What are the two basic classes of Active Directory objects

Having a good knowledge of the different Naming Contexts that Active Directory implements and how they are structured is important with respect to the origin of the GUID number contained in the ACE ObjectType property.

All Active Directory objects support a standard set of access rights, listed in Table 4.14. You can use these access rights in the ACE AccessMask of an object's security descriptor to control access at the object level. However, some object classes require an access control that the standard access rights do not provide. For such cases, Active Directory lets you extend the standard access control mechanism and exercise more granular control over specific Active Directory objects and attributes. An Active Directory Extended Right is an Active Directory object created from the controlAccessRight object class. All Active Directory Extended Rights are located in the “CN=Extended-Rights” container of the Active Directory Configuration naming context. To correctly decipher an ACE that refers to an Active Directory Extended Right, we must distinguish between the different Extended Rights types. The type is determined by the validAccesses attribute value defined in each controlAccessRight object created in the “CN=Extended-Rights” container. There are three Extended Rights types:

The Extended Rights enforced by Active Directory: These Extended Rights are enforced by Active Directory to grant (or deny) a read or write operation on an Active Directory property set. A validAccesses attribute value of 0x30 (ADS_RIGHT_DS_READ_PROP or ADS_RIGHT_DS_WRITE_PROP) defines this type of Extended Right. They have an ACE Type set to one of these three values: ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, ADS_ACETYPE_ACCESS_DENIED_OBJECT, or ADS_ACETYPE_SYSTEM_AUDIT_OBJECT. The ACE AccessMask value is a logical combination of the ADS_RIGHT_DS_READ_PROP and ADS_RIGHT_DS_WRITE_PROP flags (see Table 4.14).

The Extended Rights enforced by applications: These rights are enforced by applications, which could be, for instance, Exchange 2000, Outlook 2000, or the system itself but not Active Directory. A validAccesses attribute value of 0x100 (ADS_RIGHT_DS_CONTROL_ACCESS) defines this type of Extended Rights. They have an ACE Type set to one of these three values: ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, ADS_ACETYPE_ACCESS_DENIED_OBJECT, or ADS_ACETYPE_SYSTEM_AUDIT_OBJECT. They have an ACE AccessMask value equal to the ADS_RIGHT_DS_CONTROL_ACCESS flag value (see Table 4.14).

The Extended Rights enforced by the system to perform extra checking: These Extended Rights are called the “Validated Writes.” These rights are used by the system to perform a value check or validation before writing a value to a property on an object. The value checking or validation goes beyond what is required by the Active Directory schema. This type of right uses a value of 0x8 (ADS_RIGHT_DS_SELF) in the validAccesses attribute. They have an ACE Type set to one of these three values: ADS_ACETYPE_ACCESS_ALLOWED_OBJECT, ADS_ACETYPE_ACCESS_DENIED_OBJECT, or ADS_ACETYPE_SYSTEM_AUDIT_OBJECT. They have an ACE AccessMask value equal to the ADS_RIGHT_DS_SELF flag value.

Figure 4.22 shows an example of the three Extended Rights types. On the left, we have the “Personal Information” right, which is enforced by Active Directory (validAccesses = 0x30). In the center, we have the “Send As” right, which is enforced by an application (validAccesses = 0x100). On the right, we have the “Add/Remove self as member” right, which is only enforced by the system itself (validAccesses = 0x08).

Figure 4.22. The Extended Rights enforced by Active Directory (left), enforced by applications (center), and enforced by the system (right).

To continue, we will use the three rights in Figure 4.22 as examples. Because rights are always related to an Active Directory object, Extended Rights have a link with the Active Directory object classes they apply to. For instance, the Extended Rights in Figure 4.22 (“Personal Information” and “Send As”) are linked with the Active Directory user class defined in the Active Directory schema, because they apply to objects created from the user class. The same rule applies to the “Add/Remove self as member” right, but it is linked with the group class. The link between the Extended Right and the user class or the group class is made with an attribute of the controlAccessRight object called appliesTo. The appliesTo attribute may contain one or more GUID numbers, where each GUID number is the value contained in the schemaIDGUID attribute of a class that the Extended Right relates to. For instance, the “Personal Information” Extended Right has several GUID numbers in its appliesTo attribute (Figure 4.23, left pane), each of which comes from the schemaIDGUID attribute of the corresponding class; Figure 4.23 (right pane) shows this for the user class.

Figure 4.23. The appliesTo GUID numbers of the “Personal Information” Extended Right in liaison with the schemaIDGUID attribute of the classSchema object.

Although the schemaIDGUID attribute stores the GUID in binary form, it is the same GUID number. Figure 4.24 illustrates the logic to use to convert a binary GUID number to a string GUID number and vice versa.

Figure 4.24. Converting a GUID string to a GUID number and vice versa.
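As an added, working illustration of the conversion logic in Figure 4.24 (this is not code from the book or from the WMIManageSD.Wsf script), the following Python converts the 16-byte binary form of a directory GUID to its string form and back. The binary layout is the mixed-endian one the figure describes: the first DWORD and the next two WORDs are little-endian, the trailing eight bytes are stored as printed. The sample value is the rightsGUID of the “Personal Information” Extended Right from Table 4.17, rendered in its binary form; the LDAP-filter escaping helper and the cross-check against Python's uuid module are additions beyond the figure.

```python
import struct
import uuid

# Directory GUIDs (schemaIDGUID, rightsGUID, attributeSecurityGUID) are 16 bytes in the
# mixed-endian layout of Figure 4.24: the leading DWORD and the next two WORDs are
# little-endian, the remaining eight bytes are stored in the order they are printed.
GUID_STRUCT = struct.Struct("<IHH8s")

# Constructed sample: the rightsGUID of the "Personal Information" Extended Right from
# Table 4.17 ({77b5b886-944a-11d1-aebd-0000f80367c1}) as it appears in binary form.
PERSONAL_INFORMATION_RAW = bytes.fromhex("86b8b5774a94d111aebd0000f80367c1")


def guid_bytes_to_string(raw: bytes) -> str:
    """Binary GUID -> "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}" string form."""
    if len(raw) != 16:
        raise ValueError(f"a GUID is exactly 16 bytes, got {len(raw)}")
    d1, w2, w3, tail = GUID_STRUCT.unpack(raw)
    # tail: two bytes for the fourth group, six bytes for the fifth, no byte swapping
    return "{%08x-%04x-%04x-%s-%s}" % (d1, w2, w3, tail[:2].hex(), tail[2:].hex())


def guid_string_to_bytes(text: str) -> bytes:
    """String GUID (braces optional) -> the 16-byte directory form."""
    parts = text.strip().strip("{}").split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        raise ValueError(f"malformed GUID string: {text!r}")
    d1, w2, w3 = (int(p, 16) for p in parts[:3])
    return GUID_STRUCT.pack(d1, w2, w3, bytes.fromhex(parts[3] + parts[4]))


def guid_ldap_filter_value(text: str) -> str:
    """Escape the binary form for an LDAP filter such as (schemaIDGUID=\\86\\b8...)."""
    return "".join("\\%02x" % b for b in guid_string_to_bytes(text))


def matches_stdlib(raw: bytes) -> bool:
    """Cross-check the hand-rolled conversion against uuid.UUID(bytes_le=...)."""
    return guid_bytes_to_string(raw) == "{%s}" % uuid.UUID(bytes_le=raw)


if __name__ == "__main__":
    text = guid_bytes_to_string(PERSONAL_INFORMATION_RAW)
    print(text)                                # {77b5b886-944a-11d1-aebd-0000f80367c1}
    print(guid_string_to_bytes(text).hex())    # 86b8b5774a94d111aebd0000f80367c1
    print(guid_ldap_filter_value(text))
    print(matches_stdlib(PERSONAL_INFORMATION_RAW))
```

The escaped form returned by guid_ldap_filter_value is what you paste into an LDAP search filter against the Schema naming context to find the classSchema or attributeSchema object behind a GUID seen in an ACE, since the directory compares the binary value, not the string.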

If we look for the same information for the “Send As” Extended Right, we find the same type of relationship (see Figure 4.25). The same rule will apply if you look at the GUID number stored in the schemaIDGUID attribute of the group class.

Figure 4.25. The appliesTo GUID numbers of the “Send As” Extended Right in liaison with the schemaIDGUID attribute of the classSchema object.

The aim of the “Personal Information” Extended Right (and of all Extended Rights using a validAccesses attribute value equal to 0x30) is to protect some Active Directory attributes associated with the class that the Extended Right refers to. This means that a relationship between Extended Rights and some Active Directory attributes also exists. To establish the link between an Extended Right and the set of attributes it protects, an Extended Right of this type (validAccesses = 0x30) uses another GUID number, which is stored in the rightsGUID attribute of the controlAccessRight object. Any attribute that can be protected by the Extended Right refers to the Extended Right GUID number by storing that value in its attributeSecurityGUID attribute (see Figure 4.26). The attributeSecurityGUID attribute is part of the attributeSchema object defining the attribute in the Active Directory Schema.

Figure 4.26. The attributeSecurityGUID attribute of the attributeSchema object contains the rightsGUID GUID number of the “Personal Information” Extended Right.

Finally, Figure 4.27 summarizes the links between Extended Rights (controlAccessRight), Active Directory object classes (classSchema), and attribute definitions (attributeSchema). Figure 4.27 also shows that the ACE ObjectType property of a security descriptor using an Extended Right refers to the GUID number value stored in the rightsGUID attribute of the controlAccessRight object. However, we will see later in this section that the GUID number could come from the schemaIDGUID attribute of a classSchema object. This is why we have a dashed line in Figure 4.27.

Figure 4.27. The Extended Rights attributes links.

When Extended Rights use a validAccesses attribute value of 0x100, they do not refer to any particular attribute, since this type of right is enforced at the application level, which means that it is the responsibility of the application to validate the right (for example, Exchange 2000 and Outlook 2000 validate the “Send As” Extended Right). The last type (validAccesses = 0x8) is enforced by the system and is used to restrict write operations to some Active Directory attributes (for example, the “Validated write to DNS host name” right applying to the computer class). Table 4.17 summarizes the Extended Rights names and GUID numbers available under Windows Server 2003 and Exchange 2000 SP3, with the classes and attributes they apply to.

Table 4.17. Extended Rights Available in Active Directory under Windows Server 2003 (Exchange 2000 Extended Rights Included)

| Extended Right Display Name | GUID number (rightsGUID) | Type | Related classes | Protected attributes |
|---|---|---|---|---|
| Account Restrictions | {4c164200-20c0-11d0-a768-00aa006e0529} | 0x30 | inetOrgPerson, computer, user | accountExpires, msDS-User-Account-Control-Computed, pwdLastSet, userAccountControl, userParameters |
| Add GUID | {440820ad-65b4-11d1-a3da-0000f875ae0d} | 0x100 | domainDNS | |
| Add PF to admin group | {ce4c81a8-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchAdminGroup | |
| Add/Remove Replica In Domain | {9923a32a-3607-11d2-b9be-0000f87a36b2} | 0x100 | domainDNS | |
| Add/Remove self as member | {bf9679c0-0de6-11d0-a285-00aa003049e2} | 0x8 | group | |
| Administer information store | {d74a8762-22b9-11d3-aa62-00c04f8eedd8} | 0x100 | msExchStorageGroup, msExchServersContainer, msExchPublicMDB, msExchPseudoPFAdmin, msExchPrivateMDB, msExchPFTree, msExchOrganizationContainer, msExchExchangeServer, msExchConfigurationContainer, msExchAdminGroupContainer, msExchAdminGroup | |
| Allocate Rids | {1abd7cf8-0a99-11d1-adbb-00c04fd8d5cd} | 0x100 | nTDSDSA | |
| Allowed to Authenticate | {68b1d179-0d15-4d4f-ab71-46152e79a7bc} | 0x100 | inetOrgPerson, user, computer | |
| Apply Group Policy | {edacfd8f-ffb3-11d1-b41d-00a0c968f939} | 0x100 | groupPolicyContainer | |
| Change Domain Master | {014bf69c-7b3b-11d1-85f6-08002be74fab} | 0x100 | crossRefContainer | |
| Change Infrastructure Master | {cc17b1fb-33d9-11d2-97d4-00c04fd8d5cd} | 0x100 | infrastructureUpdate | |
| Change Password | {ab721a53-1e2f-11d0-9819-00aa0040529b} | 0x100 | inetOrgPerson, computer, user | |
| Change PDC | {bae50096-4752-11d1-9052-00c04fc2d4cf} | 0x100 | domainDNS | |
| Change Rid Master | {d58d5f36-0a98-11d1-adbb-00c04fd8d5cd} | 0x100 | rIDManager | |
| Change Schema Master | {e12b56b6-0a95-11d1-adbb-00c04fd8d5cd} | 0x100 | dMD | |
| Check State Phantoms | {69ae6200-7f46-11d2-b9ad-00c04f79f805} | 0x100 | nTDSDSA | |
| Create Inbound Forest Trust | {e2a36dc9-ae17-47c3-b58b-be34c55ba633} | 0x100 | domainDNS | |
| Create named properties in the information store | {d74a8766-22b9-11d3-aa62-00c04f8eedd8} | 0x100 | msExchStorageGroup, msExchServersContainer, msExchPublicMDB, msExchPrivateMDB, msExchPFTree, msExchOrganizationContainer, msExchExchangeServer, msExchConfigurationContainer, msExchAdminGroupContainer | |
| Create public folder | {cf0b3dc8-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchPFTree, msExchOrganizationContainer, msExchConfigurationContainer, msExchAdminGroupContainer, msExchAdminGroup | |
| Create top level public folder | {cf4b9d46-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchPFTree, msExchOrganizationContainer, msExchConfigurationContainer, msExchAdminGroupContainer, msExchAdminGroup | |
| DNS Host Name Attributes | {72e39547-7b18-11d1-adef-00c04fd8d5cd} | 0x30 | computer | dNSHostName, msDS-AdditionalDnsHostName |
| Do Garbage Collection | {fec364e0-0a98-11d1-adbb-00c04fd8d5cd} | 0x100 | nTDSDSA | |
| Domain Administer Server | {ab721a52-1e2f-11d0-9819-00aa0040529b} | 0x100 | samServer | |
| Domain Password & Lockout Policies | {c7407360-20bf-11d0-a768-00aa006e0529} | 0x30 | domainDNS, domain | lockOutObservationWindow, lockoutDuration, lockoutThreshold, maxPwdAge, minPwdAge, minPwdLength, pwdHistoryLength, pwdProperties |
| Enable Per User Reversibly Encrypted Password | {05c74c5e-4deb-43b4-bd9f-86664c2a7fd5} | 0x100 | domainDNS | |
| Enroll | {0e10c968-78fb-11d2-90d4-00c04f79dc55} | 0x100 | pKICertificateTemplate | |
| Enumerate Entire SAM Domain | {91d67418-0135-4acc-8d79-c08e857cfbec} | 0x100 | samServer | |
| Exchange administrator | {8e48d5a8-b09e-11d2-aa06-00c04f8eedd8} | 0x100 | msExchAdminGroup | |
| Exchange full administrator | {8e6571e0-b09e-11d2-aa06-00c04f8eedd8} | 0x100 | msExchAdminGroup | |
| Exchange public folder read-only administrator | {8ff1383c-b09e-11d2-aa06-00c04f8eedd8} | 0x100 | msExchAdminGroup | |
| Exchange public folder service | {90280e52-b09e-11d2-aa06-00c04f8eedd8} | 0x100 | msExchAdminGroup | |
| Execute Forest Update Script | {2f16c4a5-b98e-432c-952a-cb388ba33f2e} | 0x100 | crossRefContainer | |
| General Information | {59ba2f42-79a2-11d0-9020-00c04fc2d3cf} | 0x30 | inetOrgPerson, user | adminDescription, codePage, countryCode, displayName, objectSid, primaryGroupID, sAMAccountName, sAMAccountType, sDRightsEffective, showInAdvancedViewOnly, sIDHistory, uid, comment |
| Generate Resultant Set of Policy (Logging) | {b7b1b3de-ab09-4242-9e30-9980e5d322f7} | 0x100 | domainDNS, organizationalUnit | |
| Generate Resultant Set of Policy (Planning) | {b7b1b3dd-ab09-4242-9e30-9980e5d322f7} | 0x100 | domainDNS, organizationalUnit | |
| Group Membership | {bc0ac240-79a9-11d0-9020-00c04fc2d4cf} | 0x30 | inetOrgPerson, user | memberOf, member |
| Logon Information | {5f202010-79a5-11d0-9020-00c04fc2d4cf} | 0x30 | inetOrgPerson, user | badPwdCount, homeDirectory, homeDrive, lastLogoff, lastLogon, lastLogonTimestamp, logonCount, logonHours, logonWorkstation, profilePath, scriptPath, userWorkstations |
| Mail-enable public folder | {cf899a6a-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchPFTree, msExchOrganizationContainer, msExchConfigurationContainer, msExchAdminGroupContainer, msExchAdminGroup | |
| Manage Replication Topology | {1131f6ac-9c07-11d1-f79f-00c04fc2dcd2} | 0x100 | dMD, configuration, domainDNS | |
| Migrate SID History | {ba33815a-4f93-4c76-87f3-57574bff8109} | 0x100 | domainDNS | |
| Modify public folder ACL | {d74a8769-22b9-11d3-aa62-00c04f8eedd8} | 0x100 | msExchPseudoPFAdmin, msExchPFTree | |
| Modify public folder admin ACL | {d74a876f-22b9-11d3-aa62-00c04f8eedd8} | 0x100 | msExchPseudoPFAdmin, msExchPFTree, msExchOrganizationContainer, msExchConfigurationContainer, msExchAdminGroupContainer, msExchAdminGroup | |
| Modify public folder deleted item retention | {cffe6da4-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchPseudoPFAdmin, msExchPFTree, msExchAdminGroup | |
| Modify public folder expiry | {cfc7978e-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchPseudoPFAdmin, msExchPFTree, msExchAdminGroup | |
| Modify public folder quotas | {d03a086e-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchPseudoPFAdmin, msExchPFTree, msExchAdminGroup | |
| Modify public folder replica list | {d0780592-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchStorageGroup, msExchServersContainer, msExchPublicMDB, msExchPseudoPFAdmin, msExchPFTree, msExchOrganizationContainer, msExchExchangeServer, msExchConfigurationContainer, msExchAdminGroupContainer, msExchAdminGroup | |
| Monitor Active Directory Replication | {f98340fb-7c5b-4cdb-a00b-2ebdfa115a96} | 0x100 | dMD, configuration, domainDNS | |
| Open Address List | {a1990816-4298-11d1-ade2-00c04fd8d5cd} | 0x100 | addressBookContainer | |
| Open Connector Queue | {b4e60130-df3f-11d1-9c86-006008764d0e} | 0x100 | site | |
| Open mail send queue | {d74a8774-22b9-11d3-aa62-00c04f8eedd8} | 0x100 | msExchStorageGroup, msExchServersContainer, msExchPublicMDB, msExchPrivateMDB, msExchOrganizationContainer, msExchExchangeServer, msExchAdminGroupContainer, msExchAdminGroup | |
| Other Domain Parameters (for use by SAM) | {b8119fd0-04f6-4762-ab7a-4986c76b3f9a} | 0x30 | domainDNS | domainReplica, forceLogoff, modifiedCount, oEMInformation, serverRole, serverState, uASCompat |
| Peek Computer Journal | {4b6e08c3-df3c-11d1-9c86-006008764d0e} | 0x100 | mSMQConfiguration | |
| Peek Dead Letter | {4b6e08c1-df3c-11d1-9c86-006008764d0e} | 0x100 | mSMQConfiguration | |
| Peek Message | {06bd3201-df3e-11d1-9c86-006008764d0e} | 0x100 | mSMQQueue | |
| Personal Information | {77b5b886-944a-11d1-aebd-0000f80367c1} | 0x30 | inetOrgPerson, computer, contact, user | streetAddress, homePostalAddress, assistant, info, c, facsimileTelephoneNumber, internationalISDNNumber, l, publicDelegates, mSMQDigests, mSMQSignCertificates, personalTitle, otherFacsimileTelephoneNumber, otherHomePhone, homePhone, otherIpPhone, ipPhone, primaryInternationalISDNNumber, otherMobile, mobile, otherTelephone, otherPager, pager, physicalDeliveryOfficeName, thumbnailPhoto, postOfficeBox, postalAddress, postalCode, preferredDeliveryMethod, registeredAddress, st, street, telephoneNumber, teletexTerminalIdentifier, telexNumber, primaryTelexNumber, userCert, userSharedFolder, userSharedFolderOther, userSMIMECertificate, x121Address, userCertificate |
| Phone and Mail Options | {e45795b2-9455-11d1-aebd-0000f80367c1} | 0x30 | inetOrgPerson, group, user | |
| Public Information | {e48d0154-bcf8-11d1-8702-00c04fb96050} | 0x30 | inetOrgPerson, computer, user | notes, allowedAttributes, allowedAttributesEffective, allowedChildClasses, allowedChildClassesEffective, altSecurityIdentities, cn, company, department, description, displayNamePrintable, division, mail, givenName, initials, legacyExchangeDN, manager, msDS-AllowedToDelega |
| Read metabase properties | {be013017-13a1-41ad-a058-f156504cb617} | 0x100 | msExchServersContainer, protocolCfgSharedServer, msExchOrganizationContainer, msExchExchangeServer, msExchAdminGroupContainer, msExchAdminGroup | |
| Reanimate Tombstones | {45ec5156-db7e-47bb-b53f-dbeb2d03c40f} | 0x100 | dMD, configuration, domainDNS | |
| Recalculate Hierarchy | {0bc1554e-0a99-11d1-adbb-00c04fd8d5cd} | 0x100 | nTDSDSA | |
| Recalculate Security Inheritance | {62dd28a8-7f46-11d2-b9ad-00c04f79f805} | 0x100 | nTDSDSA | |
| Receive As | {ab721a56-1e2f-11d0-9819-00aa0040529b} | 0x100 | msExchServersContainer, msExchPublicMDB, protocolCfgSMTPServer, msExchPrivateMDB, msExchOrganizationContainer, mTA, msExchExchangeServer, msExchAdminGroupContainer, msExchAdminGroup, inetOrgPerson, computer, user | |
| Receive Computer Journal | {4b6e08c2-df3c-11d1-9c86-006008764d0e} | 0x100 | mSMQConfiguration | |
| Receive Dead Letter | {4b6e08c0-df3c-11d1-9c86-006008764d0e} | 0x100 | mSMQConfiguration | |
| Receive Journal | {06bd3203-df3e-11d1-9c86-006008764d0e} | 0x100 | mSMQQueue | |
| Receive Message | {06bd3200-df3e-11d1-9c86-006008764d0e} | 0x100 | mSMQQueue | |
| Refresh Group Cache for Logons | {9432c620-033c-4db7-8b58-14ef6d0bf477} | 0x100 | nTDSDSA | |
| Remote Access Information | {037088f8-0ae1-11d2-b422-00a0c968f939} | 0x30 | inetOrgPerson, user | msNPAllowDialin, msNPCallingStationID, msRADIUSCallbackNumber, msRADIUSFramedIPAddress, msRADIUSFramedRoute, msRADIUSServiceType, tokenGroups, tokenGroupsGlobalAndUniversal, tokenGroupsNoGCAcceptable |
| Remove PF from admin group | {d0b86510-afe6-11d2-aa04-00c04f8eedd8} | 0x100 | msExchAdminGroup | |
| Replicating Directory Changes | {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} | 0x100 | dMD, configuration, domainDNS | |
| Replicating Directory Changes All | {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2} | 0x100 | dMD, configuration, domainDNS | |
| Replication Synchronization | {1131f6ab-9c07-11d1-f79f-00c04fc2dcd2} | 0x100 | dMD, configuration, domainDNS | |
| Reset Password | {00299570-246d-11d0-a768-00aa006e0529} | 0x100 | inetOrgPerson, computer, user | |
| Send As | {ab721a54-1e2f-11d0-9819-00aa0040529b} | 0x100 | msExchServersContainer, msExchPublicMDB, publicFolder, protocolCfgSMTPServer, msExchPrivateMDB, msExchOrganizationContainer, mTA, msExchExchangeServer, msExchAdminGroupContainer, msExchAdminGroup, group, contact, inetOrgPerson, computer, user | |
| Send Message | {06bd3202-df3e-11d1-9c86-006008764d0e} | 0x100 | msMQ-Group, mSMQQueue | |
| Send To | {ab721a55-1e2f-11d0-9819-00aa0040529b} | 0x100 | group | |
| Unexpire Password | {ccc2dc7d-a6ad-4a7a-8846-c04e3cc53501} | 0x100 | domainDNS | |
| Update Password Not Required Bit | {280f369c-67c7-438e-ae98-1d46f3c6f541} | 0x100 | domainDNS | |
| Update Schema Cache | {be2bb760-7f46-11d2-b9ad-00c04f79f805} | 0x100 | dMD | |
| Validated write to DNS host name | {72e39547-7b18-11d1-adef-00c04fd8d5cd} | 0x8 | computer | dNSHostName, msDS-AdditionalDnsHostName |
| Validated write to service principal name | {f3a64788-5306-11d1-a9c5-0000f80367c1} | 0x8 | computer | |
| View information store status | {d74a875e-22b9-11d3-aa62-00c04f8eedd8} | 0x100 | msExchStorageGroup, msExchServersContainer, msExchPublicMDB, msExchPseudoPFAdmin, msExchPrivateMDB, msExchPFTree, msExchOrganizationContainer, msExchExchangeServer, msExchConfigurationContainer, msExchAdminGroupContainer, msExchAdminGroup | |
| Web Information | {e45795b3-9455-11d1-aebd-0000f80367c1} | 0x30 | inetOrgPerson, contact, user | wWWHomePage, url |

Each time an ACE refers to an Extended Right, the ACE ObjectType GUID number must be looked up in this table to find the corresponding Extended Right name. Table 4.17 can also be used to determine which Extended Right protects a specific attribute of a specific Active Directory object, which eases the process of determining which right must be set to secure a given attribute. For instance, based on Table 4.17, we know that the “Personal Information” Extended Right protects the street and telephoneNumber attributes, among others.

To understand how to decipher this type of ACE, let's take the examples from Figure 4.22. We see that a user called “LISSOIR Alain” is granted the right to read and change his personal information (left). At the same time, he is also granted the “Send As” right (center), and he can add or remove himself from the “Enterprise Admins” group (right).

By using the WMIManageSD.Wsf script with the following command line, deciphering this Active Directory security descriptor produces the following output:

From line 186 through 196, the “Send As” Extended Right is granted to trustee “Alain.Lissoir” as:

The ACE Type has a value equal to ADS_ACETYPE_ACCESS_ALLOWED_OBJECT (line 191).

The ACE AccessMask has a value equal to ADS_RIGHT_DS_CONTROL_ACCESS (line 188).

The ACE ObjectType property has a GUID number corresponding to the “Send As” Extended Right (line 194). Check Table 4.17 to find the Extended Right GUID number with its corresponding display name.

In the same way, from line 197 through 208, the “Personal Information” Extended Right is granted to trustee “Alain.Lissoir” to read and write the personal information as:

The ACE Type has a value equal to ADS_ACETYPE_ACCESS_ALLOWED_OBJECT (line 203).

The ACE AccessMask has a value equal to ADS_RIGHT_DS_READ_PROP + ADS_RIGHT_DS_WRITE_PROP (lines 199 and 200).

The ACE ObjectType property has a GUID number corresponding to the “Personal Information” Extended Right (line 206). Check Table 4.17 to find the Extended Right GUID number with its corresponding display name.

For the “Add/Remove self as member” Extended Right, the same logic applies with different values.

From line 174 through 186, the right “Add/Remove self as member” is granted to trustee “Alain.Lissoir” as:

The ACE Type has a value equal to ADS_ACETYPE_ACCESS_ALLOWED_OBJECT (line 181).

The ACE AccessMask has a value equal to ADS_RIGHT_DS_SELF (line 176).

The ACE ObjectType property has a GUID number corresponding to the “Add/Remove self as member” Extended Right (line 184). Check Table 4.17 to find the Extended Right GUID number with its corresponding display name.

When the ACE AccessMask property has a value coming from a combination of the ADS_RIGHT_DS_CREATE_CHILD and ADS_RIGHT_DS_DELETE_CHILD flags, the ACE ObjectType property contains a GUID number, but it does not refer to an Extended Right. In this case, the GUID number refers to the schemaIDGUID of an Active Directory classSchema object and defines a permission that grants or denies a trustee the right to create or delete objects of the referred class type. The dashed line in Figure 4.27 represents this link. Figure 4.28 shows an example of such a right on the “CN=Users” container.

Figure 4.28. The ACE ObjectType property used to grant or deny the creation or deletion of objects from a particular class.

If we decipher the ACE, we obtain the following result:

From line 105 through 118, the right “Create/Delete POP Policy Objects” is granted to trustee “Alain.Lissoir” as:

The ACE Type has a value equal to ADS_ACETYPE_ACCESS_ALLOWED_OBJECT (line 113).

The ACE AccessMask has a value equal to ADS_RIGHT_DS_CREATE_CHILD + ADS_RIGHT_DS_DELETE_CHILD (lines 107 and 108).

The ACE ObjectType property has a GUID number corresponding to the schemaIDGUID of a classSchema object, which is the msExchProtocolCfgPOPPolicy object class (line 116). Check Table 4.18 to find the schemaIDGUID GUID number and determine the corresponding Active Directory class.
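Pulling together the rules given above for the three Extended Rights types and for the create/delete child case, here is an added Python example (not code from the book or from the WMIManageSD.Wsf script) that decides, from an ACE's Type, AccessMask and ObjectType GUID alone, whether the GUID names an Extended Right or a classSchema object, and resolves it against a small embedded subset of Tables 4.17 and 4.18. The flag values are the ADSI ADS_RIGHT_ENUM and ADS_ACETYPE_ENUM constants; the sample ACEs are constructed to mirror the three rights of Figure 4.22 plus a create/delete right on the computer class. It goes one step beyond the text in showing why the AccessMask has to be examined before the GUID is looked up: the GUID 72e39547-7b18-11d1-adef-00c04fd8d5cd appears twice in Table 4.17, once as the 0x30 “DNS Host Name Attributes” property set and once as the 0x8 “Validated write to DNS host name” right.

```python
from dataclasses import dataclass
from typing import Optional

# ADS_RIGHT_ENUM flag values (ADSI) that matter for object-specific ACEs.
ADS_RIGHT_DS_CREATE_CHILD = 0x1
ADS_RIGHT_DS_DELETE_CHILD = 0x2
ADS_RIGHT_DS_SELF = 0x8
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100

# ADS_ACETYPE_ENUM values of the three object-specific ACE types.
ACE_TYPE_NAMES = {
    0x5: "ADS_ACETYPE_ACCESS_ALLOWED_OBJECT",
    0x6: "ADS_ACETYPE_ACCESS_DENIED_OBJECT",
    0x7: "ADS_ACETYPE_SYSTEM_AUDIT_OBJECT",
}

# validAccesses value -> who enforces that kind of Extended Right.
ENFORCED_BY = {0x30: "Active Directory", 0x100: "application", 0x8: "system (validated write)"}

# Subset of Table 4.17 keyed by rightsGUID: (display name, validAccesses, protected attributes).
# One GUID may carry several entries: 72e39547-... is both the "DNS Host Name Attributes"
# property set (0x30) and the "Validated write to DNS host name" right (0x8), so only the
# AccessMask can tell them apart.
EXTENDED_RIGHTS = {
    "ab721a54-1e2f-11d0-9819-00aa0040529b": [("Send As", 0x100, ())],
    "bf9679c0-0de6-11d0-a285-00aa003049e2": [("Add/Remove self as member", 0x8, ())],
    "77b5b886-944a-11d1-aebd-0000f80367c1": [("Personal Information", 0x30,
        ("street", "telephoneNumber", "homePhone", "mobile", "postalCode"))],
    "72e39547-7b18-11d1-adef-00c04fd8d5cd": [
        ("DNS Host Name Attributes", 0x30, ("dNSHostName", "msDS-AdditionalDnsHostName")),
        ("Validated write to DNS host name", 0x8, ("dNSHostName", "msDS-AdditionalDnsHostName")),
    ],
}

# Subset of Table 4.18 keyed by schemaIDGUID -> class ldapDisplayName.
SCHEMA_CLASSES = {
    "bf967a86-0de6-11d0-a285-00aa003049e2": "computer",
    "bf967a9c-0de6-11d0-a285-00aa003049e2": "group",
    "5cb41ed0-0e4c-11d0-a286-00aa003049e2": "contact",
}


@dataclass(frozen=True)
class ObjectAce:
    ace_type: int      # ADS_ACETYPE_* value
    access_mask: int   # combination of ADS_RIGHT_* flags
    object_type: str   # GUID string, braces optional


def decode_object_ace(ace: ObjectAce) -> dict:
    """Resolve what the ObjectType GUID of an object-specific ACE refers to."""
    if ace.ace_type not in ACE_TYPE_NAMES:
        raise ValueError(f"not an object-specific ACE type: {ace.ace_type:#x}")
    guid = ace.object_type.strip().strip("{}").lower()
    mask = ace.access_mask
    result = {"ace_type": ACE_TYPE_NAMES[ace.ace_type], "object_type": guid}

    # Create/delete child: the GUID names a classSchema object, not an Extended Right.
    if mask & (ADS_RIGHT_DS_CREATE_CHILD | ADS_RIGHT_DS_DELETE_CHILD):
        ops = [n for f, n in ((ADS_RIGHT_DS_CREATE_CHILD, "create"),
                              (ADS_RIGHT_DS_DELETE_CHILD, "delete")) if mask & f]
        result.update(kind="class", name=SCHEMA_CLASSES.get(guid), operations=ops)
        return result

    # Otherwise the mask decides which validAccesses value the Extended Right must have.
    if mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        expected, ops = 0x100, ["control access"]
    elif mask & ADS_RIGHT_DS_SELF:
        expected, ops = 0x8, ["validated write"]
    elif mask & (ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP):
        expected = 0x30
        ops = [n for f, n in ((ADS_RIGHT_DS_READ_PROP, "read property"),
                              (ADS_RIGHT_DS_WRITE_PROP, "write property")) if mask & f]
    else:
        result.update(kind="unknown", name=None, operations=[])
        return result

    match = [e for e in EXTENDED_RIGHTS.get(guid, []) if e[1] == expected]
    if not match:
        result.update(kind="unknown", name=None, operations=ops, enforced_by=ENFORCED_BY[expected])
        return result
    name, valid_accesses, attrs = match[0]
    result.update(kind="extended_right", name=name, operations=ops,
                  enforced_by=ENFORCED_BY[valid_accesses], protected_attributes=list(attrs))
    return result


def protecting_right(attribute: str) -> Optional[str]:
    """Reverse use of Table 4.17: which 0x30 property set protects a given attribute?"""
    for entries in EXTENDED_RIGHTS.values():
        for name, valid_accesses, attrs in entries:
            if valid_accesses == 0x30 and attribute in attrs:
                return name
    return None


if __name__ == "__main__":
    # Constructed ACEs modelled on the three rights of Figure 4.22 plus a create/delete case.
    for ace in (ObjectAce(0x5, 0x100, "{ab721a54-1e2f-11d0-9819-00aa0040529b}"),
                ObjectAce(0x5, 0x30, "{77b5b886-944a-11d1-aebd-0000f80367c1}"),
                ObjectAce(0x5, 0x8, "{bf9679c0-0de6-11d0-a285-00aa003049e2}"),
                ObjectAce(0x5, 0x3, "{bf967a86-0de6-11d0-a285-00aa003049e2}")):
        print(decode_object_ace(ace))
```

In a real review of a security descriptor the two lookup tables would be loaded from the Schema and Configuration naming contexts (rightsGUID and validAccesses from the controlAccessRight objects under CN=Extended-Rights, schemaIDGUID from the classSchema objects) rather than embedded, but the decision order stays the same: read the AccessMask first, then resolve the GUID in the table that mask points to.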

Table 4.18. The schemaIDGUID GUID Number with Its Class Names

| Display Name | Object Class | schemaIDGUID |
|---|---|---|
| * objects | msExchDomainContentConfig | {ab3a1ad1-1df5-11d3-aa5e-00c04f8eedd8} |
| account objects | account | {2628a46a-a6ad-4ae0-b854-2b12d9fe6f9e} |
| aCSPolicy objects | aCSPolicy | {7f561288-5301-11d1-a9c5-0000f80367c1} |
| aCSResourceLimits objects | aCSResourceLimits | {2e899b04-2834-11d3-91d4-0000f87a57d4} |
| aCSSubnet objects | aCSSubnet | {7f561289-5301-11d1-a9c5-0000f80367c1} |
| Active Directory Service objects | nTDSService | {19195a5f-6da0-11d0-afd3-00c04fd930c9} |
| ADC Connection Agreement objects | msExchConnectionAgreement | {ee64c93a-a980-11d2-a9ff-00c04f8eedd8} |
| ADC Schema Map Policy objects | msExchSchemaMapPolicy | {348af8f2-a982-11d2-a9ff-00c04f8eedd8} |
| ADC Service objects | msExchActiveDirectoryConnector | {e605672c-a980-11d2-a9ff-00c04f8eedd8} |
| Address List objects | addressBookContainer | {3e74f60f-3e73-11d1-a9c0-0000f80367c1} |
| Address Template objects | addressTemplate | {5fd4250a-1262-11d0-a060-00aa006c33ed} |
| Address Type objects | addrType | {a8df74ab-c5ea-11d1-bbcb-0080c76670c0} |
| Addressing Policy objects | msExchAddressingPolicy | {e7211f02-a980-11d2-a9ff-00c04f8eedd8} |
| Administrative Group objects | msExchAdminGroup | {e768a58e-a980-11d2-a9ff-00c04f8eedd8} |
| Administrative Groups objects | msExchAdminGroupContainer | {e7a44058-a980-11d2-a9ff-00c04f8eedd8} |
| Administrative Role objects | msExchAdminRole | {e7f2edf2-a980-11d2-a9ff-00c04f8eedd8} |
| Advanced Security objects | msExchAdvancedSecurityContainer | {8cc8fb0e-b09e-11d2-aa06-00c04f8eedd8} |
| applicationEntity objects | applicationEntity | {3fdfee4f-47f4-11d1-a9c3-0000f80367c1} |
| applicationProcess objects | applicationProcess | {5fd4250b-1262-11d0-a060-00aa006c33ed} |
| applicationSettings objects | applicationSettings | {f780acc1-56f0-11d1-a9c6-0000f80367c1} |
| applicationSiteSettings objects | applicationSiteSettings | {19195a5c-6da0-11d0-afd3-00c04fd930c9} |
| applicationVersion objects | applicationVersion | {ddc790ac-af4d-442a-8f0f-a1d4caa7dd92} |
| builtinDomain objects | builtinDomain | {bf967a81-0de6-11d0-a285-00aa003049e2} |
| categoryRegistration objects | categoryRegistration | {7d6c0e9d-7e20-11d0-afd6-00c04fd930c9} |
| cc:Mail Connector objects | msExchccMailConnector | {e85710b6-a980-11d2-a9ff-00c04f8eedd8} |
| Certificate Template objects | pKICertificateTemplate | {e5209ca2-3bba-11d2-90cc-00c04fd91ab1} |
| Certification Authority objects | certificationAuthority | {3fdfee50-47f4-11d1-a9c3-0000f80367c1} |
| Chat Network objects | msExchChatNetwork | {e934cb68-a980-11d2-a9ff-00c04f8eedd8} |
| Chat Protocol objects | msExchChatProtocol | {e9621816-a980-11d2-a9ff-00c04f8eedd8} |
| classRegistration objects | classRegistration | {bf967a82-0de6-11d0-a285-00aa003049e2} |
| classStore objects | classStore | {bf967a84-0de6-11d0-a285-00aa003049e2} |
| comConnectionPoint objects | comConnectionPoint | {bf967a85-0de6-11d0-a285-00aa003049e2} |
| Computer objects | computer | {bf967a86-0de6-11d0-a285-00aa003049e2} |
| Computer Policy objects | msExchComputerPolicy | {ed2c752c-a980-11d2-a9ff-00c04f8eedd8} |
| Conference Site objects | msExchConferenceSite | {eddce330-a980-11d2-a9ff-00c04f8eedd8} |
| Conference Sites objects | msExchConferenceContainer | {ed7fe77a-a980-11d2-a9ff-00c04f8eedd8} |
| configuration objects | configuration | {bf967a87-0de6-11d0-a285-00aa003049e2} |
| Connection objects | nTDSConnection | {19195a60-6da0-11d0-afd3-00c04fd930c9} |
| connectionPoint objects | connectionPoint | {5cb41ecf-0e4c-11d0-a286-00aa003049e2} |
| Connections objects | msExchConnectors | {eee325dc-a980-11d2-a9ff-00c04f8eedd8} |
| Contact objects | contact | {5cb41ed0-0e4c-11d0-a286-00aa003049e2} |
| Container objects | container | {bf967a8b-0de6-11d0-a285-00aa003049e2} |
| country objects | country | {bf967a8c-0de6-11d0-a285-00aa003049e2} |
| cRLDistributionPoint objects | cRLDistributionPoint | {167758ca-47f3-11d1-a9c3-0000f80367c1} |
| crossRef objects | crossRef | {bf967a8d-0de6-11d0-a285-00aa003049e2} |
| crossRefContainer objects | crossRefContainer | {ef9e60e0-56f7-11d1-a9c6-0000f80367c1} |
| Data Conference Server (T.120 MCU) objects | msExchMCU | {038680ec-a981-11d2-a9ff-00c04f8eedd8} |
| Data Conference Technology Provider (T.120 MCU) objects | msExchMCUContainer | {03aa4432-a981-11d2-a9ff-00c04f8eedd8} |
| device objects | device | {bf967a8e-0de6-11d0-a285-00aa003049e2} |
| dfsConfiguration objects | dfsConfiguration | {8447f9f2-1027-11d0-a05f-00aa006c33ed} |
| dHCPClass objects | dHCPClass | {963d2756-48be-11d1-a9c3-0000f80367c1} |
| Directory objects | dSA | {3fdfee52-47f4-11d1-a9c3-0000f80367c1} |
| Directory Replication Connector objects | msExchReplicationConnector | {99f58682-12e8-11d3-aa58-00c04f8eedd8} |
| Directory Synchronization objects | localDXA | {a8df74b5-c5ea-11d1-bbcb-0080c76670c0} |
| Directory Synchronization Requestor objects | dXRequestor | {a8df74ae-c5ea-11d1-bbcb-0080c76670c0} |
| Directory Synchronization Server Connector objects | dXServerConn | {a8df74af-c5ea-11d1-bbcb-0080c76670c0} |
| Directory Synchronization Site Server objects | dXASiteServer | {a8df74b0-c5ea-11d1-bbcb-0080c76670c0} |
| Display Template objects | displayTemplate | {5fd4250c-1262-11d0-a060-00aa006c33ed} |
| displaySpecifier objects | displaySpecifier | {e0fa1e8a-9b45-11d0-afdd-00c04fd930c9} |
| dnsNode objects | dnsNode | {e0fa1e8c-9b45-11d0-afdd-00c04fd930c9} |
| dnsZone objects | dnsZone | {e0fa1e8b-9b45-11d0-afdd-00c04fd930c9} |
| document objects | document | {39bad96d-c2d6-4baf-88ab-7e4207600117} |
| documentSeries objects | documentSeries | {7a2be07c-302f-4b96-bc90-0795d66885f8} |
| Domain Controller Settings objects | nTDSDSA | {f0f8ffab-1191-11d0-a060-00aa006c33ed} |
| domain objects | domain | {19195a5a-6da0-11d0-afd3-00c04fd930c9} |
| Domain objects | domainDNS | {19195a5b-6da0-11d0-afd3-00c04fd930c9} |
| Domain Policy objects | domainPolicy | {bf967a99-0de6-11d0-a285-00aa003049e2} |
| domainRelatedObject objects | domainRelatedObject | {8bfd2d3d-efda-4549-852c-f85e137aedc6} |
| dSUISettings objects | dSUISettings | {09b10f14-6f93-11d2-9905-0000f87a57d4} |
| Dynamic RAS Connector objects | rASX400Link | {a8df74d4-c5ea-11d1-bbcb-0080c76670c0} |
| dynamicObject objects | dynamicObject | {66d51249-3355-4c1f-b24e-81f252aca23b} |
| Encryption Configuration objects | encryptionCfg | {a8df74b1-c5ea-11d1-bbcb-0080c76670c0} |
| Exchange Add-In objects | addIn | {a8df74aa-c5ea-11d1-bbcb-0080c76670c0} |
| Exchange Admin Extension objects | adminExtension | {a8df74ac-c5ea-11d1-bbcb-0080c76670c0} |
| Exchange Configuration Container objects | msExchConfigurationContainer | {d03d6858-06f4-11d2-aa53-00c04fd7d83a} |
| Exchange Container objects | msExchContainer | {006c91da-a981-11d2-a9ff-00c04f8eedd8} |
| Exchange Organization objects | msExchOrganizationContainer | {366a319c-a982-11d2-a9ff-00c04f8eedd8} |
| Exchange Policies objects | msExchPoliciesContainer | {3630f92c-a982-11d2-a9ff-00c04f8eedd8} |
| Exchange Protocols objects | msExchProtocolCfgProtocolContainer | {90f2b634-b09e-11d2-aa06-00c04f8eedd8} |
| Exchange Server objects | msExchExchangeServer | {01a9aa9c-a981-11d2-a9ff-00c04f8eedd8} |
| Exchange Server Policy objects | msExchExchangeServerPolicy | {e497942f-1d42-11d3-aa5e-00c04f8eedd8} |
| Exchange Servers objects | msExchServersContainer | {346e5cba-a982-11d2-a9ff-00c04f8eedd8} |
| Extended Right objects | controlAccessRight | {8297931e-86d3-11d0-afda-00c04fd930c9} |
| fileLinkTracking objects | fileLinkTracking | {dd712229-10e4-11d0-a05f-00aa006c33ed} |
| fileLinkTrackingEntry objects | fileLinkTrackingEntry | {8e4eb2ed-4712-11d0-a1a0-00c04fd930c9} |
| Foreign Security Principal objects | foreignSecurityPrincipal | {89e31c12-8530-11d0-afda-00c04fd930c9} |
| friendlyCountry objects | friendlyCountry | {c498f152-dc6b-474a-9f52-7cdba3d7d351} |
| FRS Member objects | nTFRSMember | {2a132586-9373-11d1-aebc-0000f80367c1} |
| FRS Replica Set objects | nTFRSReplicaSet | {5245803a-ca6a-11d0-afff-0000f80367c1} |
| FRS Settings objects | nTFRSSettings | {f780acc2-56f0-11d1-a9c6-0000f80367c1} |
| FRS Subscriber objects | nTFRSSubscriber | {2a132588-9373-11d1-aebc-0000f80367c1} |
| FRS Subscriptions objects | nTFRSSubscriptions | {2a132587-9373-11d1-aebc-0000f80367c1} |
| fTDfs objects | fTDfs | {8447f9f3-1027-11d0-a05f-00aa006c33ed} |
| Gateway objects | mailGateway | {a8df74b7-c5ea-11d1-bbcb-0080c76670c0} |
| Group objects | group | {bf967a9c-0de6-11d0-a285-00aa003049e2} |
| groupOfNames objects | groupOfNames | {bf967a9d-0de6-11d0-a285-00aa003049e2} |
| groupOfUniqueNames objects | groupOfUniqueNames | {0310a911-93a3-4e21-a7a3-55d85ab2c48b} |
| groupPolicyContainer objects | groupPolicyContainer | {f30e3bc2-9ff0-11d1-b603-0000f80367c1} |
| GroupWise Connector objects | msExchGroupWiseConnector | {91eaaac4-b09e-11d2-aa06-00c04f8eedd8} |
| HTTP Protocol objects | msExchProtocolCfgHTTPContainer | {9432cae6-b09e-11d2-aa06-00c04f8eedd8} |
| HTTP Virtual Directory objects | msExchProtocolCfgHTTPVirtualDirectory | {8c3c5050-b09e-11d2-aa06-00c04f8eedd8} |
| HTTP Virtual Server objects | protocolCfgHTTPServer | {a8df74c2-c5ea-11d1-bbcb-0080c76670c0} |
| IMAP Policy objects | msExchProtocolCfgIMAPPolicy | {35f7c0bc-a982-11d2-a9ff-00c04f8eedd8} |
| IMAP Protocol objects | msExchProtocolCfgIMAPContainer | {93da93e4-b09e-11d2-aa06-00c04f8eedd8} |
| IMAP Sessions objects | msExchProtocolCfgIMAPSessions | {99f58672-12e8-11d3-aa58-00c04f8eedd8} |
| IMAP Virtual Server objects | protocolCfgIMAPServer | {a8df74c5-c5ea-11d1-bbcb-0080c76670c0} |
| indexServerCatalog objects | indexServerCatalog | {7bfdcb8a-4807-11d1-a9c3-0000f80367c1} |
| InetOrgPerson objects | inetOrgPerson | {4828cc14-1437-45bc-9b07-ad6f015e5f28} |
| Information Store objects | msExchInformationStore | {031b371a-a981-11d2-a9ff-00c04f8eedd8} |
| infrastructureUpdate objects | infrastructureUpdate | {2df90d89-009f-11d2-aa4c-00c04fd7d83a} |
| Instant Messaging Global Settings objects | msExchIMGlobalSettingsContainer | {9f116eb8-284e-11d3-aa68-00c04f8eedd8} |
| Instant Messaging Protocol objects | msExchProtocolCfgIMContainer | {9f116ea3-284e-11d3-aa68-00c04f8eedd8} |
| Instant Messaging Virtual Server objects | msExchProtocolCfgIMVirtualServer | {9f116eb4-284e-11d3-aa68-00c04f8eedd8} |
| IntelliMirror Group objects | intellimirrorGroup | {07383086-91df-11d1-aebc-0000f80367c1} |
| IntelliMirror Service objects | intellimirrorSCP | {07383085-91df-11d1-aebc-0000f80367c1} |
| Internet Message Formats objects | msExchContentConfigContainer | {ab3a1ace-1df5-11d3-aa5e-00c04f8eedd8} |
| Inter-Site Transport objects | interSiteTransport | {26d97376-6070-11d1-a9c6-0000f80367c1} |
| Inter-Site Transports Container objects | interSiteTransportContainer | {26d97375-6070-11d1-a9c6-0000f80367c1} |
| ipsecBase objects | ipsecBase | {b40ff825-427a-11d1-a9c2-0000f80367c1} |
| ipsecFilter objects | ipsecFilter | {b40ff826-427a-11d1-a9c2-0000f80367c1} |
| ipsecISAKMPPolicy objects | ipsecISAKMPPolicy | {b40ff828-427a-11d1-a9c2-0000f80367c1} |
| ipsecNegotiationPolicy objects | ipsecNegotiationPolicy | {b40ff827-427a-11d1-a9c2-0000f80367c1} |
| ipsecNFA objects | ipsecNFA | {b40ff829-427a-11d1-a9c2-0000f80367c1} |
| ipsecPolicy objects | ipsecPolicy | {b7b13121-b82e-11d0-afee-0000f80367c1} |
| Key Management Server objects | msExchKeyManagementServer | {8ce334ec-b09e-11d2-aa06-00c04f8eedd8} |
| leaf objects | leaf | {bf967a9e-0de6-11d0-a285-00aa003049e2} |
| Licensing Site Settings objects | licensingSiteSettings | {1be8f17d-a9ff-11d0-afe2-00c04fd930c9} |
| linkTrackObjectMoveTable objects | linkTrackObjectMoveTable | {ddac0cf5-af8f-11d0-afeb-00c04fd930c9} |
| linkTrackOMTEntry objects | linkTrackOMTEntry | {ddac0cf7-af8f-11d0-afeb-00c04fd930c9} |
| linkTrackVolEntry objects | linkTrackVolEntry | {ddac0cf6-af8f-11d0-afeb-00c04fd930c9} |
| linkTrackVolumeTable objects | linkTrackVolumeTable | {ddac0cf4-af8f-11d0-afeb-00c04fd930c9} |
| locality objects | locality | {bf967aa0-0de6-11d0-a285-00aa003049e2} |
| lostAndFound objects | lostAndFound | {52ab8671-5709-11d1-a9c6-0000f80367c1} |
| Mail Recipient objects | mailRecipient | {bf967aa1-0de6-11d0-a285-00aa003049e2} |
| meeting objects | meeting | {11b6cc94-48c4-11d1-a9c3-0000f80367c1} |
| Message Delivery Configuration objects | msExchMessageDeliveryConfig | {ab3a1ad7-1df5-11d3-aa5e-00c04f8eedd8} |
| Message Gateway for cc:Mail objects | mailConnector | {a8df74b6-c5ea-11d1-bbcb-0080c76670c0} |
| Message Transfer Agent objects | mTA | {a8df74a7-c5ea-11d1-bbcb-0080c76670c0} |
| mHSMonitoringConfig objects | mHSMonitoringConfig | {a8df74bb-c5ea-11d1-bbcb-0080c76670c0} |
| Microsoft Exchange System Objects objects | msExchSystemObjectsContainer | {0bffa04c-7d8e-44cd-968a-b2cac11d17e1} |
| Monitoring Link Configuration objects | mHSLinkMonitoringConfig | {a8df74b9-c5ea-11d1-bbcb-0080c76670c0} |
| Monitoring Server Configuration objects | mHSServerMonitoringConfig | {a8df74bd-c5ea-11d1-bbcb-0080c76670c0} |
| msCOM-Partition objects | msCOM-Partition | {c9010e74-4e58-4917-8a89-5e3e2340fcf8} |
| msCOM-PartitionSet objects | msCOM-PartitionSet | {250464ab-c417-497a-975a-9e0d459a7ca1} |
| msDS-App-Configuration objects | msDS-App-Configuration | {90df3c3e-1854-4455-a5d7-cad40d56657a} |
| msDS-AppData objects | msDS-AppData | {9e67d761-e327-4d55-bc95-682f875e2f8e} |
| msDS-AzAdminManager objects | msDS-AzAdminManager | {cfee1051-5f28-4bae-a863-5d0cc18a8ed1} |
| msDS-AzApplication | | |
objectsmsDS-AzApplication{ddf8de9b-cba5-4e12-842e-28d8b66f75ec}msDS-AzOperation objectsmsDS-AzOperation{860abe37-9a9b-4fa4-b3d2-b8ace5df9ec5}msDS-AzRole objectsmsDS-AzRole{8213eac9-9d55-44dc-925c-e9a52b927644}msDS-AzScope objectsmsDS-AzScope{4feae054-ce55-47bb-860e-5b12063a51de}msDS-AzTask objectsmsDS-AzTask{1ed3a473-9b1b-418a-bfa0-3a37b95a5306}msExchAddressListServiceContainer objectsmsExchAddressListServiceContainer{b1fce95a-1d44-11d3-aa5e-00c04f8eedd8}msExchBaseClass objectsmsExchBaseClass{d8782c34-46ca-11d3-aa72-00c04f8eedd8}msExchCalendarConnector objectsmsExchCalendarConnector{922180da-b09e-11d2-aa06-00c04f8eedd8}msExchCertificateInformation objectsmsExchCertificateInformation{e8977034-a980-11d2-a9ff-00c04f8eedd8}msExchChatBan objectsmsExchChatBan{e8d0a8a4-a980-11d2-a9ff-00c04f8eedd8}msExchChatChannel objectsmsExchChatChannel{e902ba06-a980-11d2-a9ff-00c04f8eedd8}msExchChatUserClass objectsmsExchChatUserClass{e9a0153a-a980-11d2-a9ff-00c04f8eedd8}msExchConnector objectsmsExchConnector{89652316-b09e-11d2-aa06-00c04f8eedd8}msExchCTP objectsmsExchCTP{00aa8efe-a981-11d2-a9ff-00c04f8eedd8}msExchCustomAttributes objectsmsExchCustomAttributes{00e629c8-a981-11d2-a9ff-00c04f8eedd8}msExchDynamicDistributionList objectsmsExchDynamicDistributionList{018849b0-a981-11d2-a9ff-00c04f8eedd8}msExchGenericPolicy objectsmsExchGenericPolicy{e32977cd-1d31-11d3-aa5e-00c04f8eedd8}msExchGenericPolicyContainer objectsmsExchGenericPolicyContainer{e32977c3-1d31-11d3-aa5e-00c04f8eedd8}msExchIMFirewall objectsmsExchIMFirewall{9f116ebe-284e-11d3-aa68-00c04f8eedd8}msExchIMRecipient objectsmsExchIMRecipient{028502f4-a981-11d2-a9ff-00c04f8eedd8}msExchMailboxManagerPolicy objectsmsExchMailboxManagerPolicy{36f94fcc-ebbb-4a32-b721-1cae42b2dbab}msExchMailStorage objectsmsExchMailStorage{03652000-a981-11d2-a9ff-00c04f8eedd8}msExchMDB objectsmsExchMDB{03d069d2-a981-11d2-a9ff-00c04f8eedd8}msExchMonitorsContainer objectsmsExchMonitorsContainer{03f68f72-a981-11d2-a9ff-00c04f8eedd8}msExchMultiMediaUser 
objectsmsExchMultiMediaUser{1529cf7a-2fdb-11d3-aa6d-00c04f8eedd8}msExchOVVMConnector objectsmsExchOVVMConnector{91ce0e8c-b09e-11d2-aa06-00c04f8eedd8}msExchPrivateMDBProxy objectsmsExchPrivateMDBProxy{b8d47e54-4b78-11d3-aa75-00c04f8eedd8}msExchProtocolCfgHTTPFilter objectsmsExchProtocolCfgHTTPFilter{8c7588c0-b09e-11d2-aa06-00c04f8eedd8}msExchProtocolCfgHTTPFilters objectsmsExchProtocolCfgHTTPFilters{8c58ec88-b09e-11d2-aa06-00c04f8eedd8}msExchProtocolCfgIM objectsmsExchProtocolCfgIM{9f116ea7-284e-11d3-aa68-00c04f8eedd8}msExchProtocolCfgSharedContainer objectsmsExchProtocolCfgSharedContainer{939ef91a-b09e-11d2-aa06-00c04f8eedd8}msExchProtocolCfgSMTPIPAddress objectsmsExchProtocolCfgSMTPIPAddress{8b7b31d6-b09e-11d2-aa06-00c04f8eedd8}msExchProtocolCfgSMTPPAddressContainer objectsmsExchProtocolCfgSMTPPAddressContainer{8b2c843c-b09e-11d2-aa06-00c04f8eedd8}msExchPseudoPF objectsmsExchPseudoPF{cec4472b-22ae-11d3-aa62-00c04f8eedd8}msExchPseudoPFAdmin objectsmsExchPseudoPFAdmin{9ae2fa1b-22b0-11d3-aa62-00c04f8eedd8}msExchPublicFolderTreeContainer objectsmsExchPublicFolderTreeContainer{3582ed82-a982-11d2-a9ff-00c04f8eedd8}msExchSNADSConnector objectsmsExchSNADSConnector{91b17254-b09e-11d2-aa06-00c04f8eedd8}msieee80211-Policy objectsmsieee80211-Policy{7b9a2d92-b7eb-4382-9772-c3e0f9baaf94}MSMail Connector objectsmSMailConnector{a8df74be-c5ea-11d1-bbcb-0080c76670c0}MSMQ Configuration objectsmSMQConfiguration{9a0dc344-c100-11d1-bbc5-0080c75670c0}MSMQ Enterprise objectsmSMQEnterpriseSettings{9a0dc345-c100-11d1-bbc5-0080c76670c0}MSMQ Group objectsmsMQ-Group{46b27aac-aafa-4ffb-b773-e5bf621ee87b}MSMQ Queue Alias objectsmsMQ-Custom-Recipient{876d6817-35cc-436c-acea-5ef7174dd9be}MSMQ Queue objectsmSMQQueue{9a0dc343-c100-11d1-bbc5-0080c76670c0}MSMQ Routing Link objectsmSMQSiteLink{9a0dc346-c100-11d1-bbc5-0080c76670c0}MSMQ Settings objectsmSMQSettings{9a0dc347-c100-11d1-bbc5-0080c76670c0}MSMQ Upgraded User objectsmSMQMigratedUser{50776997-3c3d-11d2-90cc-00c04fd91ab1}msPKI-Enterprise-Oid 
objectsmsPKI-Enterprise-Oid{37cfd85c-6719-4ad8-8f9e-8678ba627563}msPKI-Key-Recovery-Agent objectsmsPKI-Key-Recovery-Agent{26ccf238-a08e-4b86-9a82-a8c9ac7ee5cb}msPKI-PrivateKeyRecoveryAgent objectsmsPKI-PrivateKeyRecoveryAgent{1562a632-44b9-4a7e-a2d3-e426c96a3acc}mS-SQL-OLAPCube objectsmS-SQL-OLAPCube{09f0506a-cd28-11d2-9993-0000f87a57d4}mS-SQL-OLAPDatabase objectsmS-SQL-OLAPDatabase{20af031a-ccef-11d2-9993-0000f87a57d4}mS-SQL-OLAPServer objectsmS-SQL-OLAPServer{0c7e18ea-ccef-11d2-9993-0000f87a57d4}mS-SQL-SQLDatabase objectsmS-SQL-SQLDatabase{1d08694a-ccef-11d2-9993-0000f87a57d4}mS-SQL-SQLPublication objectsmS-SQL-SQLPublication{17c2f64e-ccef-11d2-9993-0000f87a57d4}mS-SQL-SQLRepository objectsmS-SQL-SQLRepository{11d43c5c-ccef-11d2-9993-0000f87a57d4}mS-SQL-SQLServer objectsmS-SQL-SQLServer{05f6c878-ccef-11d2-9993-0000f87a57d4}msTAPI-RtConference objectsmsTAPI-RtConference{ca7b9735-4b2a-4e49-89c3-99025334dc94}msTAPI-RtPerson objectsmsTAPI-RtPerson{53ea1cb5-b704-4df9-818f-5cb4ec86cac1}msWMI-IntRangeParam objectsmsWMI-IntRangeParam{50ca5d7d-5c8b-4ef3-b9df-5b66d491e526}msWMI-IntSetParam objectsmsWMI-IntSetParam{292f0d9a-cf76-42b0-841f-b650f331df62}msWMI-MergeablePolicyTemplate objectsmsWMI-MergeablePolicyTemplate{07502414-fdca-4851-b04a-13645b11d226}msWMI-ObjectEncoding objectsmsWMI-ObjectEncoding{55dd81c9-c312-41f9-a84d-c6adbdf1e8e1}msWMI-PolicyTemplate objectsmsWMI-PolicyTemplate{e2bc80f1-244a-4d59-acc6-ca5c4f82e6e1}msWMI-PolicyType objectsmsWMI-PolicyType{595b2613-4109-4e77-9013-a3bb4ef277c7}msWMI-RangeParam objectsmsWMI-RangeParam{45fb5a57-5018-4d0f-9056-997c8c9122d9}msWMI-RealRangeParam objectsmsWMI-RealRangeParam{6afe8fe2-70bc-4cce-b166-a96f7359c514}msWMI-Rule objectsmsWMI-Rule{3c7e6f83-dd0e-481b-a0c2-74cd96ef2a66}msWMI-ShadowObject objectsmsWMI-ShadowObject{f1e44bdf-8dd3-4235-9c86-f91f31f5b569}msWMI-SimplePolicyTemplate objectsmsWMI-SimplePolicyTemplate{6cc8b2b5-12df-44f6-8307-e74f5cdee369}msWMI-Som 
objectsmsWMI-Som{ab857078-0142-4406-945b-34c9b6b13372}msWMI-StringSetParam objectsmsWMI-StringSetParam{0bc579a2-1da7-4cea-b699-807f3b9d63a4}msWMI-UintRangeParam objectsmsWMI-UintRangeParam{d9a799b2-cef3-48b3-b5ad-fb85f8dd3214}msWMI-UintSetParam objectsmsWMI-UintSetParam{8f4beb31-4e19-46f5-932e-5fa03c339b1d}msWMI-UnknownRangeParam objectsmsWMI-UnknownRangeParam{b82ac26b-c6db-4098-92c6-49c18a3336e1}msWMI-WMIGPO objectsmsWMI-WMIGPO{05630000-3927-4ede-bf27-ca91f275c26f}NNTP Protocol objectsmsExchProtocolCfgrNNPContainer{94162eae-b09e-11d2-aa06-00c04f8eedd8}NNTP Virtual Server objectsprotocolCfgNNTPServer{a8df74cb-c5ea-11d1-bbcb-0080c76670c0}Notes Connector objectsmsExchNotesConnector{04c85e62-a981-11d2-a9ff-00c04f8eedd8}Offline Address List objectsmsExchOAB{3686cdd4-a982-11d2-a9ff-00c04f8eedd8}organization objectsorganization{bf967aa3-0de6-11d0-a285-00aa003049e2}Organizational Unit objectsorganizational Unit{bf967aa5-0de6-11d0-a285-00aa003049e2}organizationalPerson objectsorganizationalPerson{bf967aa4-0de6-11d0-a285-00aa003049e2}organizationalRole objectsorganizational Role{a8df74bf-c5ea-11d1-bbcb-0080c76670c0}packageRegistration objectspackageRegistration{bf967aa6-0de6-11d0-a285-00aa003049e2}person objectsperson{bf967aa7-0de6-11d0-a285-00aa003049e2}physicalLocation objectsphysicalLocation{b7b13122-b82e-11d0-afee-0000f80367c1}pKIEnrollmentService objectspKIEnrollmentService{ee4aa692-3bba-11d2-90cc-00c04fd91ab1}POP Policy objectsmsExchProtocolCfgPOPPolicy{35be884c-a982-11d2-a9ff-00c04f8eedd8}POP Protocol objectsmsExchProtocolCfgPOPContainer{93f99276-b09e-11d2-aa06-00c04f8eedd8}POP Sessions objectsmsExchProtocolCfgPOPSessions{99f58676-12e8-11d3-aa58-00c04f8eedd8}POP Virtual Server objectsprotocolCfgPOPServer{a8df74ce-c5ea-11d1-bbcb-0080c76670c0}Printer objectsprintQueue{bf967aa8-0de6-11d0-a285-00aa003049e2}Private Information Store objectsmsExchPrivateMDB{36145cf4-a982-11d2-a9ff-00c04f8eedd8}Private Information Store Policy 
objectsmsExchPrivateMDBPolicy{35db2484-a982-11d2-a9ff-00c04f8eedd8}protocolCfg objectsprotocolCfg{a8df74c0-c5ea-11d1-bbcb-0080c76670c0}protocolCfgKTTP objectsprotocolCfgHTTP{a8df74c1-c5ea-11d1-bbcb-0080c76670c0}protocolCfgIMAP objectsprotocolCfgIMAP{a8df74c4-c5ea-11d1-bbcb-0080c76670c0}protocolCfgLDAP objectsprotocolCfgLDAP{a8df74c7-c5ea-11d1-bbcb-0080c76670c0}protocolCfgNNTP objectsprotocolCfgNNTP{a8df74ca-c5ea-11d1-bbcb-0080c76670c0}protocolCfgPOP objectsprotocolCfgPOP{a8df74cd-c5ea-11d1-bbcb-0080c76670c0}protocolCfgShared objectsprotocolCfgShared{a8df74d0-c5ea-11d1-bbcb-0080c76670c0}protocolCfgSMTP objectsprotocolCfgSMTP{33f98980-a982-11d2-a9ff-00c04f8eedd8}Public Folder objectspublicFolder{f0f8ffac-1191-11d0-a060-00aa006c33ed}Public Folder Top Level Hierarchy objectsmsExehPFTree{364d9564-a982-11d2-a9ff-00c04f8eedd8}Public Information Store objectsmsExchPublicMDB{3568b3a4-a982-11d2-a9ff-00c04f8eedd8}Public Information Store Policy objectsmsExchPublicMDBPolicy{354c176c-a982-11d2-a9ff-00c04f8eedd8}Query Policy objectsqueryPolicy{83cc7075-cca7-11d0-afff-0000f80367c1}RAS MTA Transport Stack objectsrASStack{a8df74d3-c5ea-11d1-bbcb-0080c76670c0}Recipient Policies objectsmsExchRecipientPolicyContainer{e32977d2-1d31-11d3-aa5e-00c04f8eedd8}Recipient Policy objectsmsExchRecipientPolicy{e32977d8-1d31-11d3-aa5e-00c04f8eedd8}Recipient Update Service objectsmsExchAddressListService{e6a2c260-a980-11d2-a9ff-00c04f8eedd8}Remote Storage Service objectsremoteStorageServicePoint{2a39c5bd-8960-11d1-aebc-0000f80367c1}remoteDXA objectsremoteDXA{a8df74d5-c5ea-11d1-bbcb-0080c76670c0}remoteMailRecipient objectsremoteMailRecipient{bf967aa9-0de6-11d0-a285-00aa003049e2}Replication Connectors objectsmsExchReplicationConnectorContainer{99f5867e-12e8-11d3-aa58-00c04f8eedd8}residentialPerson objectsresidentialPerson{a8df74d6-c5ea-11d1-bbcb-0080c76670c0}rFC822LocalPart objectsrFC822LocalPart{b93e3a78-cbae-485e-a07b-5ef4ae505686}rIDManager 
objectsrIDManager{6617188d-8f3c-11d0-afda-00c04fd930c9}rIDSet objectsrIDSet{7bfdcb89-4807-11d1-a9c3-0000f80367c1}room objectsroom{7860e5d2-c8b0-4cbb-bd45-d9455beb9206}Routing Group Connector objectsmsExchRoutingGroupConnector{899e5b86-b09e-11d2-aa06-00c04f8eedd8}Routing Group objectsmsExchRoutingGroup{35154156-a982-11d2-a9ff-00c04f8eedd8}Routing Groups objectsmsExchRoutingGroupContainer{34de6b40-a982-11d2-a9ff-00c04f8eedd8}RPC Services objectsrpcContainer{80212842-4bdc-11d1-a9c4-0000f80367c1}rpcEntry objectsrpcEntry{bf967aac-0de6-11d0-a285-00aa003049e2}rpcGroup objectsrpcGroup{88611bdf-8cf4-11d0-afda-00c04fd930c9}rpcProfile objectsrpcProfile{88611be1-8cf4-11d0-afda-00c04fd930c9}rpcProfileElement objectsrpcProfileElement{f29653cf-7ad0-11d0-afd6-00c04fd930c9}rpcServer objectsrpcServer{88611be0-8cM-11d0-afda-00c04fd930c9}rpcServerElement objectsrpcServerElement{f29653d0-7ad0-11d0-afd6-00c04fd930c9}rRASAdministrationConnectionPoint objectsrRASAdministrationConnectionPoint{2a39c5be-8960-11d1-aebc-0000f80367c1}rRASAdministrationDictionary objectsrRASAdministrationDictionary{f39b98ae-938d-11d1-aebd-0000f80367c1}samDomain objectssamDomain{bf967a90-0de6-11d0-a285-00aa003049e2}samDomainBase objectssamDomainBase{bf967a91-0de6-11d0-a285-00aa003049e2}samServer objectssamServer{bf967aad-0de6-11d0-a285-00aa003049e2}Schedule+ Free/Busy Connector objectsmsExchSchedulePlusConnector{fb1fce946-1d44-11d3-aa5e-00c04f8eedd8}Schema Attribute objectsattributeSchema{bf967a80-0de6-11d0-a285-00aa003049e2}Schema Container objectsdMD{bf967a8f-0de6-11d0-a285-00aa003049e2}Schema Object objectsclassSchema{bf967a83-0de&-11d0-a285-00aa003049e2}secret objectssecret{bf967aae-0de6-11d0-a285-00aa003049e2}securityObject objectssecurityObject{bf967aaf-0de6-11d0-a285-00aa003049e2}securityPrincipal objectssecurityPrincipal{fbf967ab0-0de6-11d0-a285-00aa003049e2}Server LDAP Protocol objectsprotocolCfgLDAPServer{a8df74c8-c5ea-11d1-bbcb-0080c76670c0}Server 
objectsserver{bf967a92-0de6-11d0-a285-00aa003049e2}Server Protocols objectsprotocolCfgSharedServer{a8df74d1-c5ea-11d1-bbcb-0080c76670c0}Servers Container objectsserversContainer{f780acc0-56f0-11d1-a9c6-0000f80367c1}Service objectsserviceAdministrationPoint{b7b13123-b82e-11d0-afee-0000f80367c1}serviceClass objectsserviceClass{bf967ab1-0de6-11d0-a285-00aa003049e2}serviceConnectionPoint objectsserviceConnectionPoint{28630ec1-41d5-11d1-a9c1-0000f80367c1}serviceInstance objectsserviceInstance{bf967ab2-0de6-11d0-a285-00aa003049e2}Shared Folder objectsvolume{bf967abb-0de6-11d0-a285-00aa003049e2}simpleSecurityObject objectssimpleSecurityObject{5fe69b0b-e146-4f15-b0ab-c1e5d488e094}Site Addressing objectssiteAddressing{a8df74d9-c5ea-11d1-bbcb-0080c76670c0}Site Connector objectssiteConnector{a8df74da-c5ea-11d1-bbcb-0080c76670c0}Site HTTP Protocol objectsprotocolCfgHTTPSite{fa8df74c3-c5ea-11d1-bbcb-0080c76670c0}Site IMAP Protocol objectsprotocolCfgIMAPSite{a8df74c6-c5ea-11d1-bbcb-0080c76670c0}Site LDAP Protocol objectsprotocolCfgLDAPSite{a8df74c9-c5ea-11d1-bbcb-0080c76670c0}Site Link Bridge objectssiteLinkBridge{d50c2cdf-8951-11d1-aebc-0000f80367c1}Site Link objectssiteLink{d50c2cde-8951-11d1-aebc-0000f80367c1}Site MTA Configuration objectsmTACfg{a8df74a8-c5ea-11d1-bbcb-0080c76670c0}Site NNTP Protocol objectsprotocolCfgNNTPSite{a8df74cc-c5ea-11d1-bbcb-0080c76670c0}Site objectssite{bf967ab3-0de6-11d0-a285-00aa003049e2}Site POP Protocol objectsprotocolCfgPOPSite{a8df74cf-c5ea-11d1-bbcb-0080c76670c0}Site Protocols objectsprotocolCfgSharedSite{a8df74d2-c5ea-11d1-bbcb-0080c76670c0}Site Replication Service objectsmsExchSiteReplicatJonService{99f5867b-12e8-11d3-aa58-00c04f8eedd8}Site Settings objectsnTDSSiteSettings{19195a5d-6da0-11d0-afd3-00c04fd930c9}Site SMTP Protocol objectsprotocolCfgSMTPSite{32f0e47a-a982-11d2-a9ff-00c04f8eedd8}Sites Container objectssitesContainer{7a4117da-cd67-11d0-afff-0000f80367c1}SMTP Connector 
objectsmsExchRoutingSMTPConnector{89baf7be-b09e-11d2-aa06-00c04f8eedd8}SMTP Domain objectsprotocolCfgSMTPDomain{33d82894-a982-11d2-a9ff-00c04f8eedd8}SMTP Domains objectsprotocolCfgSMTPDomainContainer{33bb8c5c-a982-11d2-a9ff-00c04f8eedd8}SMTP Policy objectsmsExchProtocolCfgSMTPPolicy{359f89ba-a982-11d2-a9ff-00c04f8eedd8}SMTP Protocol objectsmsExchProtocolCfgSMTPContainer{93bb9552-b09e-11d2-aa06-00c04f8eedd8}SMTP Routing Sources objectsprotocolCfqSMTPRoutingSources{3397c916-a982-11d2-a9ff-00c04f8eedd8}SMTP Sessions objectsprotocolCfgSMTPSessions{8ef628c6-b093-11d2-aa06-00c04f8eedd8}SMTP Turf List objectsmsExchSMTPTurfList{0b836da5-3b20-11d3-aa6f-00c04f8eedd8}SMTP Virtual Server objectsprotocolCfgSMTPServer{3378ca84-a982-11d2-a9ff-00c04f8eedd8}Storage Group objectsmsExchStorageGroup{3435244a-a982-11d2-a9ff-00c04f8eedd8}storage objectsstorage{bf967ab5-0de6-11d0-a285-00aa003049e2}Subnet objectssubnet{b7b13124-b82e-11d0-afee-0000f80367c1}Subnets Container objectssubnetContainer{b7b13125-b82e-11d0-afee-0000f80367c1}subschema objectssubschema{5a8b3261-c38d-11d1-bbc9-0080c76670c0}System Attendant objectsexchangeAdminService{a8df74b2-c5ea-11d1-bbcb-0080c76670c0}System Policies objectsmsExchSystemPolicyContainer{32412a7a-22af-479c-a444-624c0137122e}System Policy objectsmsExchSystemPolicy{ba085a33-8807-4c6c-9522-2cf5a2a5e9c2}TCP (RFC1006) MTA Transport Stack objectsrFC1006Stack{a8df74d7-c5ea-11d1-bbcb-0080c76670c0}TCP (RFC1006) X.400 Connector objectsrFC1006×400Link{a8df74d8-c5ea-11d1-bbcb-0080c76670c0}top objectstop{bf967ab7-0de6-11d0-a285-00aa003049e2}TP4 MTA Transport Stack objectstP4Stack{a8df74db-c5ea-11d1-bbcb-0080c76670c0}TP4 X.400 Connector objectstP4×400Link{a8df74dc-c5ea-11d1-bbcb-0080c76670c0}transportStack objectstransportStack{a8df74dd-c5ea-11d1-bbcb-0080c76670c0}Trusted Domain objectstrustedDomain{bf967ab8-0de6-11d0-a285-00aa003049e2}typeLibrary objectstypeLibrary{281416e2-1968-11d0-a28f-00aa003049e2}User objectsuser{bf967aba-0de6-11d0-a285-00aa003049e2}Video 
Conference Technology Provider objectsmsExchIpConfContainer{99f5866d-12e8-11d3-aa58-00c04f8eedd8}Virtual Chat Network objectsmsExchChatVirtualNetwork{ea5ed15a-a980-11d2-a9ff-00c04f8eedd8}X.25 MTA Transport Stack objectsx25Stack{a8df74de-c5ea-11d1-bbcb-0080c76670c0}X.25 X.400 Connector objectsx25×400Link{a8df74df-c5ea-11d1-bbcb-0080c76670c0}x400Link objectsx400Link{a8df74e0-c5ea-11d1-bbcb-0080c76670c0}

Because the ACE ObjectType deciphering logic can be confusing, Table 4.19 summarizes the logic to follow to decipher this property.

Table 4.19. Summary of the GUID Number Origins for the ACE ObjectType Property

(1) See Table 4.17 for the rightsGUID attribute values of the controlAccessRight objects.

(2) See Table 4.18 for the schemaIDGUID attribute values of the classSchema objects.

The table must be read from left to right, column by column. For instance, one row reads as follows:

Column 1: When the ACE Type property contains one of the values listed in the table (the values are shown as an image in the original) ...

Column 2: ... and if the ACE AccessMask property contains the value listed in the table (shown as an image in the original) ...

Column 3: ... then is that an Extended Right? Yes!

Column 4: In such a case, the GUID number in the ACE ObjectType value refers to the GUID number from the rightsGUID attribute of the controlAccessRight object, ...

Column 5: ... which contains the validAccesses value listed in the table (shown as an image in the original).
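As an added example (not code from the book), the following Python puts the Table 4.19 walk into a single function: given the ACE Type, ACE Flags, AccessMask and ObjectType of one ACE, it reports whether the GUID comes from the rightsGUID of a controlAccessRight object (and with which validAccesses), from the schemaIDGUID of a classSchema object, or from a single attribute. The numeric constants are the ADSI ADS_ACETYPE_ENUM, ADS_FLAGTYPE_ENUM and ADS_RIGHTS_ENUM values. The two lookup dictionaries are constructed for the example: the classSchema rows are copied from Table 4.18 above, while the rightsGUID rows for Send-As, Personal-Information and Self-Membership are well-known entries of the CN=Extended-Rights container that this page does not reproduce, so treat them as assumptions to be checked against your own forest.

```python
"""Decipher the ObjectType GUID of an object-specific Active Directory ACE.

Added example implementing the decision logic of Table 4.19; it is not code
from the book. Constants are the ADSI ADS_ACETYPE_ENUM, ADS_FLAGTYPE_ENUM and
ADS_RIGHTS_ENUM values. The lookup tables are constructed: schemaIDGUID rows
are copied from Table 4.18; the rightsGUID rows are well-known entries of
CN=Extended-Rights that this page does not reproduce (assumption).
"""
from typing import Dict, Optional, Tuple
from uuid import UUID

# ADS_ACETYPE_ENUM members that carry an ObjectType GUID:
# ACCESS_ALLOWED_OBJECT, ACCESS_DENIED_OBJECT, SYSTEM_AUDIT_OBJECT
OBJECT_ACE_TYPES = {0x5, 0x6, 0x7}
# ADS_FLAGTYPE_ENUM: the ObjectType field is only meaningful with this flag
ADS_FLAG_OBJECT_TYPE_PRESENT = 0x1
# ADS_RIGHTS_ENUM bits that decide where the ObjectType GUID comes from
ADS_RIGHT_DS_CREATE_CHILD = 0x1
ADS_RIGHT_DS_DELETE_CHILD = 0x2
ADS_RIGHT_DS_SELF = 0x8            # validated write
ADS_RIGHT_DS_READ_PROP = 0x10
ADS_RIGHT_DS_WRITE_PROP = 0x20
ADS_RIGHT_DS_CONTROL_ACCESS = 0x100
PROP_MASK = ADS_RIGHT_DS_READ_PROP | ADS_RIGHT_DS_WRITE_PROP
CHILD_MASK = ADS_RIGHT_DS_CREATE_CHILD | ADS_RIGHT_DS_DELETE_CHILD

# Constructed CN=Extended-Rights view: rightsGUID -> (cn, validAccesses)
EXTENDED_RIGHTS: Dict[UUID, Tuple[str, int]] = {
    UUID("ab721a54-1e2f-11d0-9819-00aa0040529b"): ("Send-As", ADS_RIGHT_DS_CONTROL_ACCESS),
    UUID("77b5b886-944a-11d1-aebd-0000f80367c1"): ("Personal-Information", PROP_MASK),
    UUID("bf9679c0-0de6-11d0-a285-00aa003049e2"): ("Self-Membership", ADS_RIGHT_DS_SELF),
}
# Constructed classSchema view: schemaIDGUID -> lDAPDisplayName (Table 4.18)
CLASS_SCHEMA: Dict[UUID, str] = {
    UUID("bf967aba-0de6-11d0-a285-00aa003049e2"): "user",
    UUID("bf967a9c-0de6-11d0-a285-00aa003049e2"): "group",
    UUID("bf967aa5-0de6-11d0-a285-00aa003049e2"): "organizationalUnit",
    UUID("8297931e-86d3-11d0-afda-00c04fd930c9"): "controlAccessRight",
}


def _right_named(guid: UUID, valid_accesses: int) -> Optional[str]:
    """cn of the controlAccessRight with this rightsGUID and validAccesses."""
    entry = EXTENDED_RIGHTS.get(guid)
    return entry[0] if entry is not None and entry[1] == valid_accesses else None


def decipher(ace_type: int, ace_flags: int, access_mask: int,
             object_type: Optional[str]) -> Dict[str, Optional[str]]:
    """Walk Table 4.19 left to right for one ACE and report the GUID's origin.

    origin: 'extended-right' (rightsGUID, validAccesses 0x100), 'property-set'
    (rightsGUID, 0x30), 'validated-write' (rightsGUID, 0x8), 'class'
    (schemaIDGUID of a classSchema), 'attribute' (schemaIDGUID of an
    attributeSchema) or None. name is None when the GUID is not in the tables.
    """
    if ace_type not in OBJECT_ACE_TYPES:
        return {"origin": None, "name": None, "reason": "not an object ACE type"}
    if not ace_flags & ADS_FLAG_OBJECT_TYPE_PRESENT or object_type is None:
        # Without the flag the ACE applies to the whole object, not to one GUID
        return {"origin": None, "name": None, "reason": "ObjectType not present"}
    guid = UUID(object_type)
    # A mask combining several bits is classified by the first matching test
    if access_mask & ADS_RIGHT_DS_CONTROL_ACCESS:
        return {"origin": "extended-right",
                "name": _right_named(guid, ADS_RIGHT_DS_CONTROL_ACCESS), "reason": None}
    if access_mask & PROP_MASK:
        name = _right_named(guid, PROP_MASK)
        if name is not None:
            return {"origin": "property-set", "name": name, "reason": None}
        # Not a property set: the GUID names a single attrib (attributeSchema)
        return {"origin": "attribute", "name": None, "reason": None}
    if access_mask & ADS_RIGHT_DS_SELF:
        return {"origin": "validated-write",
                "name": _right_named(guid, ADS_RIGHT_DS_SELF), "reason": None}
    if access_mask & CHILD_MASK:
        return {"origin": "class", "name": CLASS_SCHEMA.get(guid), "reason": None}
    return {"origin": None, "name": None, "reason": "AccessMask does not use ObjectType"}


if __name__ == "__main__":
    # Constructed ACEs: the three Extended Rights samples and a create-child ACE
    for ace in [(0x5, 0x1, 0x100, "ab721a54-1e2f-11d0-9819-00aa0040529b"),
                (0x5, 0x1, 0x30, "77b5b886-944a-11d1-aebd-0000f80367c1"),
                (0x5, 0x1, 0x8, "bf9679c0-0de6-11d0-a285-00aa003049e2"),
                (0x5, 0x1, 0x1, "bf967aba-0de6-11d0-a285-00aa003049e2")]:
        print(ace[3], hex(ace[2]), decipher(*ace))
```

The order of the tests matters: the AccessMask is checked before the GUID is looked up, because the same GUID can legitimately appear in the rightsGUID of one object and the schemaIDGUID of another (Self-Membership and the member attribute share bf9679c0-…), and only the mask tells you which table to consult. In a real audit the two dictionaries would be filled from LDAP queries against CN=Extended-Rights and CN=Schema rather than typed in.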

To customize the three Extended Rights samples shown in Figure 4.22, the following command lines must be used:

For the “Personal Information” Extended Right:

(command line shown as an image in the original)

For the “Send As” Extended Right:

(command line shown as an image in the original)

For the “Add/Remove self as member” Extended Right:

(command line shown as an image in the original)

To customize the ACE inheritance shown in Figure 4.28 (“The ACE ObjectType property used to grant or deny the creation or deletion of objects from a particular class”), the following command line must be used:

(command line shown as an image in the original)

Since we manipulate a security descriptor coming from Active Directory, the ADSI security descriptor access method is used. The /ADSI+ switch is specified for every command line. Note that the WMI access method can also be used for this example, since we manage the DACL of the security descriptor. However, as we have seen in section 4.4.4 (“Which access technique to use? Which security descriptor representation do we obtain?”), the SACL access of an Active Directory security descriptor via WMI is not supported.

The command-line input is always based on the various deciphering outputs previously seen and the content of:

Table 4.14, “The Active Directory Object ACE AccessMask Values—Standard View”

Table 4.15, “The Active Directory Object ACE AccessMask Values—Advanced View”

Table 4.16, “The Active Directory Objects ACE Flags Values”

Table 4.17, “Extended Rights Available in Active Directory under Windows Server 2003 (Exchange 2000 Extended Rights Included)”

Table 4.18, “The schemaIDGUID GUID Number with Its Class Names”

Table 4.19, “Summary of the GUID Number Origins for the ACE ObjectType Property”


URL: https://www.sciencedirect.com/science/article/pii/B9781555582999500100

Security Guidance for Citrix XenApp Server

Tariq Bin Azad, in Securing Citrix Presentation Server in the Enterprise, 2008

Organizational Units

To organize Active Directory objects within this single domain, organizational units can be used. Organizational units (OUs) are containers that allow you to store users, computers, groups, and other OUs. By placing objects in different organizational units, you can design the layout of Active Directory to take the same shape as your company's logical structure, without creating separate domains. As shown in Figure 5.3, you can create OUs for different areas of your business, such as departments, functions, or locations. The users, computers, and groups relating to each area can then be stored inside the OU, so that you can find and manage them as a single unit.


Figure 5.3. Organization Units Can Contain Other Active Directory Objects

Organizational units are the smallest Active Directory unit to which you can delegate administrative authority. When you delegate authority, you give specific users or groups the ability to manage the users and resources in an OU. For example, you can give the manager of a department the ability to administer users within that department, thereby alleviating the need for you (the network administrator) to do it.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492812000056

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

Configuring a Fine-Grain Password Policy

Two new Active Directory object classes have been added to the Active Directory schema to support fine-grain policies. Policies are configured under a Password Settings Container (PSC). The actual policy objects themselves are called Password Settings objects (PSOs). Creating a PSO involves using a lower-level Active Directory editing tool than you might be familiar with. There are two ways to do it. One is with the ADSI Edit graphical utility. The other is by using ldifde to script the operation at the command line. In this chapter, we'll be using ADSI Edit:

1. Open ADSI Edit by clicking Start | Run and typing adsiedit.msc.

2. Right-click on the ADSI Edit node in the leftmost pane and click Connect to. (See Figure 3.6.)

Figure 3.6. Bringing Up the Connections Settings Dialog

3. Accept the default naming context which appears in the Name: text box or type in the fully qualified domain name (FQDN) of the domain you want to use. Click OK. (See Figure 3.7.)

Figure 3.7. The Name: Text Box

4. Expand the Default naming context node (if present), expand your DC=DomainName node (here, DC=syngress,DC=com), and double-click on the CN=System node.

5. Right-click on the CN=Password Settings Container node and select New | Object, as shown in Figure 3.8.

Figure 3.8. Creating the New Object in ADSI Edit

6. In the Create Object dialog box, select msDS-PasswordSettings and click Next. (See Figure 3.9.)

Figure 3.9. Selecting the msDS-PasswordSettings Option

7. In the Create Object dialog box, enter the desired name for your PSO in the Value: text box (here, psoUsers) and click Next. (See Figure 3.10.)

Figure 3.10. Entering the PSO Name

8. Configure the appropriate value for each of the password and account lockout policy settings. All are required. Refer to the list after Figure 3.11 for more details on each setting.

Figure 3.11. Configuring the Fine-grain Settings

msDS-PasswordSettingsPrecedence Sets the precedence value for deciding conflicts when more than one fine-grain policy applies to a user. Values greater than 0 are acceptable.

msDS-PasswordReversibleEncryptionEnabled Equivalent to the Store passwords using reversible encryption group policy setting. Acceptable values are TRUE and FALSE.

msDS-PasswordHistoryLength Equivalent to the Enforce password history group policy setting. Acceptable values are 0 through 1024.

msDS-PasswordComplexityEnabled Equivalent to the Passwords must meet complexity requirements group policy setting. Acceptable values are TRUE and FALSE.

msDS-MinimumPasswordLength Equivalent to the Minimum password length group policy setting. Acceptable values are 0 through 255.

msDS-MinimumPasswordAge Equivalent to the Minimum password age group policy setting. Acceptable values are (None) and days:hours:minutes:seconds (e.g., 1:00:00:00 equals one day) through the value configured for msDS-MaximumPasswordAge.

msDS-MaximumPasswordAge Equivalent to the Maximum password age group policy setting. Acceptable settings are (Never) and the msDS-MinimumPasswordAge value through (Never). This value cannot be set to 0. It follows the days:hours:minutes:seconds format (e.g., 1:00:00:00 equals one day).

msDS-LockoutThreshold Equivalent to the Account lockout threshold group policy setting. Acceptable settings are 0 through 65535.

msDS-LockoutObservationWindow Equivalent to the Reset account lockout counter after group policy setting. Acceptable values are (None) and 00:00:00:01 through the msDS-LockoutDuration value.

msDS-LockoutDuration Equivalent to the Account lockout duration group policy setting. Acceptable values are (None), (Never), and the msDS-LockoutObservationWindow value through (Never). This value follows the days:hours:minutes:seconds format (e.g., 1:00:00:00 equals one day).

9. After specifying the preceding values, click the More Attributes button, as shown in Figure 3.12.

Figure 3.12. The More Attributes Button

10. Although it is not required, at this point you can specify to which users or groups the fine-grain policy will apply. You can also do this in Active Directory Users and Computers (covered later). To configure this during PSO object creation:

Set Select which properties to view: to either Optional or Both.

Set Select a property to view: to msDS-PSOAppliesTo.

Enter a distinguished name (DN) for a user or global security group in the Edit Attribute: text box and click Add. Multiple users and groups can be added and removed. When done, click OK. (See Figure 3.13.)

Figure 3.13. Associating Users and Global Security Groups

11. Click Finish in the Create Object dialog box. When done, ADSI Edit should resemble Figure 3.14.

Figure 3.14. The ADSI Utility
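The chapter mentions ldifde as the scripted alternative to the ADSI Edit procedure above. The catch when going that route is that the day:hour:minute:second values ADSI Edit displays are not what ldifde accepts: on the wire the four interval attributes are signed 64-bit counts of 100-nanosecond units, stored as negative numbers, with (Never) represented as the most negative 64-bit integer. The following Python is an added example (not from the book) that converts the ADSI Edit notation, applies the range and ordering rules listed under step 8, and renders the LDIF record for an ldifde import. The domain DN, PSO name and the group it applies to are placeholders taken from the screenshots' example values.

```python
"""Build an ldifde import file for a fine-grained password policy (PSO).

Added example, not from the book: it converts the day:hour:minute:second
values ADSI Edit displays into the signed 64-bit 100-nanosecond intervals
that ldifde expects, applies the range and ordering rules listed for the
msDS-PasswordSettings attributes, and emits the LDIF. The domain, PSO name
and group DN are placeholders.
"""
import math
from typing import Dict, List

NEVER_I8 = -(2 ** 63)              # "(Never)" is INT64_MIN on the wire
HUNDRED_NS_PER_SECOND = 10_000_000

REQUIRED = (
    "msDS-PasswordSettingsPrecedence", "msDS-PasswordReversibleEncryptionEnabled",
    "msDS-PasswordHistoryLength", "msDS-PasswordComplexityEnabled",
    "msDS-MinimumPasswordLength", "msDS-MinimumPasswordAge",
    "msDS-MaximumPasswordAge", "msDS-LockoutThreshold",
    "msDS-LockoutObservationWindow", "msDS-LockoutDuration",
)
INTERVALS = ("msDS-MinimumPasswordAge", "msDS-MaximumPasswordAge",
             "msDS-LockoutObservationWindow", "msDS-LockoutDuration")
RANGES = {"msDS-PasswordHistoryLength": (0, 1024),
          "msDS-MinimumPasswordLength": (0, 255),
          "msDS-LockoutThreshold": (0, 65535)}


def parse_interval(text: str) -> float:
    """ADSI Edit notation -> seconds: '(None)' is 0, '(Never)' is infinity."""
    t = text.strip()
    if t == "(None)":
        return 0.0
    if t == "(Never)":
        return math.inf
    days, hours, minutes, seconds = (int(p) for p in t.split(":"))
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def seconds_to_i8(seconds: float) -> int:
    """LDIF value: a negative count of 100-ns units, or INT64_MIN for Never."""
    if math.isinf(seconds):
        return NEVER_I8
    return -int(round(seconds * HUNDRED_NS_PER_SECOND))


def validate_pso(pso: Dict[str, str]) -> List[str]:
    """Return the rule violations (an empty list means the PSO is acceptable)."""
    errors = [f"missing attribute {k}" for k in REQUIRED if k not in pso]
    if errors:
        return errors
    if int(pso["msDS-PasswordSettingsPrecedence"]) < 1:
        errors.append("msDS-PasswordSettingsPrecedence must be greater than 0")
    for key, (lo, hi) in RANGES.items():
        if not lo <= int(pso[key]) <= hi:
            errors.append(f"{key} must be between {lo} and {hi}")
    for key in ("msDS-PasswordReversibleEncryptionEnabled", "msDS-PasswordComplexityEnabled"):
        if pso[key] not in ("TRUE", "FALSE"):
            errors.append(f"{key} must be TRUE or FALSE")
    min_age, max_age, window, duration = (parse_interval(pso[k]) for k in INTERVALS)
    if max_age == 0:
        errors.append("msDS-MaximumPasswordAge cannot be (None)")
    elif min_age > max_age:
        errors.append("msDS-MinimumPasswordAge must not exceed msDS-MaximumPasswordAge")
    if window > duration:
        errors.append("msDS-LockoutObservationWindow must not exceed msDS-LockoutDuration")
    return errors


def build_pso_ldif(name: str, domain_dn: str, pso: Dict[str, str],
                   applies_to: List[str]) -> str:
    """Render the 'changetype: add' record that ldifde -i imports."""
    problems = validate_pso(pso)
    if problems:
        raise ValueError("; ".join(problems))
    lines = [f"dn: CN={name},CN=Password Settings Container,CN=System,{domain_dn}",
             "changetype: add", "objectClass: msDS-PasswordSettings"]
    for key in REQUIRED:
        value = pso[key]
        if key in INTERVALS:   # only the four interval attributes are converted
            value = str(seconds_to_i8(parse_interval(value)))
        lines.append(f"{key}: {value}")
    lines.extend(f"msDS-PSOAppliesTo: {dn}" for dn in applies_to)
    return "\n".join(lines) + "\n"


# Constructed policy using the page's placeholder domain and PSO name
SAMPLE_PSO = {
    "msDS-PasswordSettingsPrecedence": "10",
    "msDS-PasswordReversibleEncryptionEnabled": "FALSE",
    "msDS-PasswordHistoryLength": "24",
    "msDS-PasswordComplexityEnabled": "TRUE",
    "msDS-MinimumPasswordLength": "12",
    "msDS-MinimumPasswordAge": "1:00:00:00",
    "msDS-MaximumPasswordAge": "42:00:00:00",
    "msDS-LockoutThreshold": "5",
    "msDS-LockoutObservationWindow": "0:00:30:00",
    "msDS-LockoutDuration": "0:00:30:00",
}

if __name__ == "__main__":
    print(build_pso_ldif("psoUsers", "DC=syngress,DC=com", SAMPLE_PSO,
                         ["CN=Domain Users,CN=Users,DC=syngress,DC=com"]))
```

Save the printed record as pso.ldf and import it with ldifde -i -f pso.ldf on a domain controller. The validation mirrors the constraints listed under step 8: a maximum age of (None) is rejected outright, and the two pairs (minimum/maximum age, observation window/lockout duration) are compared as durations, where (Never) is treated as the longest possible duration so that it always satisfies the ordering.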


URL: https://www.sciencedirect.com/science/article/pii/B9781597492805000031

The Exchange Management Shell

Tony Redmond, in Microsoft Exchange Server 2007 with SP1, 2008

4.3.8 Contacts

Mail-enabled contacts are Active Directory objects that point to someone outside our organization that we want to communicate with, such as users of a different email system within the same company or users in an external company that we do business with. Contacts have SMTP email addresses and appear in the GAL. Providing that you know the email address of the contact, creating it through EMS is trivial:

(command shown as an image in the original)

If you have an existing contact in Active Directory, you can enable it for mail with the Enable-MailContact command:

(command shown as an image in the original)

To disable a mail contact, use the Disable-MailContact command:

(command shown as an image in the original)

Disabling a mail contact leaves it in Active Directory but removes the properties that allow users to email the contact and allow Exchange to list the contact in the GAL. If you want to remove a contact completely, use the Remove-MailContact command:

(command shown as an image in the original)

Use the Set-MailContact command to perform subsequent operations to update existing contacts. For example, to set a contact so that it always receives MAPI rich text format messages:

(command shown as an image in the original)

Note that the New-Contact and Get-Contact commands are also available. These commands operate on the basic contact objects in Active Directory and do not manipulate the properties used by Exchange.


URL: https://www.sciencedirect.com/science/article/pii/B9781555583552500076

The WMI Providers

Alain Lissoir, in Leveraging WMI Scripting, 2003

3.6.1.5 Debugging Active Directory providers

If you experience trouble managing Active Directory objects with the WMI Active Directory providers, it is possible to trace the provider's activity in a log file. Trace logging is activated by configuring a set of registry keys. The registry keys are located at:

Note that other WMI providers, such as SNMP providers, also support activity trace logging (see Table 3.53). They use the same set of registry key names but from a different registry hive, as shown in Figure 3.34; the SNMP providers use the “WBEMSNMP” hive.

Table 3.53. Enabling the Trace Logging of a WMI Provider

Key name: File
Description: Full path and file name of the log file. The default value is %windir%\system32\wbem\logs. The Type named value must be set to “File” for this named value to be used.

Key name: Level
Description: A 32-bit logical mask that defines the type of debugging output generated by the provider. This value is provider-dependent. The default value is 0 (zero).

Key name: MaxFileSize
Description: Maximum file size (in bytes) of the log file. This integer value must be in the range 1024 to 2^32-1. When the file size exceeds this value, the file is renamed to ~filename and a new, empty log file is created. The disk space required for the log file is therefore twice the value of MaxFileSize. The default value is 65,535.

Key name: Type
Description: Can be set to “File” or “Debugger”. If set to “File”, the trace information is written to the log file specified in the File named value. The default value is “File”.

Figure 3.34. The registry hive for the four WMI providers supporting activity logging.

Once logging for the Active Directory WMI providers is started, the DSProvider.LOG file contains trace information and error messages for the Directory Service providers. The Level registry key is set to zero by default and can remain zero for the Active Directory providers. However, tracing other providers (e.g., the SNMP providers) may require specific values; the required values are determined by the provider implementation. To give a simple trace example, if the script (Sample 3.53, “Creating an Active Directory user object with WMI”) is executed a second time, it will return an error, since the user already exists. The output will be as follows:

From a WMI perspective, the returned error message “Generic Failure” is not enough to determine the source of the problem. Of course, it is always possible to instantiate an SWBemLastError object, but in this particular case it will not give much more information about the problem. However, looking at DSProvider.LOG shows the following information:

From lines 1 through 30, we see the activity generated by the Active Directory provider to create the ds_user instance. At line 31, we see the instance creation, followed by the Put_ method invocation (lines 34 and 35). From lines 36 through 398, we see the list of attributes that will be set. Because the user instance already exists in Active Directory, trying to set all of these attributes generates an error, since some attributes can only be set by the system itself (see section 3.6.1.1, “Creating and updating objects in Active Directory”). The end result is error number 80072035 (line 399). By looking in the Active Directory Platform SDK, we can determine that an error of the form 8007* is a Win32 error. In such a case the rightmost part of the error number (2035 in hexadecimal) must be converted to a decimal value, which gives 8,245. If we run the command “NET HELPMSG 8245” from the command line, we get the informational message: “The server is unwilling to process the request.” This makes sense, since the script attempts an illegal Active Directory operation: updating all attributes available on the existing user object, including those that can only be updated by the system.
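The hexadecimal-to-NET HELPMSG conversion just described, as an added PowerShell example that is not part of the book. It decodes any WMI/COM HRESULT, not just the 80072035 from this trace: the high bit is the failure flag, bits 16 to 26 are the facility, and the low 16 bits are the facility-specific code; when the facility is 7 (Win32) the low word is an ordinary Win32 error number, and the .NET Win32Exception class returns the same text as NET HELPMSG. The function name is my own.

```powershell
# Added example (not from the book): decode an HRESULT such as 80072035 from
# DSProvider.LOG into its facility and code, and resolve Win32 codes to the
# message text that "NET HELPMSG <code>" would print.
function ConvertFrom-WmiHResult {
    param(
        [Parameter(Mandatory)]
        [string]$HexHResult    # e.g. '80072035' or '0x80072035'
    )

    # Strip an optional 0x prefix and parse as an unsigned 32-bit value.
    $hr       = [Convert]::ToUInt32(($HexHResult -replace '^0[xX]', ''), 16)
    $failed   = ($hr -band 0x80000000) -ne 0      # severity bit
    $facility = ($hr -shr 16) -band 0x1FFF        # 11-bit facility field
    $code     = [int]($hr -band 0xFFFF)           # low word

    $message = $null
    if ($facility -eq 7) {
        # FACILITY_WIN32: the low word is a Win32 error number. Win32Exception
        # looks the text up with FormatMessage, like NET HELPMSG does.
        $message = (New-Object System.ComponentModel.Win32Exception($code)).Message
    }

    [pscustomobject]@{
        HResult   = ('0x{0:X8}' -f $hr)
        Failed    = $failed
        Facility  = $facility
        IsWin32   = ($facility -eq 7)
        Code      = $code            # decimal value to pass to NET HELPMSG
        Message   = $message
    }
}

# The error number from the trace discussed in the text:
ConvertFrom-WmiHResult '80072035' | Format-List
```

For the trace's value the function reports facility 7 and code 8245, the number the text feeds to NET HELPMSG, together with the message “The server is unwilling to process the request.” For HRESULTs from other facilities (for example WMI's own WBEM error codes, which do not use facility 7) the Message field stays empty rather than guessing.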


URL: https://www.sciencedirect.com/science/article/pii/B9781555582999500094

MCSE 70-293: Planning, Implementing, and Maintaining a Security Framework

Martin Grasdal, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-293) Study Guide, 2003

Active Directory Permissions

AD permissions are set on any AD object, as follows:

1. Select Start | Administrative Tools | Active Directory Users and Computers.

2. Select View | Advanced Features.

3. Right-click the object you wish to set permissions on and select the Properties option.

4. Select the Security tab and choose Advanced. You will see all of the available permissions for this object.

5. Click Add to add permissions and type the name of the user, computer, or group you wish to add. Then click OK.

6. In the Permission Entry for Objectname dialog, select the Allow or Deny options on the Object and Properties tabs. Objectname is whatever you chose to set the permission on in step 3 above.

Object permissions in AD have many rights, such as the following:

Extended Rights: Used for special operations within AD that are not related to either Read or Write access, such as Change Password, which allows a password to be changed if the original password is known.

Validated Writes: Include value checking, which ensures that the changed value meets specific requirements. An example is the Validated Write Add/Remove Self As a Member, which applies to a group and allows members to add or remove themselves from that group.

Property Set: A group of properties that share a specific set of rights, rather than individual rights. An example is Domain Password, which is managed through the user interface using the Domain Security Policy Group Policy Object (GPO).

Most of the time, when setting permissions on AD objects (and for assigning permissions in general) you should use groups rather than individual user accounts to control access. If one set of users needs Read permissions, and another set of users needs Change permissions, then create one group for each set of users and assign the permissions to the group. If multiple global groups need the same access, create a local group containing the global groups and assign permissions to the local group.
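The scripted equivalent of the six GUI steps above, as an added example that is not from the book: it grants a group (not an individual account, following the advice just given) the Reset Password extended right on user objects under one OU, then reads the ACL back. It assumes the ActiveDirectory PowerShell module and its AD: drive are available and that the OU and group named below exist; those names are sample values.

```powershell
# Added example (not from the book): delegate the "Reset Password" extended
# right to a group on all user objects below an OU, then verify the ACE.
Import-Module ActiveDirectory

$ouDn    = 'OU=Staff,DC=contoso,DC=com'    # assumed target OU
$group   = 'HelpDesk-PasswordReset'        # assumed security group
$rootDse = Get-ADRootDSE

# Extended rights are controlAccessRight objects under CN=Extended-Rights in
# the Configuration naming context; rightsGuid is the value that ends up in
# the ACE's ObjectType field.
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
    -LDAPFilter '(&(objectClass=controlAccessRight)(displayName=Reset Password))' `
    -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

# schemaIDGUID of the user class restricts the ACE to user objects only.
$userClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' `
    -Properties schemaIDGUID
$userClassGuid = [guid]$userClass.schemaIDGUID

# Build the ACE: Allow / ExtendedRight / this right / on descendant user objects.
$sid      = (Get-ADGroup -Identity $group).SID
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid
)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs

# Same effect as Add + Allow in the Advanced Security dialog.
$acl = Get-Acl -Path "AD:\$ouDn"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Read back: explicit entries show IsInherited = False. Keep in mind that an
# explicit Deny for the same group would take precedence over this Allow.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$group" } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights,
                 ObjectType, InheritedObjectType, IsInherited -AutoSize
```

Looking the GUIDs up in the schema and the Extended-Rights container, rather than hard-coding them, keeps the script correct in any forest and makes it clear where the ObjectType and InheritedObjectType values in the resulting ACE come from.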

Exam Warning

Any object that has an explicit Allow permission entry cannot be overridden by the inherited Deny permission. Explicit permissions will always take precedence over inherited permissions. However, the explicit Deny permission always takes precedence over all other permissions.

You should try to minimize the total number of individual permissions that are published to child objects in AD. This can become a real performance issue if the total size of all the AD permissions approaches the limits of the disk storage space or the memory and processing capacity of your domain controller.


URL: https://www.sciencedirect.com/science/article/pii/B9781931836937500154

Microsoft Windows Server 2008

Aaron Tiensivu, in Securing Windows Server 2008, 2008

Prerequisites

Since BitLocker Active Directory backup stores information in Active Directory objects, you need to extend the schema to support the storage of BitLocker-specific data. Schema extensions and scripts for enabling the Active Directory backup functionality are included in a downloadable toolkit from Microsoft. To access the download follow this link: http://go.microsoft.com/fwlink/?LinkId=78953. After extraction, the following sample scripts should help with the implementation:

Add-TPMSelfWriteACE.vbs

BitLockerTPMSchemaExtension.ldf

List-ACEs.vbs

Get-TPMOwnerInfo.vbs

Get-BitLockerRecoveryInfo.vbs

Note

BitLocker recovery information is stored in Active Directory attributes flagged as confidential. The confidential flag is a feature introduced in Windows Server 2003 Service Pack 1 and provides advanced access control for sensitive data. With this feature, only domain administrators and authorized users have read access to those attributes. Therefore, Active Directory backup for BitLocker recovery information should be implemented only if your domain controllers are running Windows Server 2003 Service Pack 1, Windows Server 2003 R2, or Windows Server 2008, ensuring that backed-up BitLocker information is properly protected.
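A check for the two prerequisites above, as an added example that is not part of the book or of Microsoft's toolkit: it confirms that the schema extension is present, that the recovery attributes actually carry the confidential bit in searchFlags, and which operating system each domain controller runs. It assumes the ActiveDirectory PowerShell module; the list of schema objects checked is my assumption about what BitLockerTPMSchemaExtension.ldf adds, and the function name is my own.

```powershell
# Added example (not from the book): verify BitLocker AD-backup prerequisites.
Import-Module ActiveDirectory

function Test-BitLockerAdBackupSchema {
    $rootDse      = Get-ADRootDSE
    $CONFIDENTIAL = 0x80   # fCONFIDENTIAL bit of the searchFlags attribute

    # Schema objects the BitLocker/TPM extension is assumed to add.
    $schemaChecks = @(
        @{ Name = 'msFVE-RecoveryInformation'; Kind = 'classSchema' }
        @{ Name = 'msFVE-RecoveryPassword';    Kind = 'attributeSchema' }
        @{ Name = 'msFVE-KeyPackage';          Kind = 'attributeSchema' }
        @{ Name = 'msTPM-OwnerInformation';    Kind = 'attributeSchema' }
    )

    foreach ($c in $schemaChecks) {
        $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
            -LDAPFilter "(&(objectClass=$($c.Kind))(lDAPDisplayName=$($c.Name)))" `
            -Properties searchFlags

        [pscustomobject]@{
            SchemaObject = $c.Name
            Kind         = $c.Kind
            Present      = [bool]$obj
            # Only attributes carry searchFlags; a class gets no verdict here.
            Confidential = $(if ($obj -and $c.Kind -eq 'attributeSchema') {
                                ($obj.searchFlags -band $CONFIDENTIAL) -ne 0
                            } else { $null })
        }
    }
}

# 1. Schema extension present, and recovery attributes flagged confidential?
Test-BitLockerAdBackupSchema | Format-Table -AutoSize

# 2. Every DC must honour the confidential flag (Windows Server 2003 SP1 or
#    later), so list the OS and service pack of each domain controller.
Get-ADDomainController -Filter * |
    Format-Table HostName, OperatingSystem, OperatingSystemServicePack -AutoSize
```

A row with Present = False means the LDIF has not been imported yet; an attribute row with Confidential = False means recovery data would be readable by anyone with ordinary read access to the computer object, which defeats the purpose of the backup.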


URL: https://www.sciencedirect.com/science/article/pii/B9781597492805000055

MCSA/MCSE 70-294: Active Directory Infrastructure Overview

Michael Cross, ... Dr. Thomas W. Shinder (Technical Editor), in MCSE (Exam 70-294) Study Guide, 2003

Role-Based Access Control

Access control can be managed based on the role an Active Directory object plays in an organization. Since objects represent users, computers, and other tangible elements of an organization, and these people and things serve different purposes in a company, it makes sense to configure these objects so that they reflect the tasks they perform. Role-based administration is used to configure object settings, so that computers and users have the necessary permissions needed to do their jobs based on the roles they fill.

The roles that users and computers are assigned correspond to the functions they serve in a company. Two categories of roles can be used for role-based access control: authorization and computer configuration.

Authorization roles are based on the tasks a person performs as part of his or her job. For example, Help Desk personnel would need the ability to change passwords, while accountants would need to be able to access financial information and audit transactions. Using role-based access control, you can give each person the access he or she needs to perform these tasks.

Authorization roles are similar to security groups, to which users can become members and acquire a level of security that gives them the ability to perform certain tasks. However, authorization roles differ in that they are used for applications. Role-based access can be applied to a single application, set of applications, or a scope within the application. Another important difference is that role-based authorization can be dynamic, so that users become part of a group membership as an application runs. This is different from security groups that require membership to be set beforehand.

In the same way that users have different purposes in a company, so do computers. A business might have DCs, mail servers, file servers, Web servers, and any number of other machines providing services to users and applications in an organization. Computer configuration roles are used to control which features, services, and options should be installed and configured on a machine, based on the function it serves in the company.

What are the two basic types of Active Directory objects?

There are two types of AD objects, which are: Container objects: These objects can contain other objects within them. Groups and organizational units (OUs) are examples of container objects. Leaf objects: Leaf objects cannot contain other objects.

What are the objects of Active Directory?

The Active Directory database (directory) contains information about the AD objects in the domain. Common types of AD objects include users, computers, applications, printers and shared folders. Some objects can contain other objects (which is why you'll see AD described as “hierarchical”).

How many objects are in Active Directory?

So, the right question would be: How many types of objects in AD are there? The answer to that question is that there are 12 types of objects in Active Directory.

How many types of Active Directory are there?

There are technically 7 different types of Active Directory. Each of them is deployed in a different way, in different places, and for different purposes.