Yeah what I was doing was setting a FC ACE for connection objects only. If
you want to cover multiple objects for this you would need to specify
multiple objectclasses which would result in multiple ACEs which is not a
good option. Which means, use a different tool as the bugs in the current
version of LDP make that difficult for this specific task. In my tests, I
was specifically using LDP from ADAM SP1. But for what you want to do, use
ADUC or DSACLS.

As an aside, I emailed Matheesha directly a little while ago when my first
email was lost in limbo waiting to be sent out by the list. A version of LDP
that doesn't have this issue should be in Longhorn when it is released. The
developer quickly fixed the first bug I mentioned this morning after I
pinged him and it seems the second bug had already been corrected. This,
folks, is the power of this list... Take note.

I am not entirely positive what the "Access system security" is supposed to
be... This is not an issue in later versions of LDP...

I would say read the chapters on security in the AD book, then if you don't
have it, get and read Sakari's book as that has a great chapter on AD
security and then finally if you still want to learn more, wander into the
MSDN library and start reading about Security Descriptors, Access Control
Lists, and Access Control Entries. Once you understand the structures and
how they are represented a lot of the security stuff starts making more and
more sense.

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
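
As an added example (not from the thread or any of its posters), the Python below decodes AD access masks and SDDL ACE strings to illustrate two points raised in this thread: why "Full Control" (GA) does not include Access System Security and why there is no SDDL string for it, and how an inherit-only, object-type-specific ACE differs from the stray non-inheritable one produced by bug 2. The GUID and SID in the sample are constructed placeholders, not the real nTDSConnection schemaIDGUID or a real account.

```python
import re
# Access-mask bits and their SDDL two-letter tokens (MS-DTYP / MS-ADTS).
# ACCESS_SYSTEM_SECURITY (0x01000000) has no token: SDDL defines no
# abbreviation for it, which is the "missing string" noted in the thread.
RIGHTS = [
    (0x00000001, "CC"), (0x00000002, "DC"), (0x00000004, "LC"),
    (0x00000008, "SW"), (0x00000010, "RP"), (0x00000020, "WP"),
    (0x00000040, "DT"), (0x00000080, "LO"), (0x00000100, "CR"),
    (0x00010000, "SD"), (0x00020000, "RC"), (0x00040000, "WD"),
    (0x00080000, "WO"), (0x10000000, "GA"), (0x20000000, "GX"),
    (0x40000000, "GW"), (0x80000000, "GR"),
]
ACCESS_SYSTEM_SECURITY = 0x01000000
# AD's generic mapping expands GENERIC_ALL ("Full Control") to every
# DS-specific and standard right, 0x000F01FF; ACCESS_SYSTEM_SECURITY,
# which governs SACL access, is not among them.
DS_GENERIC_ALL = 0x000F01FF

def decode_mask(mask):
    """Split an access mask into SDDL tokens plus any bits SDDL cannot name."""
    tokens = [tok for bit, tok in RIGHTS if mask & bit]
    unnamed = mask & ~sum(bit for bit, _ in RIGHTS) & 0xFFFFFFFF
    return tokens, unnamed

def full_control_grants_sacl_access(mask=DS_GENERIC_ALL):
    """Answers the thread's question: does Full Control include it? (No.)"""
    return bool(mask & ACCESS_SYSTEM_SECURITY)

# SDDL ACE: (type;flags;rights;object_guid;inherit_object_guid;trustee)
SDDL_ACE = re.compile(r"^\((\w*);(\w*);([^;]*);([^;]*);([^;]*);([^)]*)\)$")

def describe_ace(ace):
    """Decode one SDDL ACE; the flags show whether it is inherit-only and
    the inherit_object_guid shows which object class it applies to."""
    typ, flags, rights, oguid, iguid, trustee = SDDL_ACE.match(ace).groups()
    flag_list = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    return {
        "type": typ, "flags": flag_list,
        "inherit_only": "IO" in flag_list,
        "inherit_object_guid": iguid or None,
        "rights": rights, "trustee": trustee,
    }
# Constructed sample: placeholder GUID and SID, NOT the real schemaIDGUID of
# nTDSConnection or a real account. Mirrors the dsacls listing in the thread:
# the intended inherit-only ACE plus the stray non-inheritable one (bug 2).
CLASS_GUID = "11111111-2222-3333-4444-555555555555"
JOE_SID = "S-1-5-21-1-2-3-1104"
INTENDED_ACE = f"(OA;CIIO;GA;;{CLASS_GUID};{JOE_SID})"
STRAY_ACE = f"(A;;GA;;;{JOE_SID})"
```
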
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Monday, July 24, 2006 2:03 PM
To: [email protected]
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Joe

Joe, I see you were configuring Full Control (GA) for nTDSConnection
objects by configuring perms on the parent nTDSDSA object. I was
trying to actually configure full control to the nTDSDSA using perms
on the CN=Sites object but the principal is the same I guess. The only
thing is nTDSConnection objects can't have child objects can they?
Still I am having some issues repro'ing. You said your workaround was
to configure on the object types. Did you mean to configure explicitly
on the object or on the parent with the child's object type specified
in the ACE? I can't repro here and I am not sure whether you used
dsacls or ldp to repro.

And why does it not choose the "Access System Security" option when
you edit a Full Control ACE? Is that expected? I thought full control
meant everything. Not everything but "Access System Security".

Also how come there is no string defined for "Access System Security"?
There is for all other access masks.

I freely admit I know very little in this arena. Any lesson offered is
most appreciated. I am already reading technet and many books by the
fine guys on here. I just haven't finished them yet ;-)

Thanks to everyone who's read this so far and for all the help I am
offered. I truly appreciate it.

Sincerely

M@


On 7/24/06, joe <[EMAIL PROTECTED]> wrote:
> Beautiful, this is bug week....
>
> There are actually two bugs here.
>
> 1. The inherit only check box is greyed out. This is the checkbox you would
> need to check in order to specify an inherit only ACE (i.e. Child Objects
> Only).
>
> 2. When you try to work around it and specify the actual object types to
> inherit to it creates two ACEs instead of one. The first ACE is the FC
> inherit only to the object class you specify but then there is also a FC to
> the object itself. In the example below note the TEST\joe ACEs... I only
> added a single FC for nTDSConnection objects for test\joe but got that AND
> the non-inheritable Test\joe FC on the object itself.
>
>
> G:\>dsacls "\\r2dc1\CN=NTDS Settings,CN=R2DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=test,DC=loc"
> Access list:
> Effective Permissions on this object are:
> Allow TEST\joe                          FULL CONTROL
> Allow TEST\Domain Admins                SPECIAL ACCESS
>                                        DELETE
>                                        READ PERMISSONS
>                                        WRITE PERMISSIONS
>                                        CHANGE OWNERSHIP
>                                        CREATE CHILD
>                                        LIST CONTENTS
>                                        WRITE SELF
>                                        WRITE PROPERTY
>                                        READ PROPERTY
>                                        DELETE TREE
>                                        LIST OBJECT
>                                        CONTROL ACCESS
> Allow NT AUTHORITY\Authenticated Users  SPECIAL ACCESS
>                                        READ PERMISSONS
>                                        LIST CONTENTS
>                                        READ PROPERTY
>                                        LIST OBJECT
> Allow NT AUTHORITY\SYSTEM               FULL CONTROL
> Allow TEST\Domain Admins                FULL CONTROL   <Inherited from
> parent>
> Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from
> parent>
>
> Permissions inherited to subobjects are:
> Inherited to all subobjects
> Allow TEST\Domain Admins                FULL CONTROL   <Inherited from
> parent>
> Allow TEST\Enterprise Admins            FULL CONTROL   <Inherited from
> parent>
>
> Inherited to nTDSConnection
> Allow TEST\joe                          FULL CONTROL
> The command completed successfully
>
>
>
> So in order to generate a generic FC that is only inherited, you can't,
> because of bug 1 do it with LDP. If you want to create an ACE for a specific
> objectclass (which nTDSConnection should be ok in terms of what you are
> trying to delegate) it can do it but you have to go back and clean up the
> additional ACE created by bug 2.
>
>
> I will alert MSFT.
>
>   joe
>
>
>
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
> Weerasinghe
> Sent: Monday, July 24, 2006 8:12 AM
> To: [email protected]
> Subject: [ActiveDir] ldp in ADAM-SP1
>
> All
>
> Could someone with more experience with ldp provided with ADAM-SP1
> tell me how I would go about configuring inherit-only Full Control
> permissions on nTDSDSA objects in the
> CN=Sites,CN=Configuration,DC=ForestFQDN ? The inherit-only perms
> option is grayed out here and I don't know how to do it.
>
> Based on joe's comments I assumed the ldp.exe's ACL editor is the most
> comprehensive and capable ACL gui editor available. I must be doing
> something wrong here so I would appreciate some help.
>
> Regards
>
> M@
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx