Yep - and that's what I concluded after seeing your last message and going
in and taking a look (Imagine - me actually LOOKING!)

Seems to be an odd contradiction, though.  We're going to allow you to
delegate permissions so that you can better manage your environment.  Oh,
but except here, and here, and here, and (ad infinitum), oh!  And then
there's Exchange.  You thought the OS was really screwed?  Hehe - you ain't
seen nuthin' yet!

>;-)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, July 21, 2003 6:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

LOL. You kill me Rick...

I haven't heard of anyone yet who has "cracked" the internal AD DIT format.
Not sure how feasible it even is. However, the flaw in this is that the
inherited perms don't override the explicits, so it isn't even worth going
to this level of protection with the DIT because the front door is still
wide open.


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, July 19, 2003 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC


Then, given the end goal, (thinking here...might be a flaw) why not deny
that same group permissions to the %SystemRoot%\NTDS directory?  If the
issue is AD and then mucking with the AD files themselves on the DC, just
deny them.  Unless I'm mistaken (and given that I've just gotten up... It's
possible) the deny should override other permissions.

(Now, Joe - what am I missing...?? ;0)  )

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
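
The deny-versus-explicit question raised in the thread, as an added example (not code from any poster): a simplified Python model of how Windows evaluates a DACL in canonical order. The group name and access-mask bits are constructed for illustration; real ACLs also sort inherited ACEs by distance from the object.

```python
# Simplified model of the Windows DACL access check (added example).
from dataclasses import dataclass

READ, WRITE = 0x1, 0x2      # constructed access-mask bits for this model
GROUP = "DelegatedAdmins"   # hypothetical group name

@dataclass(frozen=True)
class Ace:
    kind: str               # "allow" or "deny"
    sid: str                # trustee the ACE applies to
    mask: int
    inherited: bool = False

def canonical_order(aces):
    """Explicit deny, explicit allow, inherited deny, inherited allow."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind != "deny"))

def access_check(aces, token_sids, desired):
    """Walk ACEs in canonical order; the first decision per bit wins."""
    granted = 0
    for ace in canonical_order(aces):
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & desired & ~granted:
            return False    # a still-ungranted requested bit is denied
        if ace.kind == "allow":
            granted |= ace.mask & desired
        if granted == desired:
            return True     # everything requested was granted earlier
    return False            # bits never granted are implicitly denied

# Deny set on the parent directory reaches the file only as an inherited ACE.
INHERITED_DENY = Ace("deny", GROUP, READ | WRITE, inherited=True)

# File that also carries its own explicit allow: the allow is evaluated first.
explicit_allow_file = [INHERITED_DENY, Ace("allow", GROUP, READ | WRITE)]
# File with inherited ACEs only: the inherited deny precedes the inherited allow.
inherited_only_file = [Ace("allow", GROUP, READ | WRITE, inherited=True),
                       INHERITED_DENY]
# Deny placed explicitly on the file itself: it precedes the explicit allow.
explicit_deny_file = [Ace("allow", GROUP, READ | WRITE),
                      Ace("deny", GROUP, WRITE)]

if __name__ == "__main__":
    for name, dacl in [("explicit allow + inherited deny", explicit_allow_file),
                       ("inherited allow + inherited deny", inherited_only_file),
                       ("explicit allow + explicit deny", explicit_deny_file)]:
        print(name, "->", access_check(dacl, {GROUP}, WRITE))
```
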
 

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/

