Re: Is the Computer object "Managed By" field informational or used for security

Discussion in 'Active Directory' started by Paul Bergson, Sep 26, 2006.

  1. This is a documentation field. What happens in the future is unknown. I
    wouldn't worry if this is populated though.
     
    Paul Bergson, Sep 26, 2006
    #1
  2. However, the value assigned to managedBy must be a Distinguished Name (DN).
    When this is assigned, the managedObjects attribute of the corresponding
    object will have the Distinguished Name of the managed object. For example,
    if I take the group object:

    cn=TestGroup,ou=Sales,dc=MyDomain,dc=com

    and assign the managedBy attribute of this group object to be:

    cn=TestUser,ou=West,dc=MyDomain,dc=com

    then the multi-valued managedObjects attribute of cn=TestUser will have the
    DN of the group object added. That is, one of the elements of the
    managedObjects attribute of cn=TestUser will be:

    cn=TestGroup,ou=Sales,dc=MyDomain,dc=com

    As far as I know, that is the only consequence of assigning a value to
    managedBy.
     
    Richard Mueller, Sep 26, 2006
    #2
  3. Note. The managedBy and managedObjects linked pair are used for security
    purposes. The DN specified in managedBy has write permissions to those
    objects.

    The manager and directReports linked pair are the informational attributes
    referenced in the GUI when looking at a user or inetOrgPerson object.
    managedBy is on groups. I can't remember what's on computers. If there's a
    dedicated tab (it's been ages since I looked at ADUC in any detail) then
    it's the security-related pair.
     
    Paul Williams [MVP], Sep 26, 2006
    #3
  4. I believe you are correct about the security, but I can find no
    documentation on it. Both computer and group objects have a "Managed By"
    tab, and the managedBy and managedObjects attributes are linked the same
    way. There is also a "Managed By" tab for OUs. Also, you cannot view the
    managedObjects attribute values in the GUI (although you can view it in ADSI
    Edit). I believe the manager of a group is granted the "write members"
    permission, although in some cases I do not see this (maybe because the user
    is a member of the group).
     
    Richard Mueller, Sep 26, 2006
    #4
  5. I never realized this. Thanks for the additional details.
     
    Paul Bergson, Sep 27, 2006
    #5
  6. Documentation on this is slim. I picked up on it from a post and dug around
    and finally found a brief mention on technet2 somewhere. It's an
    interesting point you make about the DACL exceptions. I'll have to have a
    look at that. I've never actually seen this used so it's something that'll
    have to be added to the ever increasing list of things to do...
     
    Paul Williams [MVP], Sep 29, 2006
    #6
  7. This is incorrect. The fields are informational. Anything done in
    security is handled by updating the ACL. ADUC will do both items for you
    in the case of group membership.

    --
    Joe Richards Microsoft MVP Windows Server Directory Services
    Author of O'Reilly Active Directory Third Edition
    www.joeware.net

    ---O'Reilly Active Directory Third Edition now available---

    http://www.joeware.net/win/ad3e.htm
     
    Joe Richards [MVP], Oct 3, 2006
    #7
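As an added worked example (not code from any of the posters in this thread): the PowerShell below does from the command line what Joe describes ADUC doing for a group. It writes managedBy, then separately adds the "Write Members" ACE (an Allow WriteProperty entry scoped to the member attribute) to the group's DACL, and it checks both the managedObjects back-link Richard describes and whether the manager actually holds the write right. The two DNs are made up for illustration; the schemaIDGUID of the member attribute is the standard one. It assumes the RSAT ActiveDirectory module and rights to modify the group and its security descriptor.

```powershell
# Added example, not from the thread. Sets managedBy, reads the managedObjects
# back-link, and grants/checks the "Write Members" ACE that ADUC adds when
# "Manager can update membership list" is ticked on the Managed By tab.
Import-Module ActiveDirectory

# Assumed DNs for illustration only; replace with real objects.
$GroupDN   = 'CN=TestGroup,OU=Sales,DC=MyDomain,DC=com'
$ManagerDN = 'CN=TestUser,OU=West,DC=MyDomain,DC=com'

# schemaIDGUID of the 'member' attribute. WriteProperty on this GUID is what
# the ADUC security editor labels "Write Members".
$MemberAttrGuid = [Guid]'bf9679c0-0de6-11d0-a285-00aa003049e2'
$WriteProperty  = [int][System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Test-ManagedObjectsBackLink {
    # managedObjects is a DC-maintained back-link of managedBy: not writable,
    # not shown in ADUC, but visible in ADSI Edit or via -Properties.
    param([string]$Group, [string]$Manager)
    $m = Get-ADUser -Identity $Manager -Properties managedObjects
    return [bool]($m.managedObjects -contains $Group)   # -contains ignores case
}

function Test-ManagerWriteMembers {
    # $true if the group's DACL carries an explicit Allow WriteProperty ACE for
    # the manager's SID on 'member' (or on all properties). managedBy itself is
    # never consulted in an access check; only ACEs like this one are.
    param([string]$Group, [string]$Manager)
    $sid = (Get-ADUser -Identity $Manager).SID
    $acl = Get-Acl -Path "AD:\$Group"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ((([int]$ace.ActiveDirectoryRights) -band $WriteProperty) -eq 0) { continue }
        $scoped = ($ace.ObjectType -eq $MemberAttrGuid) -or ($ace.ObjectType -eq [Guid]::Empty)
        if (-not $scoped) { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
        } catch { continue }   # orphaned SID that no longer resolves
        if ($aceSid -eq $sid) { return $true }
    }
    return $false
}

function Grant-ManagerWriteMembers {
    # Replicates the Managed By tab: write the forward link, then add an
    # explicit WriteProperty(member) ACE for the manager on this object only.
    # Set-ADGroup -ManagedBy alone does only the first half.
    param([string]$Group, [string]$Manager)

    Set-ADGroup -Identity $Group -ManagedBy $Manager

    if (Test-ManagerWriteMembers -Group $Group -Manager $Manager) { return }

    $sid = (Get-ADUser -Identity $Manager).SID
    $acl = Get-Acl -Path "AD:\$Group"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $MemberAttrGuid)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Group" -AclObject $acl
}

# Usage: do both halves, then show what the directory now reports.
Grant-ManagerWriteMembers -Group $GroupDN -Manager $ManagerDN
"managedObjects back-link present : $(Test-ManagedObjectsBackLink -Group $GroupDN -Manager $ManagerDN)"
"manager has Write Members ACE    : $(Test-ManagerWriteMembers -Group $GroupDN -Manager $ManagerDN)"
```

Running only the Set-ADGroup line and then Test-ManagerWriteMembers shows the split the thread settles on: the back-link appears immediately because the DC maintains it, but the ACE test stays false until something (ADUC, or the grant function above) edits the DACL. The same check is useful the other way round when auditing: a group whose manager can write members without any managedBy set is just as possible, because the two are independent.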
  8. So it's ADUC that actually updates the DACL? OK, I guess that makes sense.
    I'd wondered if it was specific to ADUC or whether there was something fancy
    going on in the background. I wonder if ADSIEDIT does this too? I'll have
    a look if I can ever recover my LH boxes...
     
    Paul Williams [MVP], Oct 3, 2006
    #8