message-----
> > From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, 17 September 2002 2:16 PM
> > To: [EMAIL PROTECTED]
> > Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree
> >
> > Michael,
> >
> > Good question here, and one that I haven't run into - hence don't have an answer. 10 minutes of looking at my references didn't turn up anything. I'll keep looking, because I remember reading something about this and it's kinda bugging me now.
> >
> > Gil, if you're reading this - what do you know about this?
> >
> > Rick Kingslan - Microsoft MVP [Windows NT/2000]
> > Microsoft Certified Trainer
> > MCSA, MCSE+I - Windows NT / 2000
> >
> > "Any sufficiently advanced technology
> > is indistinguishable from magic."
> > --- Arthur C. Clarke
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> > > Sent: Monday, September 16, 2002 9:53 PM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree
> > >
> > > Thanks Rick,
> > > there must be something I am missing.
> > > I can restrict the changes to the immediate OU so its permissions cannot be changed. I can restrict the objects created (eg nesting of OUs) and the computer objects. However, if I create a sub-OU, it allows me to disconnect the inherited permissions with the check box. Which privilege turns this off?
> > >
> > > Michael Homsey
> > >
> > > -----Original Message-----
> > > From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
> > > Sent: Monday, 16 September 2002 9:48 AM
> > > To: [EMAIL PROTECTED]
> > > Subject: RE: [ActiveDir] setting/restricting permissions on objects in OU tree
> > >
> > > Go to the advanced ACLs of the user / group that you want to remove the ability to change permissions and remove the 'Modify Permissions' permission at that level.
> > >
> > > This must be done in the Advanced mode of the Security of the object(s) that you want to affect.
> > >
> > > Rick Kingslan - Microsoft MVP [Windows NT/2000]
> > > Microsoft Certified Trainer
> > > MCSA, MCSE+I - Windows NT / 2000
> > >
> > > "Any sufficiently advanced technology
> > > is indistinguishable from magic."
> > > --- Arthur C. Clarke
> > >
> > > > -----Original Message-----
> > > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
> > > > Sent: Sunday, September 15, 2002 6:17 PM
> > > > To: [EMAIL PROTECTED]
> > > > Subject: [ActiveDir] setting/restricting permissions on objects in OU tree
> > > >
> > > > Dear all,
> > > >
> > > > I wish to be able to delegate the creation of OUs and specific objects in an OU tree. Giving the permission to create an OU allows the creator to change permissions and circumvent controls on the OU subtree.
> > > >
> > > > If I wanted people to manage a certain type of object, eg create/delete computer accounts, full control of computer accounts, create/delete sub OUs, but not change permissions so that they could create/delete people objects,
> > > >
> > > > What set of permissions is needed on the parent OU to achieve this?
> > > >
> > > > Michael Homsey
> > > > CSIRO Australia
> >
> > ************************************************************************************************************
> > This e-mail is from Energis Communications Ltd, 50 Victoria Embankment, London, EC4Y 0DE, United Kingdom, No: 2630471.
> >
> > This e-mail is confidential to the addressee and may be privileged. The views expressed are personal and do not necessarily reflect those of Energis. If you are not the intended recipient please notify the sender immediately by calling our switchboard on +44 (0) 20 7206 5555 and do not disclose to another person or use, copy or forward all or any of it in any form.
> > ************************************************************************************************************

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
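The two mechanisms the thread circles around can be put together in modern tooling. What follows is an added example, not code from the thread and not Small Wonders' Active Administrator: a PowerShell sweep that, for every OU under a search base, reports the owner and whether the "inherit permissions from parent" checkbox Michael describes has been cleared, then reassigns ownership to Domain Admins (the same owner field of the security descriptor that Brian's SetNamedSecurityInfo call writes, here via .NET's ActiveDirectorySecurity) and re-enables inheritance, which is Brian's "process on the domain controllers" idea run as a scheduled job. The search base `OU=Delegated,DC=contoso,DC=com`, the owner `CONTOSO\Domain Admins` and the function names are assumptions; the script expects to run as a member of Domain Admins on a domain-joined Windows host.

```powershell
# Added example, not code from the thread or from Active Administrator.
# Assumes: run as a member of Domain Admins on a domain-joined Windows host
# (System.DirectoryServices ships with every Windows PowerShell).
# The search base, owner name and function names are hypothetical placeholders.

function Get-OuOwnerReport {
    <# For one OU: who owns it, and has "inherit permissions from parent" been cleared? #>
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $entry = [ADSI]"LDAP://$DistinguishedName"
    $sd    = $entry.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

    # GetOwner() throws if the owner SID no longer resolves (deleted account); keep the raw SID then.
    try   { $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value }
    catch { $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value }

    [pscustomobject]@{
        DN                 = $DistinguishedName
        Owner              = $owner
        InheritanceBlocked = $sd.AreAccessRulesProtected   # $true = the checkbox was unticked
    }
}

function Reset-OuOwner {
    <# Hand ownership to the admin group and re-enable inheritance; one LDAP write, only if needed. #>
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Owner = 'CONTOSO\Domain Admins',   # hypothetical
        [switch]$WhatIf
    )

    $entry   = [ADSI]"LDAP://$DistinguishedName"
    $sd      = $entry.psbase.ObjectSecurity
    $changed = @()

    $current = (Get-OuOwnerReport -DistinguishedName $DistinguishedName).Owner
    if ($current -ine $Owner) {
        # Owner field of the security descriptor. Naming a principal other than yourself needs that
        # group to be owner-eligible in your token (Administrators / Domain Admins are, for an admin)
        # or SeRestorePrivilege; otherwise CommitChanges() fails with access denied.
        $sd.SetOwner([System.Security.Principal.NTAccount]$Owner)
        $changed += "owner '$current' -> '$Owner'"
    }

    if ($sd.AreAccessRulesProtected) {
        # isProtected=$false turns inheritance back on; the second argument is ignored in that case.
        $sd.SetAccessRuleProtection($false, $true)
        $changed += 'inheritance re-enabled'
    }

    if ($changed.Count -eq 0) { return }
    if ($WhatIf) { Write-Host "WhatIf: $DistinguishedName : $($changed -join ', ')"; return }

    $entry.psbase.CommitChanges()   # writes nTSecurityDescriptor back in a single modify
    Write-Host "$DistinguishedName : $($changed -join ', ')"
}

function Invoke-OuOwnerSweep {
    <# Walk every OU under the search base and fix the ones a delegate has taken over. #>
    param(
        [string]$SearchBase = 'OU=Delegated,DC=contoso,DC=com',   # hypothetical
        [string]$Owner      = 'CONTOSO\Domain Admins',            # hypothetical
        [switch]$WhatIf
    )

    $searcher = New-Object -TypeName System.DirectoryServices.DirectorySearcher `
                           -ArgumentList ([ADSI]"LDAP://$SearchBase"), '(objectClass=organizationalUnit)'
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 500          # paged results, so trees larger than the 1000-entry limit are covered
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')

    foreach ($result in $searcher.FindAll()) {
        $dn     = [string]$result.Properties['distinguishedname'][0]
        $report = Get-OuOwnerReport -DistinguishedName $dn
        if ($report.Owner -ine $Owner -or $report.InheritanceBlocked) {
            Reset-OuOwner -DistinguishedName $dn -Owner $Owner -WhatIf:$WhatIf
        }
    }
}

# Dry run first, then apply from a scheduled task on a DC or admin host:
Invoke-OuOwnerSweep -WhatIf
# Invoke-OuOwnerSweep
```

Two caveats a practitioner should keep in mind. First, the reason ACL edits cannot answer Michael's question: the access check always grants the object's owner READ_CONTROL and WRITE_DAC regardless of the DACL, so a Deny on "Modify Permissions" does not bind the creator, and clearing the inheritance checkbox is itself a DACL write covered by WRITE_DAC. Reassigning the owner removes that implicit grant, which is what makes the sweep work where the permission edits in the earlier replies did not. Second, this is corrective rather than preventive: between creation and the next sweep the delegate still owns the object, and a delegate who also holds Delete on the OU can delete and recreate it to become owner again until the sweep runs. Tony's proxy-account approach is the only one of the ideas in the thread that closes that window.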
