Glad it helped.
 
Some more comments inline.
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Tuesday, 6 September 2005 15:27
To: [email protected]
Subject: RE: [ActiveDir] hide an attribute

So if you have a mixed mode forest, what if you give perms directly to Global groups on Enterprise objects in AD and only use local groups for Domain local stuff?
[Guido Grillenmeier] that's fine 
or are you just supposed to rely on Auth users or Everyone for stuff like that?
[Guido Grillenmeier] certainly not 
 
 
What happens if your perms are checked against a GC? GC's don't know about members of LG or GG's.
[Guido Grillenmeier] Of course they know about members of LGs and GGs - but only of their own domain ;-) 
But that's not the point. Your membership in a global group is still valid when accessing data on a GC in a different domain => it's too much to explain the Kerberos authentication process here in great detail, but you'd always first be authenticated against a DC of your proper domain, giving you a ticket granting ticket etc. This is where you enter your username/PW to tell the system who you are - it will then validate you and see which groups you are in. Via the trust between the domains, that authentication is also valid against the GC of the other domain, but it will generate a service ticket valid for its domain. This service ticket won't contain the DLGs of the other domains, but it will contain the GGs of your domain, the UGs of any domain AND it will add the DLGs of its own domain to this service ticket.
 
Checking the perms is then the authorization process, by which your previously generated Kerberos ticket is leveraged by the OS to check what permissions you have on the resource you're trying to access.
 
Do your perms ever get checked against a GC btw?
[Guido Grillenmeier] yes, see above
 
If i have RO perms on the config nc in domA and they get rep'ed to domB, is there a chance a GC from domB would be checked for perms or is it always a local DC on port 389?
[Guido Grillenmeier] Authentication will be done by a DC of your proper domain (domA) + the GC of the trusted domain (domB). Authorization will be done by the resource you're accessing, which would be the GC of domB in this case.
 
Thanks. Your explanation made sense. It helped a lot.
-----Original Message-----
From: Grillenmeier, Guido [mailto:[EMAIL PROTECTED]
Sent: Mon 9/5/2005 2:45 PM
To: [email protected]
Cc:
Subject: RE: [ActiveDir] hide an attribute
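A toy model of the group-scope rule Guido describes above (GGs of the user's own domain, UGs of any domain, DLGs of the resource domain only), added here as an example that is not part of the thread. Domain and group names are constructed, and memberships are simplified to direct entries.

```python
# Added example (not from the thread): which groups land in a Kerberos service
# ticket when a domA user accesses a GC in domB, and why an ACE granted to a
# Global group still applies there while a Domain Local group from domA does not.
from dataclasses import dataclass


@dataclass(frozen=True)
class Group:
    name: str
    domain: str
    scope: str  # "GG" (global), "UG" (universal) or "DLG" (domain local)


def service_ticket_groups(user_domain, memberships, resource_domain):
    """Groups carried in the service ticket for a resource in resource_domain.

    Included: GGs of the user's own domain, UGs of any domain, and DLGs of the
    resource domain. DLGs of any other domain are never included, even if the
    user is a member of them in its home domain.
    """
    ticket = set()
    for g in memberships:
        if g.scope == "GG" and g.domain == user_domain:
            ticket.add(g)
        elif g.scope == "UG":
            ticket.add(g)
        elif g.scope == "DLG" and g.domain == resource_domain:
            ticket.add(g)
    return ticket


def has_read_access(ticket, acl):
    """Authorization step: the resource compares the ticket's groups with its ACL."""
    return any(g in acl for g in ticket)


# Constructed sample: a domA user who is a member of three groups.
GG_READERS = Group("ConfigReaders-GG", "domA", "GG")
DLG_READERS = Group("ConfigReaders-DLG", "domA", "DLG")
UG_ADMINS = Group("ForestAdmins-UG", "domB", "UG")
MEMBERSHIPS = [GG_READERS, DLG_READERS, UG_ADMINS]


def check(resource_domain, acl):
    """Return whether the domA user can read a resource in resource_domain."""
    return has_read_access(service_ticket_groups("domA", MEMBERSHIPS, resource_domain), acl)


if __name__ == "__main__":
    print("GG ACE, read at domB GC:", check("domB", {GG_READERS}))    # True
    print("DLG ACE, read at domB GC:", check("domB", {DLG_READERS}))  # False
    print("DLG ACE, read at domA DC:", check("domA", {DLG_READERS}))  # True
```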
