The 3rd bit controls the "list object" behaviour, not "list contents". The
former is only available to use in an ACE if the 3rd bit is set to 1. If it's
set to 0 or "not set" then "list contents" is available but not "list object".
This article explains further.
neil
PS I tested this quickly and it works as described above.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of PAUL MAYES
Sent: 14 December 2005 15:07
To: [email protected]
Subject: [ActiveDir] dsHeuristics and list object access mode
dsHeuristics can be used to control whether the 'list
contents' ACE has an effect. So if the attribute is set to 001 then this means
that if you haven't got list contents permission on a container then you can't
see what's under it. Whereas if dsHeuristics is the equivalent of 000 then list
contents doesn't matter so much and you can see what's under a container without
explicit list contents rights just as an authenticated user.
At least this is what I've finally arrived at by reading different
contradictory sources. I'm still a bit sceptical about all of this, indeed I reckon
that somewhere along the various cut and paste jobs someone has got totally the
wrong idea. So this has all started me off doing some
experimenting.........
No matter what state the dsHeuristics attribute is set to (<not set>,
000 or 001; <not set> being the equivalent of all zeros), removal of the
list contents right stops someone looking
at what lives under the object. Likewise granting it lets whoever has the
permission go through the contents.
So I'm looking for some clarification from practical experience as I no
longer believe the spin that says you need to set dsHeuristics to 001 (or full
001000..... equivalent) to be able to effectively use or remove the 'list
contents' permission.
Does list object access mode work irrespective of the third bit of the
dsHeuristics value for other people?
If it makes no difference, as I'm seeing, what does that value actually do
as it doesn't seem to tie up with what some people are claiming?
fast environment facts:
Win2003 Ent SP1
Win2003 domain func
Win2000 forest func
dsHeuristics value fiddled with on
cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, ...
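
A small model of the behaviour discussed in this thread, added here as an illustration and not part of either message or of any Microsoft code: it reads the third character of dsHeuristics and shows that "List Contents" decides visibility in every mode while "List Object" only counts when that character is 1. The function names and sample ACL layouts are hypothetical, and the rule that List Object must be granted on both the container and the child is an assumption about the directory's visibility check.

```python
# Added illustration; a constructed model, not directory service code.
LIST_CONTENTS = 0x04   # ADS_RIGHT_ACTRL_DS_LIST ("List Contents")
LIST_OBJECT = 0x80     # ADS_RIGHT_DS_LIST_OBJECT ("List Object")


def list_object_mode(ds_heuristics):
    """True when the third character of dsHeuristics is '1'.

    An unset attribute (None) or a value shorter than three characters
    behaves like all zeros.
    """
    value = ds_heuristics or ""
    return len(value) >= 3 and value[2] == "1"


def is_visible(ds_heuristics, parent_rights, object_rights):
    """Decide whether a child object shows up for the requester.

    parent_rights / object_rights are the access masks granted to the
    requester on the container and on the child (hypothetical inputs;
    a real check evaluates the full DACLs).
    """
    if parent_rights & LIST_CONTENTS:
        return True                      # honoured in every mode
    if not list_object_mode(ds_heuristics):
        return False                     # List Object ACEs are ignored
    # Assumption: List Object is needed on both parent and child.
    return bool(parent_rights & LIST_OBJECT and object_rights & LIST_OBJECT)


def visibility_matrix():
    """Constructed cases: every mode against three ACL layouts."""
    cases = {
        "list contents on parent": (LIST_CONTENTS, 0),
        "no list rights": (0, 0),
        "list object on parent+child": (LIST_OBJECT, LIST_OBJECT),
    }
    return {
        (mode, name): is_visible(mode, *rights)
        for mode in (None, "000", "001")
        for name, rights in cases.items()
    }


if __name__ == "__main__":
    for key, visible in visibility_matrix().items():
        print(key, "->", "visible" if visible else "hidden")
```

Only the last layout changes between modes: it is hidden for an unset value or 000 and visible for 001.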
