Nope, you don't have to duck, this is not altogether well known as an issue.
The reason for creator/owner is so that you can't cut off your nose to spite your face; there is always a way out, i.e. you can't permanently lock yourself out of data, you always have a way back in via hardcoded owner functionality. The owner can always go in and rewrite the ACL on an object to allow whatever access they want.

Now for issue #1. Say I want to delegate to someone the ability to create groups, computers, and OUs so they can put them in a (for them) logical hierarchy. This works great, right? Well, it does until they create an OU and then go into that OU and realize that now they can create an object of any type. The delegation from above is overridden because they are the creator/owner of the new OU and hence have full control over that OU, allowing them to create users or print queues or contacts or whatever in the world they want to create that is allowed under an OU.

Now for issue #2. Say I want to lock off a portion of some part of the AD hierarchy from admins. You simply kick out all of the admin groups, correct? Sure... Then the admin comes in, takes ownership of that entire branch and then resets the ACL to what they want.

C/O isn't the only hole there of course; there is an issue with LocalSystem there as well, but I won't get into the details.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, August 02, 2005 2:30 PM
To: [email protected]
Subject: Re: [ActiveDir] Biggest AD Gripes

I know I'm gonna get hell for this, but what's wrong with the creator/owner SD? I'm gonna duck in a second....
--------------------------
Sent from my BlackBerry Wireless Handheld (www.BlackBerry.net)

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
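An added audit script illustrating joe's issue #1 (not code from the thread or from any of its participants). It walks an OU subtree, reports every OU whose owner is not one of the expected admin groups, and can reset the owner and strip any explicit ACE the previous owner picked up. The point it relies on is the one joe makes: the owner of a directory object always has implicit READ_CONTROL and WRITE_DAC, so a delegated user who creates an OU can rewrite that OU's DACL no matter what was delegated above it. The search base `OU=Delegated,DC=example,DC=com`, the domain name `EXAMPLE`, and the trusted-owner list are assumptions for the example; the RSAT ActiveDirectory module and its `AD:` drive are required.

```powershell
# Added example, not from the original mailing-list thread.
# Assumes: RSAT ActiveDirectory module, rights to read (and, for Repair-, write) the subtree.
Import-Module ActiveDirectory

# Assumed values: replace with your own delegated OU and admin groups.
$SearchBase    = 'OU=Delegated,DC=example,DC=com'
$TrustedOwners = @('EXAMPLE\Domain Admins', 'EXAMPLE\Enterprise Admins', 'BUILTIN\Administrators')

function Get-UntrustedOuOwner {
    # Returns one object per OU under $SearchBase whose owner is not a trusted admin group,
    # together with any explicit (non-inherited) ACEs that owner holds on the OU.
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string[]]$TrustedOwners
    )

    Get-ADOrganizationalUnit -SearchBase $SearchBase -SearchScope Subtree -Filter * |
        ForEach-Object {
            $dn    = $_.DistinguishedName
            $acl   = Get-Acl -Path ("AD:\" + $dn)
            $owner = $acl.Owner              # string of the form DOMAIN\name

            if ($TrustedOwners -notcontains $owner) {
                # Explicit ACEs granted directly to the owner on this OU. Even if this list is
                # empty the owner can still rewrite the DACL: ownership implies WRITE_DAC.
                $ownerAces = @($acl.Access | Where-Object {
                    -not $_.IsInherited -and $_.IdentityReference.Value -eq $owner
                })
                $fullControl = @($ownerAces | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq
                        [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
                })

                [pscustomobject]@{
                    DistinguishedName   = $dn
                    Owner               = $owner
                    ExplicitOwnerAces   = $ownerAces.Count
                    OwnerHasGenericAll  = ($fullControl.Count -gt 0)
                }
            }
        }
}

function Repair-OuOwner {
    # Sets the OU owner back to an admin group and removes explicit ACEs held by the old owner,
    # so the delegated user is again limited to what the parent OU's DACL inherits down.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$NewOwner = 'EXAMPLE\Domain Admins'   # assumed group name
    )

    $path     = "AD:\" + $DistinguishedName
    $acl      = Get-Acl -Path $path
    $oldOwner = $acl.Owner

    $acl.SetOwner([System.Security.Principal.NTAccount]$NewOwner)

    # $acl.Access returns a snapshot, so removing rules while iterating over it is safe.
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -eq $oldOwner } |
        ForEach-Object { [void]$acl.RemoveAccessRule($_) }

    Set-Acl -Path $path -AclObject $acl
    Write-Verbose "Owner of $DistinguishedName changed from $oldOwner to $NewOwner"
}

# Usage: list the findings, then fix each one.
$findings = Get-UntrustedOuOwner -SearchBase $SearchBase -TrustedOwners $TrustedOwners
$findings | Format-Table -AutoSize
$findings | ForEach-Object { Repair-OuOwner -DistinguishedName $_.DistinguishedName -Verbose }
```

Two caveats a practitioner should keep in mind. First, resetting the owner does nothing for joe's issue #2: a member of Domain Admins holds SeTakeOwnershipPrivilege on domain controllers and can take the branch back at will, so a report from this script is a detective control, not a preventive one. Second, the report flags ownership, not a specific ACE; whether a CREATOR OWNER entry is materialised as an explicit ACE depends on the parent's DACL and the class's default security descriptor, so `OwnerHasGenericAll` being false does not mean the owner is harmless.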
