Windows Thread: Permissions Inheritance (Technical)
  1. #1 meastaugh1

    Permissions Inheritance

    I've created a new OU under the root of the domain, in which to store some contacts I only want certain users to be able to access.

    I changed the NTFS permissions of the OU to stop inheriting permissions from the parent, then removed entries such as Authenticated Users - Read. However, when I create a new contact in the OU, it still gets an ACE for Authenticated Users - Read.

    I assume this entry is coming from some default ACL, but I don't know where?

    thanks
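    Where that Authenticated Users entry comes from can be checked directly. Active Directory builds a new object's security descriptor from the defaultSecurityDescriptor attribute of the object's class in the schema (for a contact, the classSchema object whose lDAPDisplayName is "contact") merged with the inheritable ACEs of the parent container; blocking inheritance at the OU therefore only removes the inherited part, and the explicit ACEs stamped from the schema default stay. The PowerShell below is an added example, not code from the thread: it reads the contact class default, then lists the explicit (non-inherited) ACEs on a contact so the two can be compared. The RSAT ActiveDirectory module, a domain-joined session, and the placeholder contact DN are assumptions.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module on a
# domain-joined machine; the contact DN near the end is a placeholder to replace with a real one.
Import-Module ActiveDirectory

# Return the ACEs that the schema stamps on every new object of the given class.
function Get-ClassDefaultAces {
    param([Parameter(Mandatory)][string]$ClassLdapDisplayName)

    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    $class = Get-ADObject -SearchBase $schemaNc `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$ClassLdapDisplayName))" `
        -Properties defaultSecurityDescriptor
    if (-not $class) { throw "No classSchema object with lDAPDisplayName '$ClassLdapDisplayName'" }

    # defaultSecurityDescriptor is stored as an SDDL string made of entries such as
    # "(A;;RPLCLORC;;;AU)" (Allow; read property, list children, list object, read control;
    # Authenticated Users). Parsing it through ActiveDirectorySecurity resolves the
    # two-letter SID aliases (AU, DA, SY, ...) against the current domain.
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($class.defaultSecurityDescriptor)
    $sd.GetAccessRules($true, $false, [System.Security.Principal.NTAccount]) |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
}

# Return the explicit (non-inherited) ACEs on an existing object, i.e. the ones that did not
# arrive from the parent OU and so are untouched by blocking inheritance there.
function Get-ExplicitAces {
    param([Parameter(Mandatory)][string]$ObjectDn)
    (Get-Acl -Path "AD:\$ObjectDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritanceType
}

Write-Host "Schema default ACEs for class 'contact':"
Get-ClassDefaultAces -ClassLdapDisplayName 'contact' | Format-Table -AutoSize

# Placeholder DN (assumption): a freshly created contact in the restricted OU.
$contactDn = 'CN=Test Contact,OU=Private Contacts,DC=example,DC=com'
Write-Host "Explicit ACEs on $contactDn (expect the same principals as the schema default):"
Get-ExplicitAces -ObjectDn $contactDn | Format-Table -AutoSize
```

    The second listing should show the same principals as the first, Authenticated Users included, while an ACE you removed at the OU level does not reappear because that one would have been inherited. Changing defaultSecurityDescriptor on the contact class would alter the default for every contact in the forest, so the usual alternative is to fix the explicit ACEs on the objects themselves after creation.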

  2. #2 Geoff

    Re: Permissions Inheritance

    The domain controller. It's preventing you from breaking Active Directory.

  3. #3 djm968

    Re: Permissions Inheritance

    You could try adding the deny permission for the other security group.

  4. #4 meastaugh1

    Re: Permissions Inheritance

    Quote Originally Posted by Geoff
    The domain controller. It's preventing you from breaking Active directory.
    I can manually remove the ACEs that are allocated to the objects by default, so why can I not specify this at the OU level?

    Quote Originally Posted by djm968
    You could try adding the deny permission for the other security group
    That's probably doable, but I'd rather just allocate access to users who need it, rather than allocate to everyone then try to stop access.

    thanks
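    The allow-only approach is the safer of the two, and there is a concrete reason the deny suggestion is weaker than it looks: Windows evaluates ACEs in canonical order, explicit entries before inherited ones, so an inheritable Deny placed on the OU lands on each contact as an inherited ACE and loses to the explicit Allow for Authenticated Users that the schema default stamped on the object. The only reliable fix is to remove or replace that explicit entry on each contact. The following PowerShell is an added example, not code from the thread: it strips the explicit broad allows (Authenticated Users, Everyone) from every contact in an OU, grants read to one named group, and then audits the OU for contacts that are still readable by everyone. The ActiveDirectory module, the OU DN and the group name are assumptions.

```powershell
# Added example, not code from the thread. Assumes the RSAT ActiveDirectory module; the OU and
# group names are placeholders to replace with your own.
Import-Module ActiveDirectory

$OuDn        = 'OU=Private Contacts,DC=example,DC=com'   # assumption
$ReaderGroup = 'EXAMPLE\Contact Readers'                  # assumption

# Well-known SIDs that amount to "anyone who can bind to the directory".
$BroadSids = @('S-1-5-11', 'S-1-1-0')   # Authenticated Users, Everyone

function Get-AceSid {
    # Translate an ACE's identity to a SID string; $null if it cannot be resolved (orphaned SID).
    param($Ace)
    try { $Ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
    catch { $null }
}

function Set-ContactReadAcl {
    param(
        [Parameter(Mandatory)][string]$ObjectDn,
        [Parameter(Mandatory)][string]$ReaderGroup
    )
    $path = "AD:\$ObjectDn"
    $acl  = Get-Acl -Path $path

    # Remove only the explicit (non-inherited) broad allows; inherited ones are the OU's business.
    # Snapshot with @() first because we modify the collection while iterating.
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited -and (Get-AceSid $_) -in $BroadSids })) {
        [void]$acl.RemoveAccessRuleSpecific($ace)
    }

    # One explicit Allow for the intended readers; GenericRead covers read property,
    # list children, list object and read control.
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        (New-Object System.Security.Principal.NTAccount($ReaderGroup)),
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
}

function Test-ContactExposure {
    # Report, per contact in the OU, whether a broad principal still holds an Allow and
    # whether that Allow is explicit (from the schema default) or inherited (from the OU).
    param([Parameter(Mandatory)][string]$OuDn)
    Get-ADObject -SearchBase $OuDn -SearchScope OneLevel -LDAPFilter '(objectClass=contact)' |
        ForEach-Object {
            $broad = (Get-Acl -Path "AD:\$($_.DistinguishedName)").Access |
                Where-Object { $_.AccessControlType -eq 'Allow' -and (Get-AceSid $_) -in $BroadSids }
            [pscustomobject]@{
                Contact       = $_.Name
                ReadableByAll = [bool]$broad
                ExplicitAces  = @($broad | Where-Object { -not $_.IsInherited }).Count
                InheritedAces = @($broad | Where-Object { $_.IsInherited }).Count
            }
        }
}

Get-ADObject -SearchBase $OuDn -SearchScope OneLevel -LDAPFilter '(objectClass=contact)' |
    ForEach-Object { Set-ContactReadAcl -ObjectDn $_.DistinguishedName -ReaderGroup $ReaderGroup }

Test-ContactExposure -OuDn $OuDn | Format-Table -AutoSize
```

    Two caveats a practitioner would want. First, this only fixes contacts that already exist: every contact created later is stamped with the schema default again, so either rerun the script after creating contacts or wrap creation in it. Second, the audit looks only at Allow entries for Authenticated Users and Everyone; a group that contains all users would pass the check while still exposing the contacts, so review the remaining principals in the listing rather than trusting the ReadableByAll column alone.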

  5. #5 Geoff

    Re: Permissions Inheritance

    Quote Originally Posted by meastaugh1
    I can manually remove the ACEs that are allocated to the objects by default, so why can I not specify this at the OU level?
    While it (barely) makes sense to prevent AD objects from being replicated by removing read permissions from them, preventing replication of an entire OU will cause the ntfrs service to generate replication errors.

  6. #6 meastaugh1

    Re: Permissions Inheritance

    Quote Originally Posted by Geoff
    I can manually remove the ACEs that are allocated to the objects by default, so why can I not specify this at the OU level?
    While it (barely) makes sense to prevent AD objects from being replicated by removing read permissions from them, preventing replication of an entire OU will cause the ntfrs service to generate replication errors.
    My understanding was that FRS operated in the system context, is that not the case? I've found that objects without Authenticated Users-Read still replicate fine.

  7. #7 Geoff

    Re: Permissions Inheritance

    No it operates as the Network Service user. System has no access to the network.

  8. #8 ajbritton

    Re: Permissions Inheritance

    Quote Originally Posted by Geoff
    System has no access to the network.
    Not quite true, System has at least ANONYMOUS access to the network, if not EVERYONE.

  9. #9 meastaugh1

    Re: Permissions Inheritance

    My test contact has the following permissions set:
    Administrators: All but full control
    Domain and Enterprise Admins: Full Control
    Exchange Enterprise Servers: Special
    System: Full Control

    This object was replicated across the 3 DCs fine. Should that not be working then?

  10. #10 Geoff

    Re: Permissions Inheritance

    You gave Enterprise Admins Full Control.

  11. #11 meastaugh1

    Re: Permissions Inheritance

    OK, I removed all entries from my test contact's ACL except an administrator user; it still replicated changes made to the contact.
