At least MS is continuing their work on AD permissions - even though domain + enterprise admins will remain Gods of the forest (which is certainly a reason only to have very few of them in any AD forest).

One of the issues with delegating Read access to users for specific objects in AD is that they'll usually get read access to many attributes at once - either via a security property set or by granting Full Control or the READ right on the whole object. With SP, you at least have a new option to prevent Read access to confidential attributes, such as a Social Security number, while still allowing normal Read access to other object attributes. This is defined by setting a search flag on the attributeSchema object of those attributes which are to be treated as confidential. If set, only domain administrators can read a confidential attribute (can be delegated).

I think this is a step in the right direction - but only if you have highly trustworthy Domain Admins (but I sincerely doubt that this feature will change the way HR folks think about storing their confidential data in AD ;-)

/Guido

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Hunter, Laura E.
Sent: Monday, February 07, 2005 7:46 PM
Subject: RE: [ActiveDir] Fun with delegated permissions.

Agreed. I can't imagine a way to have that kind of "isolated OU" the way Active Directory is currently laid out - I'm seeing the words "security boundary" and "new forest" in my head before I get even three seconds into the thought. Though it would certainly solve the problem of wanting to create that type of isolation without needing to set up a separate forest (with the associated separate namespace), either for security reasons (R&D) or political (this department wants to run their own boxes) ones.

Laura

> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of joe
> Sent: Monday, February 07, 2005 1:36 PM
> Subject: RE: [ActiveDir] Fun with delegated permissions.
>
> Honestly, I wouldn't mind if that nasty method was available in AD.
> Then when you kicked out admins, it really meant they were kicked out.
> They call that security versus false sense of security. The whole
> creator/owner thing is a giant get out of jail free card but it can be
> used for or against you.
>
> Maybe they should allow that get out of jail free, but it requires
> some super duper method to do it that an admin can't go off in a
> corner and quickly and easily do.
>
> Obviously that won't happen even in the Longhorn Time Frame as it
> would require a very large change in the ACL paradigm currently in
> place.
>
> joe

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
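The confidential-attribute mechanism Guido describes, as an added worked example that is not part of the original thread: mark an attribute confidential by setting bit 7 (0x80) of searchFlags on its attributeSchema object, then delegate read access to one group on one OU by granting Control Access on that attribute. The attribute name (employeeSSN), group (HR-Readers) and OU (OU=Staff,DC=corp,DC=example) are assumed placeholders; the script needs the ActiveDirectory PowerShell module and Schema Admins rights for the schema write.

```powershell
# Added example, not from the original thread. Makes one attribute confidential and
# delegates read access to it. All names below are assumptions for illustration.
Import-Module ActiveDirectory

$attrLdapName = 'employeeSSN'                   # assumed custom attribute (must not be a base-schema attribute)
$readerGroup  = 'HR-Readers'                    # assumed group that should still be able to read it
$targetOu     = 'OU=Staff,DC=corp,DC=example'   # assumed OU where the delegation applies
$ConfidentialFlag = 0x80                        # searchFlags bit 7: fCONFIDENTIAL

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext

# 1. Find the attributeSchema object for the attribute.
$attr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrLdapName))" `
    -Properties searchFlags, systemFlags, schemaIDGUID
if (-not $attr) { throw "attributeSchema for '$attrLdapName' not found" }

# Base-schema (Category 1) attributes carry FLAG_SCHEMA_BASE_OBJECT (0x10) in systemFlags;
# the DC refuses to make those confidential, so fail early with a clear message.
if ($attr.systemFlags -band 0x10) {
    throw "'$attrLdapName' is a base schema attribute and cannot be marked confidential"
}

# 2. Set the confidential bit, keeping any other searchFlags bits (indexed, ANR, ...) intact.
#    Schema writes must go to the schema master.
$newFlags = $attr.searchFlags -bor $ConfidentialFlag
if ($newFlags -ne $attr.searchFlags) {
    Set-ADObject -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $newFlags } `
        -Server (Get-ADForest).SchemaMaster
}

# 3. Delegate: a principal needs BOTH Read Property and Control Access on the attribute
#    to read a confidential value. Scope the ACE to user objects below the OU.
$groupSid      = (Get-ADGroup $readerGroup).SID
$attrGuid      = [guid]$attr.schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID).schemaIDGUID

$rights = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor `
          [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight   # ExtendedRight = CONTROL_ACCESS
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $groupSid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,                                                           # object type = the attribute itself
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)                                                      # inherited object type = user class

$acl = Get-Acl -Path "AD:\$targetOu"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$targetOu" -AclObject $acl

# 4. Check: run this as a member of $readerGroup and again as a user who only has generic
#    Read on the objects. The second run returns an empty value for the attribute.
Get-ADUser -Filter * -SearchBase $targetOu -Properties $attrLdapName |
    Select-Object Name, $attrLdapName
```

Two caveats a practitioner should keep in mind. The bit only adds a Control Access check to reads; anyone holding Full Control (GenericAll) on the object already has Control Access and therefore still reads the value, which is why the protection does nothing against the Domain Admins Guido mentions. And because the flag lives on the schema object, it applies forest-wide to every object carrying that attribute, not to a single OU; only the delegation step is per OU.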
