|
It doesn't even require that, the various builtin well
known "groups" send it for a loop. How can it possibly know when someone may be
interactive or network or what not?
joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Teverovsky Sent: Tuesday, June 27, 2006 8:05 PM To: [email protected] Subject: RE: [ActiveDir] Self vs. the object name / effective permissions I just call it "best
effort". It's totally ineffective over cross forest
trusts. Guy From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of joe Without knowing the
details I would start off by saying effective permissions isn't
the greatest[1] and is very likely to be incorrect because without an
actual security token to work from on the machine that you need to know the
effective rights it is very easy to miss something and not get it right. I
don't even bother looking at effective rights ever, I look at the ACLs myself
and work it through. If you want, email me
the DSACLS dump to my home address and what isn't working and I will give you a
free opinion. :)
joe [1] I was going to say
sucks but I tried to write my own version of it once and it is really really
really hard. -- O'Reilly Active
Directory Third Edition - http://www.joeware.net/win/ad3e.htm From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Bernier, Brandon
(.) Someone came by my cube and said
they were having permission issues. They assigned Self some rights for computer
objects and in ADUC the effective permissions are correct. However, they also
did effective permissions on the name of the computer object and it has
different results….Why is this?? I know Self represents the object…so where is
it getting different permissions from? DSAcls is retrieving correct information
for me, but this seems like a bug to me. - |
Title: Self vs. the object name / effective permissions
