In another thread, Guido wrote "=> people shouldn't grant full control on OUs to local admins."

which was timely for me, as I was messing around in our test environment with various permissions scenarios. I ran into an oddity, and would be interested in any comments...

I removed the Allow "Delete Subtree" permission via the GUI on an OU for a particular group, and then dumped the DACL. The output of the DACL showed that the Allow "Delete Subtree" (ADS_Right_DS_Delete_Tree) access mask was, as expected, gone. Unexpectedly, the Allow "List Object" (ADS_Right_DS_List_Object) access mask was also gone.

Since the "List Object" permission doesn't appear in the permissions list by default, I changed the dsheuristics attribute on the cn=Directory Service,cn=Windows NT,cn=services,cn=configuration,dc=test,dc=com object. Sure enough, Allow "List Object" is unchecked.

However, with "List Object" now visible in the permissions list, if I go to a different group and uncheck the "Delete Subtree" Allow permission in the GUI, it doesn't modify the "List Object" permission, and dumping the DACL confirms this.

I can't see why the Delete Subtree and List Object permissions would be tied together based on the value of the dsheuristics attribute. Anyone with insight?

Thanks,
Hunter

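One way to check the same thing outside the GUI, as an added example (not Hunter's code or anything from the original thread): it decodes the access mask of each ACE that a given group holds on an OU, reports the DeleteTree and ListObject bits separately, and reads the dsHeuristics flag that turns List Object mode on. It assumes the ActiveDirectory PowerShell module; the OU DN and group name are placeholders.

```powershell
# Added example, not from the original post. Dump the DACL of an OU and
# decode the access mask per ACE for one group, so DeleteTree and
# ListObject can be compared before and after an edit in the GUI.
Import-Module ActiveDirectory

$ouDn  = 'OU=Test,DC=test,DC=com'   # placeholder OU distinguished name
$group = 'TEST\LocalAdmins'         # placeholder group, DOMAIN\name form

# Get-Acl through the AD: drive returns ActiveDirectorySecurity.
$acl = Get-Acl -Path ("AD:\" + $ouDn)

# Flags of interest from System.DirectoryServices.ActiveDirectoryRights.
$deleteTree = [System.DirectoryServices.ActiveDirectoryRights]::DeleteTree
$listObject = [System.DirectoryServices.ActiveDirectoryRights]::ListObject

$acl.Access |
  Where-Object { $_.IdentityReference.Value -eq $group } |
  ForEach-Object {
    $mask = [int]$_.ActiveDirectoryRights
    [pscustomobject]@{
      Type        = $_.AccessControlType
      Inheritance = $_.InheritanceType
      Mask        = ('0x{0:X8}' -f $mask)
      DeleteTree  = (($mask -band [int]$deleteTree) -ne 0)
      ListObject  = (($mask -band [int]$listObject) -ne 0)
      Rights      = $_.ActiveDirectoryRights
    }
  } | Format-Table -AutoSize

# List Object mode is on when the third character of dsHeuristics is '1'.
$rootDse = Get-ADRootDSE
$dsDn    = 'CN=Directory Service,CN=Windows NT,CN=Services,' +
           $rootDse.configurationNamingContext
$dsObj   = Get-ADObject -Identity $dsDn -Properties dsHeuristics
$h       = [string]$dsObj.dsHeuristics
$listObjectMode = ($h.Length -ge 3 -and $h[2] -eq '1')
"dsHeuristics = '$h'; List Object mode enabled = $listObjectMode"
```

Running this before and after unchecking "Delete Subtree" in the GUI shows whether the ListObject bit is actually cleared, independent of what the permissions dialog displays.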