[cifs-protocol] SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

Bill Wesse billwe at microsoft.com
Fri Sep 25 12:04:01 MDT 2009 

Good afternoon Nadya!

I have provided below a set of links for information that pertains to Active Directory permissions. There does not appear to be a specific guide for what the default permissions on a given Active Directory object, other than the Schema documents available at the following link. Please let me know if you have any specific questions concerning these that I have not already answered.

If you have no further questions, I will consider your question resolved.

Using the Windows Server Protocols documentation set to better understand the Active Directory Schema
http://blogs.msdn.com/openspecification/archive/2009/06/26/using-the-windows-server-protocols-documentation-set-to-better-understand-the-active-directory-schema.aspx

For example, there are 232 defaultSecurityDescriptor (SDDL formatted) attributes in MS-AD_Schema_2K8_R2_Consolidated.txt (which is in the Schemas.zip attachment to the blog entry).

Understanding security descriptor defaulting rules for Active Directory objects
http://blogs.msdn.com/openspecification/archive/2009/08/28/understanding-security-descriptor-defaulting-rules-for-active-directory-objects.aspx

Active Directory Technical Specification Control Access Rights Concordance
http://blogs.msdn.com/openspecification/archive/2009/08/19/active-directory-technical-specification-control-access-rights-concordance.aspx

How to Use Dsacls.exe in Windows Server 2003 and Windows 2000
http://support.microsoft.com/default.aspx/kb/281146

Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

From: Bill Wesse
Sent: Tuesday, September 22, 2009 12:48 PM
To: 'nadezhda.ivanova at postpath.com'
Cc: 'cifs-protocol at samba.org'
Subject: SRX090922600157 : [MS-ADTS] 7.1.1.1 Naming Contexts Domain Admins Permissions

Good day Nadya (please let me know if I am using your name correctly)!

I have created case SRX090922600157, in order to track our work concerning your questions (shown below). Hopefully, we have not missed anything you are enquiring after.

1. Why are the domain admins also provided full permissions if not needed for replication?
2. Is this for the administrative purposes only?

7.1.1.1.2 Config NC Root
7.1.1.1.3 Schema NC Root
7.1.1.1.4 Domain NC Root
In order for D2 to replicate the NC, D2 must be granted the following rights on the NC root...


Regards,
Bill Wesse
MCSE, MCTS / Senior Escalation Engineer, US-CSS DSC PROTOCOL TEAM
8055 Microsoft Way
Charlotte, NC 28273
TEL:  +1(980) 776-8200
CELL: +1(704) 661-5438
FAX:  +1(704) 665-9606

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.samba.org/pipermail/cifs-protocol/attachments/20090925/fda41213/attachment.html>

More information about the cifs-protocol mailing list