ldap object access controls

Nadezhda Ivanova nivanova at samba.org
Fri May 4 08:38:22 UTC 2018

Hi William,
Perhaps I don't understand your question, do you mean 
nTSecurityDescriptor? To "see" it you need to be a domain admin or 
provide SD_FLAGS_CONTROL in the request. Also, it's a binary blob. I 
have forgotten if there is a samba tool to display the decoded 
descriptors, there must be. Else some of the python test code can be 

Best Regards,

On 04/18/2018 08:47 AM, William Brown via samba-technical wrote:
> Hi,
> I'm currently trying to understand the samba4/ad ldap object access
> control for search and how to manipulate these.
> Looking at various objects I can't seem to see where AD is storing the
> ACE entries, even though you can "edit" them via ADSI and the like.
> What attribute of the object are the ACE attributes stored in and how
> can I modify these via the ldap interface? Any documentation or
> references about this topic would be excellent,
> Thank you!

More information about the samba-technical mailing list