Beautiful, this is bug week....
There are actually two bugs here.
1. The inherit only check box is greyed out. This is the checkbox you would
need to check in order to specify an inherit only ACE (i.e. Child Objects
Only).
2. When you try to work around it and specify the actual object types to
inherit to it creates two ACEs instead of one. The first ACE is the FC
inherit only to the object class you specify but then there is also a FC to
the object itself. In the example below note the TEST\joe ACEs... I only
added a single FC for nTDSConnection objects for test\joe but got that AND
the non-inheritable Test\joe FC on the object itself.
G:\>dsacls "\\r2dc1\CN=NTDS
Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configur
ation,DC=test,DC=loc"
Access list:
Effective Permissions on this object are:
Allow TEST\joe FULL CONTROL
Allow TEST\Domain Admins SPECIAL ACCESS
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
DELETE TREE
LIST OBJECT
CONTROL ACCESS
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow TEST\Domain Admins FULL CONTROL <Inherited from
parent>
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from
parent>
Permissions inherited to subobjects are:
Inherited to all subobjects
Allow TEST\Domain Admins FULL CONTROL <Inherited from
parent>
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from
parent>
Inherited to nTDSConnection
Allow TEST\joe FULL CONTROL
The command completed successfully
So in order to generate a generic FC that is only inherited, you can't,
because of bug 1 do it with LDP. If you want to create an ACE for a specific
objectclass (which nTDSConnection should be ok in terms of what you are
trying to delegate) it can do it but you have to go back and clean up the
the additional ACE created by bug 2.
I will alert MSFT.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 8:12 AM
To: [email protected]
Subject: [ActiveDir] ldp in ADAM-SP1
All
Could someone with more experience with ldp provided with ADAM-SP1
tell me how I would go about configuring inherit-only Full Control
permissions on nTDSDSA objects in the
CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
options is grayed out here and I dont know how to do it.
Based on joe's comments I assumed the ldp.exe's ACL editor is the most
comprehensive and capable ACL gui editor available. I must be doing
something wrong here so I would appreciate some help.
Regards
M@
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
