Another old post with no response.
Permissions in AD are a great big it depends. It depends on schema mods. It depends on what has been applied. It depends on what DCs you work against. For instance... anything that leverages a built-in account will find different Admins of different domains having different rights on different DCs of different domains. Confused? Say you have an ACE that says BUILTIN\Administrators has DELETE CHILD (any) at the root of the config container. This would mean a domain admin of domainA could go to any domainA DC and attach to the config container and delete any object. However, if they attached to a domainB DC they wouldn't be able to unless there was an ACE for DomainA\Domain Admins or DomainA\Domain Admins had been added to DomainB\Administrators. I know there are some fun examples of this in DNS partitions.
For your specific question on deleting DCs' server objects from Sites and Services... you should find that any DC's Server object defined will have the Domain Admins group of the domain it is a member of with FC on the object and subobjects.
Basically yes, you need to look at the various containers and OUs and see what is there. Looking at the perms on the schema objects will show you what they will have by default when instantiated, which is handy to know as well since it overrides anything inherited.
Don't apologize for this question. Permissions are not so much basic as CORE. The sad thing is I haven't met a lot of people who are really good with them. They are relatively complex, and otherwise very bright admins will open glaring holes in AD because of not truly understanding permissioning and what they have delegated. The best practices with any ACLs (whether on AD, files, or any securable object) are to keep a minimal set of ACEs in them, keep them simple, don't use DENY, properly order ACEs and don't do funny things with ordering, etc. Of course some of us use Exchange, and that is just one best practice that tends to go down the drain to make that a go...
Microsoft had a great chance of making ACLing in AD really cool with property sets, but they stopped a bit short of the goal. I'm sure there are some technical difficulties in there, but if there weren't technical difficulties everywhere around what they do, everyone would be doing it and they wouldn't be so special. :o)
joe
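The audit joe describes (look at what ACEs are actually on a container, watch for DENY entries, bad ordering and broad delete rights, and compare against the schema defaults) can be scripted. The following is an added example, not code from this thread or from Microsoft: it parses a security descriptor's SDDL offline with the .NET ActiveDirectorySecurity class and reports the patterns joe warns about. The function name Get-AdAceReport, the sample SDDL and the 'AD:\CN=Configuration,DC=example,DC=com' path are all my own placeholders; feeding it a live object's SDDL via Get-Acl on the AD: drive assumes the ActiveDirectory module is loaded.

```powershell
# Added example (not from the ActiveDir thread). Audits an AD object's DACL for
# DENY ACEs, non-canonical ordering, and unscoped DELETE CHILD / full-control
# grants. The SDDL is parsed offline by System.DirectoryServices, so the sample
# below runs on any Windows host without touching a domain.
Add-Type -AssemblyName System.DirectoryServices

function Get-AdAceReport {
    param(
        # SDDL of the object's security descriptor, e.g.
        # (Get-Acl -Path 'AD:\CN=Configuration,DC=example,DC=com').Sddl
        # or the defaultSecurityDescriptor attribute of a classSchema object.
        [Parameter(Mandatory)] [string] $Sddl
    )

    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($Sddl)

    # Rights that let a trustee remove objects beneath this one.
    $deleteRights = [System.DirectoryServices.ActiveDirectoryRights]'DeleteChild, DeleteTree, GenericAll'

    $aces = @()
    $findings = @()

    # Enumerate explicit and inherited rules by SID so no name resolution is needed offline.
    foreach ($ace in $sd.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid  = $ace.IdentityReference
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }

        # An empty ObjectType GUID means the ACE is not limited to one class or
        # property: it applies to every child object, which is joe's DELETE CHILD (any) case.
        $unscoped = ($ace.ObjectType -eq [guid]::Empty)

        $aces += [pscustomobject]@{
            Identity    = $name
            Type        = $ace.AccessControlType
            Rights      = $ace.ActiveDirectoryRights
            Inherited   = $ace.IsInherited
            Inheritance = $ace.InheritanceType
            Scoped      = -not $unscoped
        }

        if ($ace.AccessControlType -eq 'Deny') {
            $findings += "DENY ACE for $name ($($ace.ActiveDirectoryRights)); prefer removing the ALLOW instead"
        }
        if ($ace.AccessControlType -eq 'Allow' -and $unscoped -and
            ([int]($ace.ActiveDirectoryRights -band $deleteRights) -ne 0)) {
            $findings += "$name can delete any child object here ($($ace.ActiveDirectoryRights)); check that group's membership on each domain's DCs"
        }
    }

    if (-not $sd.AreAccessRulesCanonical) {
        $findings += 'DACL is not in canonical order (explicit DENY must precede explicit ALLOW)'
    }

    [pscustomobject]@{
        Owner    = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        Aces     = $aces
        Findings = $findings
    }
}

# Constructed sample SDDL (not taken from any real forest) mirroring joe's example:
# BUILTIN\Administrators (BA) get DELETE CHILD on the container and its descendants,
# Authenticated Users (AU) get read, and a DENY is placed after an ALLOW so the
# ordering check fires.
$SampleSddl = 'O:BAG:BAD:(A;CI;DC;;;BA)(A;;RPLCLORC;;;AU)(D;;WP;;;AU)'

$report = Get-AdAceReport -Sddl $SampleSddl
$report.Aces | Format-Table -AutoSize
$report.Findings | ForEach-Object { Write-Output "FINDING: $_" }

# Against a live forest, with the ActiveDirectory module loaded (placeholder DN):
# Get-AdAceReport -Sddl (Get-Acl -Path 'AD:\CN=Configuration,DC=example,DC=com').Sddl
```

On the sample, the report lists three ACEs and three findings: the unscoped DELETE CHILD grant to BUILTIN\Administrators, the DENY entry, and the non-canonical ordering. Running the same function over the defaultSecurityDescriptor of a classSchema object shows what a newly created instance of that class will carry before any delegation is applied, which is the comparison joe suggests making.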
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ad partition rights

Ok, I've always been confused on this issue. It is my understanding that a domain admin only has rights on the domain naming context of his/her domain in AD and not the config or schema contexts. If this is so, how can I delete a DC thru AD Sites and Services or ntdsutil? Isn't this in the config partition? Is there a good document that specifies all the rights a domain admin has to AD as opposed to, say, an enterprise admin? Or do I need to parse thru the SDDL in the Schema to find this? Thanks. I know this is basic, so my apologies to the group.
