rmscheck, Posts: 290, 06/14/2012 2:03 AM
Anyone know what's the meaning of the first two lines of the output upon viewing a user object's ACL?
Owner: Domain Admins
Group: Domain Users
I figure it's like the NTFS owner, but I would love some clarification. Reason being, I have a user object that shows:
Owner: Domain Admins
Group: Domain Admins
It's different and the user is not a DA, so I'm wondering how that happened, and how do I change it if need be?
Thanks.
List info: http://www.activedir.org/List.aspx
Tony, Posts: 172, 06/14/2012 2:09 AM
I'm guessing the group is the Primary Group ID. Don't have access to AD right now, so can't check.
Tony
From: activedir-owner@xxxxxxxxxxxxxxxx [activedir-owner@xxxxxxxxxxxxxxxx] On Behalf Of Rand Salazar [rmscheck08@xxxxxxxxxxxxxxxx]
Sent: Thursday, 14 June 2012 1:02 p.m.
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: [ActiveDir] DSACLS question
rmscheck, Posts: 290, 06/14/2012 2:16 AM
Yea, I checked that too, unless it's another attribute, but on the Member Of tab, that problem object shows "Domain Users" for the primary group. Hmm..
On Wed, Jun 13, 2012 at 8:05 PM, Tony Murray <tony@xxxxxxxxxxxxxxxx> wrote:
> I'm guessing the group is the Primary Group ID. Don't have access to AD right now, so can't check.
adamsgreene, Posts: 7, 06/26/2012 8:22 PM
Those are the OWNER and primary GROUP of the creator. The primary group is not used. If the creator is an admin, the OWNER will be set to Administrators, Domain Admins, Schema Admins, or Enterprise Admins, depending on the version of Windows and the naming context ( http://technet.microsoft.com/en-us/library/cc772912(v=ws.10).aspx ). If the creator only has delegated access to create objects, the OWNER will show up as the actual user account creating the object. Note that the OWNER listed in the ntsecuritydescriptor of an object has the permission to rewrite the ACL. This is important.
Assume a delegated admin is put into a DelegatedAdmins group which is granted CCDC and WP on computer objects in an OU. If that admin creates a computer, then later is removed from the DelegatedAdmins group, they will not have any access to the computer objects in the OU. However, they will be able to just rewrite the ACL on the computer they created and give themselves permission. This is even more relevant if you ever delegate the ability to create container/OU objects (not recommended).
So if you have delegated admins that are using native tools to create objects, you do need to clean up the OWNER of the objects. Don't worry about the GROUP.
Adam
On Wed, Jun 13, 2012 at 6:14 PM, Rand Salazar <rmscheck08@xxxxxxxxxxxxxxxx> wrote:
> Yea, I checked that too, unless it's another attribute, but on the Member Of tab, that problem object shows "Domain Users" for the primary group. Hmm..
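One way to audit and clean up the owner problem Adam describes, added here as an example (not from the thread, not a Microsoft tool): it lists objects under an OU whose security-descriptor owner (the "Owner:" line dsacls prints) is not one of the expected admin groups, and can set the owner back to Domain Admins. It assumes the RSAT ActiveDirectory module; the OU path and the expected-owner list are placeholders to adjust for your domain.

```powershell
# Added example: audit and reset AD object owners. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'   # placeholder OU, change for your domain
$Domain = (Get-ADDomain).NetBIOSName
# Owners an admin-created object normally has (Administrators / Domain / Enterprise / Schema Admins)
$ExpectedOwners = @("$Domain\Domain Admins", 'BUILTIN\Administrators',
                    "$Domain\Enterprise Admins", "$Domain\Schema Admins")

function Get-UnexpectedOwner {
    param([string]$Base, [string[]]$Expected)
    Get-ADObject -SearchBase $Base -SearchScope Subtree `
        -LDAPFilter '(|(objectClass=computer)(objectClass=user)(objectClass=organizationalUnit))' `
        -Properties nTSecurityDescriptor |
    ForEach-Object {
        $sd = $_.nTSecurityDescriptor
        try {
            # Owner lives in the security descriptor, not in the primaryGroupID attribute
            $owner = $sd.GetOwner([System.Security.Principal.NTAccount]).Value
        } catch {
            # Deleted creator account: the owner is an orphaned SID that no longer resolves
            $owner = $sd.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
        }
        if ($Expected -notcontains $owner) {
            [pscustomobject]@{ DistinguishedName = $_.DistinguishedName; Owner = $owner }
        }
    }
}

function Reset-ObjectOwner {
    param([string]$DistinguishedName, [string]$NewOwner)
    $obj = Get-ADObject -Identity $DistinguishedName -Properties nTSecurityDescriptor
    $sd = $obj.nTSecurityDescriptor
    # Only the owner field changes; the DACL and SACL are written back unchanged
    $sd.SetOwner([System.Security.Principal.NTAccount]$NewOwner)
    Set-ADObject -Identity $DistinguishedName -Replace @{ nTSecurityDescriptor = $sd }
}

# Report first, then reset only the entries you have reviewed
$findings = Get-UnexpectedOwner -Base $SearchBase -Expected $ExpectedOwners
$findings | Format-Table -AutoSize

# Uncomment to take ownership back for everything the report listed:
# $findings | ForEach-Object {
#     Reset-ObjectOwner -DistinguishedName $_.DistinguishedName -NewOwner "$Domain\Domain Admins"
# }
```

Run the report as a Domain Admin; an orphaned SID in the Owner column is the trace of a delegated admin whose account was later deleted, and those objects are worth the same cleanup.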