|
Or do it with adfind...
adfind -b dc=domain,dc=com -s base -sddc
ntsecuritydescriptor
Since Eric is interested in the SACL I expect you could
append
|grep -i "\[sacl"
to the command to have it dump just the piece he is
interested in.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman Sent: Monday, July 04, 2005 1:34 PM To: [email protected] Subject: RE: [ActiveDir] Turn off an audit Can you dump the SDDL
string of the domain head security descriptor for us and share it
out? (feel free to send it
to me offline if you are more comfy that way) You can do this with
ldp or maybe dsacls (I forget if dsacls can show you the raw string or not, but
I know LDP can). ~Eric From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Brian
Desmond I
cannot remember the name of the commandline app to do this. I want to turn off
auditing of the msExchALObjectVersion attribute all together. This is set to
audit success/fail at the domain level. If I go in ADUC/ADSIEdit and look at the
domain head, that property is no where to be found in the list. If I goto some
OU, its inheriting the option to audit this property from the domain. How to
turn off? --brian |
