SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

by Bill Wesse

Good day Nadya (please let me know if I am using your name correctly)!

 

I have created case SRX090922600157, in order to track our work concerning your questions (shown below). Hopefully, we have not missed anything you are enquiring after.

 

1. Why are the domain admins also provided full permissions if not needed for replication?

2. Is this for the administrative purposes only? 

 

7.1.1.1.2 Config NC Root

7.1.1.1.3 Schema NC Root

7.1.1.1.4 Domain NC Root

In order for D2 to replicate the NC, D2 must be granted the following rights on the NC root...

 

 

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200

CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

 


_______________________________________________
cifs-protocol mailing list
cifs-protocol@...
https://lists.samba.org/mailman/listinfo/cifs-protocol

Re: SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

by Bill Wesse

Hello again – here is a ‘short form’ answer to your questions:

 

I confirm the Domain Administrators group is granted full permissions on the various naming contexts for the purposes of administration, for example, restoring deleted objects, as well as granting replication permissions for other accounts.

 

I will visit this in depth, and will follow up with my findings.

 

Regards,
Bill Wesse

From: Bill Wesse
Sent: Tuesday, September 22, 2009 12:48 PM
To: 'nadezhda.ivanova@...'
Cc: 'cifs-protocol@...'
Subject: SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

 


Re: SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

by Bill Wesse

Good afternoon Nadya!

 

I have provided below a set of links for information that pertains to Active Directory permissions. There does not appear to be a specific guide for what the default permissions are on a given Active Directory object, other than the Schema documents available at the following link. Please let me know if you have any specific questions concerning these that I have not already answered.

 

If you have no further questions, I will consider your question resolved.

 

Using the Windows Server Protocols documentation set to better understand the Active Directory Schema

http://blogs.msdn.com/openspecification/archive/2009/06/26/using-the-windows-server-protocols-documentation-set-to-better-understand-the-active-directory-schema.aspx

 

For example, there are 232 defaultSecurityDescriptor (SDDL formatted) attributes in MS-AD_Schema_2K8_R2_Consolidated.txt (which is in the Schemas.zip attachment to the blog entry).

 

Understanding security descriptor defaulting rules for Active Directory objects

http://blogs.msdn.com/openspecification/archive/2009/08/28/understanding-security-descriptor-defaulting-rules-for-active-directory-objects.aspx

 

Active Directory Technical Specification Control Access Rights Concordance

http://blogs.msdn.com/openspecification/archive/2009/08/19/active-directory-technical-specification-control-access-rights-concordance.aspx

 

How to Use Dsacls.exe in Windows Server 2003 and Windows 2000

http://support.microsoft.com/default.aspx/kb/281146

 

Regards,
Bill Wesse

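Added example, not part of any message in this thread and not Microsoft or Samba code: a small Python audit of an SDDL-formatted DACL, such as a defaultSecurityDescriptor value or an NC root descriptor, that separates trustees holding full control from trustees holding only the replication control access rights discussed above. The sample descriptor is constructed for illustration, and the names `audit_dacl` and `parse_mask` are hypothetical.

```python
import re

# SDDL two-letter rights and their directory-object access-mask bits.
RIGHTS = {"CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
          "DT": 0x40, "LO": 0x80, "CR": 0x100, "SD": 0x10000, "RC": 0x20000,
          "WD": 0x40000, "WO": 0x80000, "GA": 0x10000000}
FULL_CONTROL = 0x000F01FF  # every right in the table above except GA
REPLICATION = {  # rightsGuid values of the replication control access rights
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ab-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Synchronize",
    "1131f6ac-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Manage-Topology",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
}

# Constructed sample, not the shipped default descriptor of any NC root.
SAMPLE_SDDL = (
    "O:DAG:DAD:(A;;RPLCLORC;;;AU)"
    "(A;CI;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ab-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DD)"
    "(A;CIIO;GA;;;CO)"
)

def parse_mask(rights):
    """Turn an SDDL rights field (hex or two-letter codes) into a bit mask."""
    if rights.lower().startswith("0x"):
        return int(rights, 16)
    mask = 0
    for code in re.findall("..", rights):
        mask |= RIGHTS[code]  # KeyError for codes outside this table
    return mask

def audit_dacl(sddl):
    """Map each trustee to the notable rights its effective allow ACEs grant."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl).group(1)
    found = {}
    for ace in re.findall(r"\(([^)]*)\)", dacl):
        kind, flags, rights, obj_guid, _inherit_guid, trustee = ace.split(";")[:6]
        if kind not in ("A", "OA") or "IO" in re.findall("..", flags):
            continue  # skip deny/audit ACEs and inherit-only ACEs
        mask = parse_mask(rights)
        labels = found.setdefault(trustee, set())
        if not obj_guid and ((mask & RIGHTS["GA"]) or (mask & FULL_CONTROL) == FULL_CONTROL):
            labels.add("full control")
        if mask & (RIGHTS["CR"] | RIGHTS["GA"]):  # no GUID means every control access right
            name = REPLICATION.get(obj_guid.lower(), "other control access right")
            labels.add(name if obj_guid else "all control access rights")
    return {t: sorted(l) for t, l in found.items() if l}
```

In the sample, the full-control ACE for DA carries CR with no object GUID, so it also covers every replication right, while ED and DD hold only the individual rights named by their object ACEs.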
Re: SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

by Nadezhda Ivanova-2

Hi Bill,

Thanks, I will be able to review this information next week and will let you know if it is enough.

 

Regards,

Nadya

 


From: Bill Wesse [mailto:billwe@...]
Sent: Friday, September 25, 2009 9:04 PM
To: Nadezhda Ivanova
Cc: cifs-protocol@...
Subject: RE: SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

 


Re: SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

by Bill Wesse

You’re welcome – I will stand by!

 

Regards,
Bill Wesse

 

From: Nadezhda Ivanova [mailto:nadezhda.ivanova@...]
Sent: Monday, September 28, 2009 8:28 AM
To: Bill Wesse
Cc: cifs-protocol@...
Subject: RE: SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

 
