[Thu 04/14/2005 20:16:01.31]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
   Extended Error: 000020B1: AtrErr: DSID-030F0C06, #1:
        0: 000020B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

The directory itself is purposely throwing the error. The
DSID tells you exactly where in the source the error is being thrown from and
looking at the source it is because this attribute is reserved for update.
It is, however, possible to update. I will not share
that mechanism as I may get clobbered for it. You can find the mechanism in
public archives though if you look carefully...

F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:22:06.03]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:22:52.39]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com
>systemFlags: -2147483648

1 Objects returned

[Thu 04/14/2005 20:23:01.32]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags:-

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

[Thu 04/14/2005 20:23:29.92]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default systemflags

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

Using server: 2k3dc01.joe.com
Directory: Windows Server 2003
Base DN: DC=joe,DC=com

dn:OU=SysFlagsOU,OU=TestOU,DC=joe,DC=com

1 Objects returned

[Thu 04/14/2005 20:23:49.17]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -exterr systemflags::2147483648

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Modifying specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x13 (19) - Constraint Violation
   Extended Error: 000020B1: AtrErr: DSID-030F0C06, #1:
        0: 000020B1: DSID-030F0C06, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 90177 (systemFlags)

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:24:02.09]
F:\DEV\cpp\SecTok>

Consider it to be like the whole "trust us, someone who can
get interactive access on your DC can take over your forest" argument. Just
because one person doesn't know how to do it doesn't mean no one else does... If
you don't trust the people who are on your DCs, you are in a very very very bad
way.

Oh yeah, but does that disallow of the delete actually
work??

[Thu 04/14/2005 20:29:59.01]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...: [2k3dc01.joe.com] Error 0x35 (53) - Unwilling To Perform

ERROR: Too many errors encountered, terminating...

The command did not complete successfully

[Thu 04/14/2005 20:30:17.96]
F:\DEV\cpp\SecTok>adfind -f name=sysflagsou -default -dsq |admod -del

AdMod V01.03.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

DN Count: 1
Using server: 2k3dc01.joe.com
Deleting specified objects...
   DN: ou=sysflagsou,ou=testou,dc=joe,dc=com...

The command completed successfully

The answer is yes. Possibly that would be a good joeware
for sale item. ;oP

  joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Paul Mayes
Sent: Saturday, April 09, 2005 12:21 PM
To: [email protected]
Subject: RE: [ActiveDir] systemFlags

Suspend all sanity for a moment. I’m not wandering down the route of trusted and untrusted administrators, that’s just how I arrived at this point.

Simply I’m just curious about the possibility of modifying systemFlags. If you try through ldp or adsiedit you get errors generally around the point that it’s a system attribute and you can’t modify it.

Now again make sure that your sanity switch is set to 0 for this as people are now going to start asking the question why and careful because you’ll screw your AD. Well I’m wearing asbestos underpants at this point and I quite like the idea of breaking things in development.

So trudging on …. For the permissions I can see that I have permissions to write the systemFlags attribute, but nothing is letting me, which I agree is quite sensible as I could be any old muppet. But what’s getting in my way, the tools, the AD itself….. something special which is hidden under the bonnet? And how do you then get around that, as I can buy a tool off the shelf that’ll do it. I’ve not yet attempted to write code to fiddle, that’ll be when I’m bored over the next few days.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Mulnick, Al

How'd you try to edit it? And why do you let admins have rights if you can't trust them?
