RE: [ActiveDir] Applying Permissions to 'cn=Schema' Container

[neil.ruston]

The Schema FSMO role object detail is stored in the fsmoRoleOwner attribute of the Schema container object. If you want to delegate the right to change the role holder, that person needs write access to that attribute and hence that object.

 

It's really that simple :)

 

Does that help?

 

neil

---

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ivan Levendyan
Sent: 08 November 2006 17:06
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Applying Permissions to 'cn=Schema' Container

Hi All !

 

While reading Best Practices for Delegating Active Directory Administration
(http://www.microsoft.com/downloads/details.aspx?familyid=631747a3-79e1-48fa-9730-dae7c0a1d6d3&displaylang=en, http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en)
I can see that MSFT recommends using the following permissions while delegating 'Operation Master Roles Management':

 

Seize the Schema Master Role

WP on cn=Schema, cn=Configuration, dc=<ForestRootDomain> to modify the fSMORoleOwner attribute

Extended Right Change-Schema-Master on cn=Schema, cn=Configuration, dc=<ForestRootDomain>

 

The same thing (applying permissions to 'cn=Schema') I can see in many other recommendations there.

Why it is required to apply permissions directly to 'cn=Schema' container and are there any other solutions?

 

Thanks, Ivan.

 

 

PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments. NIplc

does not provide investment services to private customers. Authorised and

regulated by the Financial Services Authority. Registered in England

no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP. A member of the Nomura group of companies.