HAHAHA. Yep. I like the inherited/explicit method, just wish there were A LOT fewer explicit ACEs by default. Maybe MS could produce a Secure AD pack which goes back through and locks AD all down, with instructions on how to open it back up with inherited ACEs for various things. It tightens down the schema default SDs and cleans up the entire AD and its current perms. Also it adds a new object called ServerComputer and allows different delegation for them than workstations, which maintain the old Computer object class.

I don't really see anyone outside of MS doing this because of the fear of non-support and the lack of documentation for what a lot of the AD properties even do.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Monday, July 21, 2003 8:04 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

Yep - and that's what I concluded after seeing your last message and going in and taking a look (Imagine - me actually LOOKING!)

Seems to be an odd contradiction, though. We're going to allow you to delegate permissions so that you can better manage your environment. Oh, but except here, and here, and here, and (ad infinitum), oh! And then there's Exchange. You thought the OS was really screwed? Hehe - you ain't seen nuthin' yet! >;-)

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Monday, July 21, 2003 6:32 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

LOL. You kill me Rick... I haven't heard of anyone yet who has "cracked" the internal AD DIT format. Not sure how feasible it even is. However, the flaw in this is that the inherited perms don't override the explicit ones, so it isn't even worth going to this level of protection with the DIT because the front door is still wide open.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, July 19, 2003 10:31 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Installation Priviledges only on a DC

Then, given the end goal, (thinking here...might be a flaw) why not deny that same group permissions to the %SystemRoot%\NTDS directory? If the issue is AD and then mucking with the AD files themselves on the DC, just deny them.

Unless I'm mistaken (and given that I've just gotten up... It's possible) the deny should override other permissions. (Now, Joe - what am I missing...?? ;0) )

Rick Kingslan
MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
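The point Joe and Rick go back and forth on is the order in which Windows evaluates ACEs in a DACL: explicit ACEs are checked before inherited ones, and within each group Deny is checked before Allow, so a Deny that only arrives by inheritance never gets a look at a right an explicit Allow on the object has already granted. As an added example, not part of the list thread, the Python below models that canonical evaluation and shows both directions of the rule. The SIDs, group names and access-mask bits are constructed stand-ins, not real Windows constants.

```python
from dataclasses import dataclass

# Constructed stand-in access-mask bits (not the real Windows constants).
READ, WRITE, DELETE = 0x1, 0x2, 0x4


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    trustee: str     # SID of the user or group the ACE applies to
    mask: int        # access rights this ACE covers
    inherited: bool  # True if the ACE flowed down from a parent container


def canonical_order(dacl):
    """Order ACEs the way a well-formed Windows DACL is laid out:
    explicit ACEs before inherited ones, and within each group deny
    before allow.  The access check walks the list in this order."""
    return sorted(dacl, key=lambda a: (a.inherited, a.kind != "deny"))


def access_check(dacl, token_sids, desired):
    """Decide whether a token holding token_sids gets every bit in 'desired'.
    The first ACE matching one of the token's SIDs decides for the rights
    it covers: a deny touching any still-ungranted right fails the whole
    check; an allow removes its rights from what is still needed."""
    remaining = desired
    for ace in canonical_order(dacl):
        if ace.trustee not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    # Nothing left to grant means success; anything left is an implicit deny.
    return remaining == 0


# Constructed SIDs for the scenario; the values are placeholders.
HELPDESK = "S-1-5-21-0-0-0-1101"   # a delegated-admin group
ADMINS = "S-1-5-21-0-0-0-512"      # a privileged group


def explicit_allow_beats_inherited_deny():
    """Deny set on the parent OU, but the child object carries an explicit
    Allow for the same group: the explicit ACE is evaluated first and wins."""
    child_dacl = [
        Ace("deny", HELPDESK, DELETE, inherited=True),    # from the parent OU
        Ace("allow", HELPDESK, DELETE, inherited=False),  # set on the object
    ]
    return access_check(child_dacl, {HELPDESK}, DELETE)   # True


def explicit_deny_beats_inherited_allow():
    """The reverse: an explicit Deny on the object overrides an Allow the
    object inherited from its parent."""
    child_dacl = [
        Ace("allow", HELPDESK, READ | WRITE, inherited=True),
        Ace("deny", HELPDESK, WRITE, inherited=False),
    ]
    return access_check(child_dacl, {HELPDESK}, WRITE)    # False


def no_matching_ace_denies():
    """A DACL with no ACE for the caller grants nothing."""
    dacl = [Ace("allow", ADMINS, READ | WRITE | DELETE, inherited=False)]
    return access_check(dacl, {HELPDESK}, READ)           # False


def partial_grant_is_a_failure():
    """Requesting READ|WRITE when only READ is allowed fails the whole check."""
    dacl = [Ace("allow", HELPDESK, READ, inherited=False)]
    return access_check(dacl, {HELPDESK}, READ | WRITE)   # False


if __name__ == "__main__":
    print("explicit allow vs inherited deny:", explicit_allow_beats_inherited_deny())
    print("explicit deny vs inherited allow:", explicit_deny_beats_inherited_allow())
```

The model leaves out pieces the real check has, such as the owner's implicit READ_CONTROL and WRITE_DAC and the object-type GUIDs that let AD ACEs apply to single properties or property sets, but the ordering rule is the part that matters for the thread: a Deny only reliably "overrides" when it sits on the object itself or when no explicit Allow for the same trustee and right exists below it, which is why auditing the explicit ACEs on each object, not just the ones set at the OU, is the check to run.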
