Careful Al, Do you really want to spin this discussion
up again? The last time this came up I had to create a new.pst just for
that thread ;-)
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al
Sent: Friday, April 08, 2005 9:13 AM
To: [email protected]
Subject: RE: [ActiveDir] systemFlags
How'd you try to edit it? And why do you let admins
have rights if you can't trust them?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: Friday, April 08, 2005 10:03 AM
To: [email protected]
Subject: [ActiveDir] systemFlags
I want to prevent a collection of administrative users from deleting
certain objects/containers etc.... now I could set up some more acl's on these
objects or I suppose that I could wander off and buy a product off the shelf to
offer that protection. But looking at it some of these products do some simple
things within the directory.
So I had a quick dig and found that in theory I could modify the
systemFlags on an object to protect it from deletion. Like the flags that are
sat on the builtin container....
1> systemFlags: 0x8C000000 = ( FLAG_DISALLOW_DELETE |
FLAG_DOMAIN_DISALLOW_RENAME | FLAG_DOMAIN_DISALLOW_MOVE );
Ahh but theory and practice become two different things. If you try and
edit this attribute then pretty much every utility throws a wobbly. So now I'm
curious... possibly a bad thing.... is there a way to actually modify the
attribute?
