Thanks.
I almost lost hope on this one...
 
So far the best thing I've read about AD security/rights was Inside Active Directory, 2nd ed.
-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 28, 2004 3:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] ad partition rights

Another old post with no response.
 
Permissions in AD are a great big "it depends". It depends on schema mods. It depends on what has been applied. It depends on what DCs you work against. For instance... anything that leverages a built-in account will find different Admins of different domains having different rights on different DCs of different domains. Confused? Say you have an ACE that says BUILTIN\Administrators has DELETE CHILD (any) at the root of the config container. This would mean a domain admin of domainA could go to any domainA DC, attach to the config container and delete any object. However, if they attached to a domainB DC they wouldn't be able to unless there was an ACE for DomainA\Domain Admins or DomainA\Domain Admins had been added to DomainB\Administrators. I know there are some fun examples of this in DNS partitions.
 
For your specific question on deleting DCs' Server objects from Sites and Services... You should find that any DC's Server object defined will have the Domain Admins group of the domain it is a member of granted FC on the object and sub-objects.
 
Basically, yes, you need to look at the various containers and OUs and see what is there. Looking at the perms on the schema objects will show you what they will have by default when instantiated, which is handy to know as well since it overrides anything inherited.
 
Don't apologize for this question. Permissions are not so much basic as CORE. The sad thing is I haven't met a lot of people who are really good with them. They are relatively complex, and otherwise very bright admins will open glaring holes in AD because of not truly understanding permissioning and what they have delegated. The best practices with any ACLs (whether on AD, files, or any securable object) are to keep a minimal set of ACEs in them, keep them simple, don't use DENY, properly order ACEs and don't do funny things with ordering, etc. Of course some of us use Exchange and that is just one best practice that tends to go down the drain to make that a go...
 
Microsoft had a great chance of making ACLing in AD really cool with property sets but they stopped a bit short of the goal. I'm sure there are some technical difficulties in there but if there weren't technical difficulties everywhere around what they do everyone would be doing it and they wouldn't be so special. :o)
 
 
  joe
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, September 29, 2004 4:00 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] ad partition rights

Ok, I’ve always been confused on this issue-

It is my understanding that a domain admin only has rights on the domain naming context of his/her domain in AD and not the config or schema contexts.

 

If this is so, how can I delete a DC through AD Sites and Services or ntdsutil?

Isn’t this in the config partition?

 

Is there a good document that specifies all the rights a domain admin has to AD as opposed to, say, an enterprise admin? Or do I need to parse through the SDDL in the Schema to find this?

 

Thanks. I know this is basic, so my apologies to the group.
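
Both the question above (how a domain admin can delete a DC's Server object in the config partition, and whether the answer hides in the schema SDDL) and joe's reply (a DeleteChild ACE for BUILTIN\Administrators at the Configuration root, evaluated differently on DCs of different domains, plus schema defaults stamped on new objects) can be checked directly against a DC rather than reasoned about. The PowerShell below is an added example, not code posted by either participant. It assumes a hypothetical DC name, that the caller can read the three naming contexts on that DC, and uses only .NET's System.DirectoryServices classes (no ActiveDirectory module needed).

```powershell
# Added example, not from the thread. Against one chosen DC it shows:
#  1. which ACEs on the Configuration NC root carry DeleteChild (joe's example),
#  2. who BUILTIN\Administrators actually is on that DC's domain (why the same
#     ACE yields different effective rights on domainA and domainB DCs), and
#  3. the defaultSecurityDescriptor (SDDL) the schema stamps on new 'server'
#     objects (what a DC's Server object in Sites and Services is an instance
#     of), decoded into ACEs instead of eyeballed as a raw string.
# Assumptions (hypothetical, not in the thread): the DC name below, and that
# the caller can read all three naming contexts on it.
param(
    [string]$DomainController = "dc1.domaina.example"   # hypothetical DC
)

Add-Type -AssemblyName System.DirectoryServices

function New-Entry([string]$Path) {
    # Bind explicitly to the chosen DC: the answer differs per DC, so never let
    # the locator pick one for you when auditing this.
    New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$Path")
}

# RootDSE on the chosen DC gives the naming context distinguished names.
$rootDse  = New-Entry "RootDSE"
$configNc = $rootDse.Properties["configurationNamingContext"].Value
$schemaNc = $rootDse.Properties["schemaNamingContext"].Value
$domainNc = $rootDse.Properties["defaultNamingContext"].Value

# 1. DeleteChild ACEs on CN=Configuration as this DC presents them.
#    ActiveDirectoryRights is a flags enum. ObjectType restricts the ACE to one
#    child class; an all-zero GUID means any child class, which is what joe's
#    "DELETE CHILD (any)" refers to.
$configRoot  = New-Entry $configNc
$deleteChild = [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
"DeleteChild ACEs on $configNc as seen from $DomainController:"
$configRoot.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { ($_.ActiveDirectoryRights -band $deleteChild) -ne 0 } |
    Select-Object @{n='Identity';   e={ $_.IdentityReference.Value }},
                  @{n='Type';       e={ $_.AccessControlType }},
                  @{n='ChildClass'; e={ if ($_.ObjectType -eq [Guid]::Empty) { 'any' } else { $_.ObjectType } }},
                  @{n='AppliesTo';  e={ $_.InheritanceType }},
                  @{n='Inherited';  e={ $_.IsInherited }} |
    Format-Table -AutoSize

# 2. BUILTIN\Administrators (S-1-5-32-544) is a per-domain group: its members
#    come from the DC's own domain, so the identical ACE resolves to different
#    people on a domainB DC than on a domainA DC.
$builtinAdmins = New-Entry "CN=Administrators,CN=Builtin,$domainNc"
"Members of BUILTIN\Administrators on $DomainController ($domainNc):"
$builtinAdmins.Properties["member"] | ForEach-Object { "  $_" }

# 3. The schema's defaultSecurityDescriptor is copied onto each new instance of
#    the class as explicit (non-inherited) ACEs, which is why joe says it
#    overrides anything inherited. Read it for the 'server' class.
$serverClass = New-Entry "CN=Server,$schemaNc"
$sddl = [string]$serverClass.Properties["defaultSecurityDescriptor"].Value
"Raw defaultSecurityDescriptor for class 'server':"
"  $sddl"

# Decode the SDDL. Domain-relative aliases in it (DA = Domain Admins,
# EA = Enterprise Admins) resolve against the domain of the machine running
# this script, so SecurityIdentifier is used to avoid name-translation errors.
$sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
$sd.SetSecurityDescriptorSddlForm($sddl)
"Decoded default ACEs for new 'server' objects:"
$sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object @{n='Sid'; e={ $_.IdentityReference.Value }},
                  ActiveDirectoryRights,
                  AccessControlType |
    Format-Table -AutoSize
```

Run it twice, once with a domainA DC and once with a domainB DC as `-DomainController`, and compare the Identity column of section 1 with the member list in section 2: the ACE text is the same forest-wide, but who it admits is decided by the DC you bind to. Section 3 only parses the SDDL if the machine running the script is joined to a domain, since the `DA`/`EA` aliases need a domain SID to resolve against.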
