LOL. You kill me Rick...

I haven't heard of anyone yet who has "cracked" the internal AD DIT
format. Not sure how feasible it even is. However, the flaw in this is
that the inherited perms don't override the explicit ones, so it isn't
even worth going to this level of protection with the DIT because the
front door is still wide open.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, July 19, 2003 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC


Then, given the end goal, (thinking here...might be a flaw) why not deny
that same group permissions to the %SystemRoot%\NTDS directory?  If the
issue is AD and then mucking with the AD files themselves on the DC,
just deny them.  Unless I'm mistaken (and given that I've just gotten
up... It's possible) the deny should override other permissions.

(Now, Joe - what am I missing...?? ;0)  )

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
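
The ACL ordering point raised in this thread, as an added example that is not part of either message: a simplified Python model of how a Windows DACL is evaluated in canonical order (explicit deny, explicit allow, inherited deny, inherited allow). The group names, the two access bits and the sample ACLs are constructed for illustration.

```python
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2  # simplified access-mask bits (constructed)

@dataclass(frozen=True)
class Ace:
    kind: str        # "deny" or "allow"
    sid: str         # group name standing in for a SID (hypothetical names)
    mask: int
    inherited: bool  # True if the ACE came down from the parent directory

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(aces, token_sids, desired):
    """Walk the DACL in order; the first ACE naming a still-needed bit decides it."""
    remaining = desired
    for ace in canonical_order(aces):
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False  # bits nobody granted are implicitly denied

# A user who is in both the restricted group and Administrators (constructed).
TOKEN = {"DC-Installers", "Administrators"}

# Deny set on the NTDS directory reaches the file as an *inherited* ACE.
INHERITED_ONLY = [
    Ace("allow", "Administrators", READ | WRITE, inherited=True),
    Ace("deny", "DC-Installers", READ | WRITE, inherited=True),
]
# Same file after an explicit allow is placed directly on it.
WITH_EXPLICIT_ALLOW = INHERITED_ONLY + [
    Ace("allow", "Administrators", READ | WRITE, inherited=False),
]
# Only a deny set explicitly on the file itself is evaluated first.
WITH_EXPLICIT_DENY = WITH_EXPLICIT_ALLOW + [
    Ace("deny", "DC-Installers", READ | WRITE, inherited=False),
]

if __name__ == "__main__":
    for name, acl in [("inherited only", INHERITED_ONLY),
                      ("explicit allow added", WITH_EXPLICIT_ALLOW),
                      ("explicit deny added", WITH_EXPLICIT_DENY)]:
        print(f"{name}: write allowed = {access_check(acl, TOKEN, WRITE)}")
```
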
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/