Have you seen the following:

http://www.windowsitlibrary.com/Content/667/04/2.html
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/controlling_object_visibility.asp

Also look at: http://www.kimberry.co.uk/Downloads/Index.aspx --> "Implementing Server Security focusing on Active Directory® - Active Directory® Security and Delegated Administration"

That presentation also talks about list object mode.

Cheers,
Jorge
________________________________
From: [EMAIL PROTECTED] on behalf of PAUL MAYES
Sent: Wed 12/14/2005 4:07 PM
To: [email protected]
Subject: [ActiveDir] dsHeuristics and list object access mode

dsHeuristics can be used to control whether the 'list contents' ACE has an effect. So if the attribute is set to 001 then this means that if you haven't got list contents permission on a container then you can't see what's under it. Whereas if dsHeuristics is the equivalent of 000 then list contents doesn't matter so much and you can see what's under a container without explicit list contents rights, just as an authenticated user.

At least this is what I've finally arrived at by reading different contradictory sources. I'm still a bit sceptical of all of this; indeed I reckon that somewhere along the various cut and paste jobs someone has got totally the wrong idea. So this has all started me off doing some experimenting...

No matter what state the dsHeuristics attribute is set to, <not set>, 000 or 001 (<not set> being the equivalent of all zeros), removal of the list contents right stops someone looking at what lives under the object. Likewise, granting it lets whoever has the permission go through the contents.

So I'm looking for some clarification from practical experience, as I no longer believe the spin that says you need to set dsHeuristics to 001 (or full 001000..... equivalent) to be able to effectively use or remove the 'list contents' permission. Does list object access mode work irrespective of the third bit of the dsHeuristics value for other people? If it makes no difference, as I'm seeing, what does that value actually do, as it doesn't seem to tie up with what some people are claiming?

Fast environment facts:
Win2003 Ent SP1
Win2003 domain func
Win2000 forest func
dsHeuristics value fiddled with on cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration, ...

This e-mail and any attachment is for authorised use by the intended recipient(s) only.
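As an added example (not code from either poster), a small Python helper that reads and sets the List Object mode flag exactly as the thread describes it: the third character of the dsHeuristics string, with an absent attribute treated as all zeros. It works on constructed sample values and does not contact a domain controller; reading the live value from the Directory Service object is left to whatever LDAP tooling you use.

```python
# Added example: inspect and toggle the List Object mode flag in an Active
# Directory dsHeuristics string. The attribute lives on
#   CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest root>
# and is a character string whose third character switches List Object mode.
# All sample values below are constructed; nothing here talks to a DC.

LIST_OBJECT_POS = 3  # 1-based character position of the List Object mode flag


def list_object_mode_enabled(ds_heuristics):
    """Return True when the third character of dsHeuristics is '1'.

    An absent attribute (None or empty string) and any string shorter than
    three characters behave like all zeros, i.e. List Object mode off.
    """
    if not ds_heuristics or len(ds_heuristics) < LIST_OBJECT_POS:
        return False
    return ds_heuristics[LIST_OBJECT_POS - 1] == "1"


def set_list_object_mode(ds_heuristics, enabled):
    """Return a new dsHeuristics string with the flag set or cleared.

    Other positions are preserved; a short or missing value is zero-padded
    so the flags already present are not shifted to a different position.
    """
    chars = list((ds_heuristics or "").ljust(LIST_OBJECT_POS, "0"))
    chars[LIST_OBJECT_POS - 1] = "1" if enabled else "0"
    return "".join(chars)


def audit(samples):
    """Map each sample dsHeuristics value (as repr) to its List Object state."""
    return {repr(v): list_object_mode_enabled(v) for v in samples}


if __name__ == "__main__":
    # Constructed values covering the states discussed in the thread:
    # <not set>, empty, 000, 001, and a longer string with the flag set.
    for value, state in audit([None, "", "000", "001", "0010000001"]).items():
        print(f"dsHeuristics={value:<14} List Object mode: {'on' if state else 'off'}")
```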
