security descriptor

Discussion in 'Active Directory' started by aks, May 11, 2005.

  1. aks

    aks Guest

    Hi,

    Can someone help me with this:
    Using ldifde, I have created a new class in AD schema, and this class has
    'top' as its parent class. When I run:
    "dsquery * cn=class1,cn=schema,cn=configuration,dc=xx,dc=com -scope base
    -attr *"
    I do not see the attributes nTSecurityDescriptor and defaultSecurityDescriptor.
    Does this imply that I cannot secure the objects instantiated from this new
    class?

    If so, I would like to know how can I create this/add this attribute to my
    class.

    Would appreciate any help. Thanks.
     
    aks, May 11, 2005
    #1

  2. ntSecurityDescriptor on the class object has nothing to do with instances of
    this class. It only protects this specific AD object (the class object in
    schema container). Note to retrieve ntSD, you need to explicitly request it,
    because it is an operational attribute.

    defaultSecurityDescriptor is the one you are after. If you did not set one,
    it will be inherited from top (implicitly). If top does not have one, then
    you still can create objects of this class, but they will have no explicit
    ACEs in their SDs, only inherited ones from the parent container. Believe
    me, this is actually good.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

    This posting is provided "AS IS" with no warranties, and confers no rights.
    Use of included script samples is subject to the terms specified at
    http://www.microsoft.com/info/cpyright.htm
     
    Dmitri Gavrilov [MSFT], May 11, 2005
    #2
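    The two attributes this reply distinguishes can be inspected directly. The
    following is an added example (not part of the thread, and not a Microsoft
    sample): it requests nTSecurityDescriptor explicitly, walks up the superclass
    chain for a defaultSecurityDescriptor as described above, and renders that SDDL
    as ACEs. It assumes the ActiveDirectory PowerShell module on a domain-joined
    machine; 'class1' is the hypothetical class from the first post.

```powershell
# Added example (not from the thread). Shows the two attributes post #2 distinguishes:
# nTSecurityDescriptor (operational; protects the class object itself) and
# defaultSecurityDescriptor (SDDL; stamped on new instances). Assumes the
# ActiveDirectory PowerShell module on a domain-joined machine. 'class1' is the
# hypothetical class from the original post.
Import-Module ActiveDirectory

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$className = 'class1'

# Operational attributes are only returned when explicitly requested, which is why
# "dsquery ... -attr *" did not show nTSecurityDescriptor.
$classObj = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=classSchema)(cn=$className))" `
    -Properties nTSecurityDescriptor, defaultSecurityDescriptor, subClassOf, lDAPDisplayName
if (-not $classObj) { throw "classSchema object '$className' not found under $schemaNC" }

# This SD protects the schema entry only; it says nothing about instances of the class.
'Owner of the class object itself: {0}' -f `
    $classObj.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])

# Walk up the superclass chain until a class carries a defaultSecurityDescriptor.
$sddl    = $null
$current = $classObj
while ($current) {
    $sddl = $current.defaultSecurityDescriptor
    '{0,-24} defaultSecurityDescriptor: {1}' -f $current.lDAPDisplayName, $(if ($sddl) { $sddl } else { '<none>' })
    if ($sddl -or $current.subClassOf -eq $current.lDAPDisplayName) { break }   # 'top' is its own superclass
    $current = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$($current.subClassOf)))" `
        -Properties defaultSecurityDescriptor, subClassOf, lDAPDisplayName
}

# Render the SDDL as ACEs: these are the explicit entries a new instance would receive.
# Without one, an instance carries only ACEs inherited from its parent container.
if ($sddl) {
    $sd = New-Object System.DirectoryServices.ActiveDirectorySecurity
    $sd.SetSecurityDescriptorSddlForm($sddl)
    $sd.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritanceType |
        Format-Table -AutoSize
}
```

    If you do decide to give the class its own default, Set-ADObject -Replace on the
    classSchema object needs a Schema Admins account and should be pointed at the
    schema master with -Server (Get-ADForest).SchemaMaster; the new default only
    affects objects created after the change, existing instances keep the SD they
    already have.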

  3. aks

    aks Guest

    Hi Dmitri,

    So, if I understand this correctly, the defaultSecurityDescriptor value for
    my new class would be the same as top - is that correct ?

    Also, since you are the core AD specialist, could you help me with this
    scenario, i need urgent help on this:

    I have created two new classes in the AD schema. And I am interested in
    extending the ACL list to show more tasks in the Permission list other than
    "Read, Write, Full control, etc.". If I modify the delegwiz.inf file, then
    the new tasks like "send alert via email" show up under the option "Delegate
    the following common tasks" (when using the Delegation of Control wizard with
    ADU&C). Is there a way I can make my new tasks show up under the "create
    a custom task to delegate" option using the above wizard.

    Ideally, it would be nice if I could modify ADSIEdit to show my customized
    tasks. It would be nice to know the file ADSIEdit reads, so that it can be
    modified to show customized tasks. Any suggestions ?

    I'm more interested in setting new/customized permissions (such as 'send
    alert' etc.) at the object level than at the attribute level. Is it possible ?

    Would appreciate getting help on the above. Much thanks in advance.
     
    aks, May 11, 2005
    #3
  4. You don't want to extend the list of permissions, because AD does not know
    how to enforce them, right? Where would the code for enforcing your new
    permissions live? In your app? If so, you should look at AzMan, which is
    exactly the extensible access-control system, to be run in the middle tier.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 11, 2005
    #4
  5. aks

    aks Guest

    Hi Dmitri,

    I'm a bit confused now, I have been reading something like:
    "Extended rights provide the ability to perform access checks on operations
    that have some special significance in Active Directory and that are not
    covered by the standard set of access rights. For example, the User class can
    be granted a Send As right that can be used by a mail application to
    determine whether a particular user can allow another user to send mail on
    his or her behalf. To facilitate these special requirements, Active Directory
    extends the standard access control mechanism through the controlAccessRight
    class of objects. These objects are called extended rights.
    Instances of the controlAccessRight class are created by the system. These
    objects are stored in
    CN=Extended-Rights,CN=Configuration,DC=ForestRootDomain. Rather than being
    administratively set, properties of these objects automatically identify the
    type of access in the DACL of the appropriate object."

    So the above mentioned "Extended-Rights" will not help me with my problem?
    I'm not so much interested in extending the access control list, but more in
    extending the rights to accommodate something like "send alert" etc. Please
    suggest if I can allow the user/security principal to do a customized task
    (send alert) in the scope of my customized object. Thanks.
     
    aks, May 12, 2005
    #5
  6. Exchange does weird things, so don't use it as an example. The quote below
    is misleading. Indeed, you can introduce your own control-access-rights by
    dropping new objects into that container. But who will use them in access
    checks?

    My question still stands. Given that AD has no clue about your custom task,
    it will not make any use of your CAR. Who will do the access check?

    What you can do (and what Exchange does) is read the security descriptor
    from the object and do the access check using this SD locally in your
    service. However, this is quite dangerous. For example, many AD objects have
    ACEs that grant BUILTIN\Administrators full control over the object. Thus,
    if your service runs on the user's machine, and he has made himself a local
    admin, then the access check will succeed. If he connects to another machine
    where he is not an admin, the access check will fail. This is not the kind of
    problem that you want to be diagnosing.

    You *should* look at AzMan.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 12, 2005
    #6
  7. aks

    aks Guest

    Hi Dmitri,

    Thanks for going into more detail, it's helping me understand better.

    As far as the access check is concerned, my app will enforce it. I
    understand that AD will not enforce it. I was just trying to find a
    graphical option to 'allow & deny' a customized task (i believe that leads to
    somehow extending the access control list/permission list) and have this
    configuration stored in AD in the ACE of the object in question. I'll have to
    have a layer at the app level, that would do a more concrete access check based
    on the information it retrieves from the SD of an object in question or OU in
    question and make appropriate decisions. But this can be done only if I can
    offer a graphical way to 'allow or deny' certain customized permissions. So
    far, I understand that I can extend it at the property level only, would be
    nice to know of a way where we can extend it at the object level (my 1st post
    explains the context).

    As suggested, I looked into AzMan. It's a handy tool, but I find role
    definitions are quite rigid as each role can have only one task to accommodate
    flexibility. If I define a role as "Operator" and assign it two tasks -
    "allow sending alert via email" and "allow clearing of log file", then I
    cannot assign this role Operator to two OUs or objects where one OU requires
    that "Operator" can do both the tasks and the other OU requires that the
    "Operator" can do only one task, say, send alert via email. To accommodate
    this situation I'll have to have unique roles - one task per role, that would
    lead to having too many roles defined. However, in AD, I can accommodate this
    situation by adding different roles/groups and each group/role can have
    overlapping tasks. Hence in AD an Operator can do more than one task and this
    does not require unique roles for unique tasks. This is what I have
    concluded so far, please do correct me if I am misled.

    As always appreciate your help.
     
    aks, May 12, 2005
    #7
  8. Ok, you are doing your own access check, beware of local groups... One
    suggestion -- use Authz library, it lets you control the "token creation"
    process to some degree, and it is better suited for usermode processes. AD
    uses it internally, fwiw.

    So, you are after the UI for the most part. That is easy. If I understand
    your question correctly, you want your new "control access right" to appear in
    ACLUI for selected objectClasses, right? If so, then you need to set the
    appliesTo attribute on the extendedRight object to be the schemaIdGuid of
    the class(es) you want this to appear on. Also, you might need to edit the
    dssec.dat file, which is used for filtering the stuff that ACLUI shows. There's
    a KB article explaining how to do this, just search for "dssec.dat".

    Re AzMan -- from what I know (and I am not the expert), it is a very
    flexible and extensible system. It actually offers more flexibility in
    permission assignment than AD does, and the model is better (role-based
    rather than ACL-based). I am not sure what is the NG where AzMan people hang
    out, I don't think it is this one. If you need help, try one of the
    ms.public.*.security.* newsgroups.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 12, 2005
    #8
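    What the "do the access check in your own service" approach of #6 and #8 looks
    like in practice, as an added example that is not part of the thread and not
    Microsoft's code: it reads the object's DACL and evaluates one custom control
    access right for a principal. The local-group problem is avoided by taking the
    principal's group SIDs from AD (tokenGroups) instead of from a logon token on
    the client machine. It uses the .NET ActiveDirectorySecurity class rather than
    the native Authz library recommended above, assumes the ActiveDirectory module,
    and the user, OU and rightsGuid are placeholders.

```powershell
# Added example (not from the thread): an application-side check of a custom control
# access right, the "read the SD and check locally" approach described in post #6,
# with the local-group problem from post #8 avoided by taking the principal's groups
# from AD (tokenGroups) rather than from a logon token on the client machine.
# Uses .NET ActiveDirectorySecurity, not the native Authz library post #8 recommends.
# Assumes the ActiveDirectory module; user, OU and rightsGuid are placeholders.
Import-Module ActiveDirectory

function Get-PrincipalSidStrings {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # tokenGroups is computed by the DC: the user's SID-expanded group membership,
    # nesting included, as the directory sees it. Local groups on the caller's
    # workstation (including a self-granted local Administrators membership) are not in it.
    $user = Get-ADUser -Identity $SamAccountName -Properties tokenGroups
    $sids = @($user.SID.Value, 'S-1-1-0', 'S-1-5-11')          # self, Everyone, Authenticated Users
    foreach ($g in $user.tokenGroups) {
        if ($g -is [byte[]]) { $g = New-Object System.Security.Principal.SecurityIdentifier($g, 0) }
        $sids += ([System.Security.Principal.SecurityIdentifier]$g).Value
    }
    return $sids
}

function Test-ControlAccessRight {
    param(
        [Parameter(Mandatory)][string]$ObjectDN,
        [Parameter(Mandatory)][guid]$RightsGuid,        # rightsGuid of the controlAccessRight object
        [Parameter(Mandatory)][string[]]$PrincipalSids
    )
    # nTSecurityDescriptor is operational: request it by name.
    $target = Get-ADObject -Identity $ObjectDN -Properties nTSecurityDescriptor
    $aces   = $target.nTSecurityDescriptor.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

    # Walk the DACL in stored order. For a single control access right the first ACE that
    # applies to the principal and names this right (or all extended rights) decides;
    # a canonical DACL puts denies ahead of allows at each inheritance level.
    foreach ($ace in $aces) {
        if ($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly) { continue }
        if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
        if ($PrincipalSids -notcontains $ace.IdentityReference.Value) { continue }
        # Guid.Empty as ObjectType means "every extended right"; otherwise it must be ours.
        if ($ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $RightsGuid) { continue }
        if ($ace.IdentityReference.Value -eq 'S-1-5-32-544') {
            # Post #6's trap: BUILTIN\Administrators is machine-relative. tokenGroups reports it
            # as the DC sees it, which is not the same as being a local admin on the client.
            Write-Warning "Decision for $ObjectDN rests on a BUILTIN\Administrators ACE"
        }
        return ($ace.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow)
    }
    return $false   # no matching ACE: denied
}

# Usage (placeholders): does jdoe hold the custom 'send-alert' right on the OU?
$sids = Get-PrincipalSidStrings -SamAccountName 'jdoe'
Test-ControlAccessRight -ObjectDN 'OU=Monitoring,DC=xx,DC=com' `
    -RightsGuid 'aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee' -PrincipalSids $sids
```

    The check deliberately consults the directory for both the DACL and the group
    list, so the answer is the same on every machine the service runs on; the
    warning marks the one case where it still depends on a group whose membership
    differs per machine.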
  9. aks

    aks Guest

    Hi Dmitri,

    Again, thanks for getting back. As my first attempt, I'll go with AD, and
    see how it looks. Probably will revisit AzMan too simultaneously.

    To try out your suggestion, I need more help - "appliesTo attribute on the
    extendedRight object to be the schemaIdGuid of the class(es) you want this to
    appear on". Could you explain the steps to create the extendedRight object,
    and to add the schemaIDGuid of the various class/es.

    I have edited dssec.dat file before, so do understand that part.
     
    aks, May 12, 2005
    #9
  10. With ADSIEdit or LDP, go to CN=Extended-Rights,CN=Configuration,DC=rootDomain
    and add a new controlAccessRight object there. Here's an example of such an
    object:

    Expanding base 'CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=xxx'...
    Getting 1 entries:
    2> objectClass: top; controlAccessRight;
    1> cn: Send-As;
    1> distinguishedName: CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=xxx;
    1> instanceType: 0x4 = ( IT_WRITE );
    1> whenCreated: 01/07/1999 10:32:18 Mountain Standard Time;
    1> whenChanged: 11/04/2003 19:47:04 Mountain Standard Time;
    1> displayName: Send As;
    1> uSNCreated: 7774;
    1> uSNChanged: 7774;
    1> showInAdvancedViewOnly: TRUE;
    1> name: Send-As;
    1> objectGUID: e94e852b-a656-11d2-bbcd-00105a24d6db;
    1> rightsGuid: ab721a54-1e2f-11d0-9819-00aa0040529b;
    15> appliesTo: 4828CC14-1437-45bc-9B07-AD6F015E5F28;
    36145cf4-a982-11d2-a9ff-00c04f8eedd8; 366a319c-a982-11d2-a9ff-00c04f8eedd8;
    a8df74a7-c5ea-11d1-bbcb-0080c76670c0; 01a9aa9c-a981-11d2-a9ff-00c04f8eedd8;
    e7a44058-a980-11d2-a9ff-00c04f8eedd8; e768a58e-a980-11d2-a9ff-00c04f8eedd8;
    bf967a9c-0de6-11d0-a285-00aa003049e2; 5cb41ed0-0e4c-11d0-a286-00aa003049e2;
    3568b3a4-a982-11d2-a9ff-00c04f8eedd8; 346e5cba-a982-11d2-a9ff-00c04f8eedd8;
    3378ca84-a982-11d2-a9ff-00c04f8eedd8; f0f8ffac-1191-11d0-a060-00aa006c33ed;
    bf967a86-0de6-11d0-a285-00aa003049e2; bf967aba-0de6-11d0-a285-00aa003049e2;
    1> objectCategory: CN=Control-Access-Right,CN=Schema,CN=Configuration,DC=xxx;
    1> localizationDisplayId: 4;
    1> validAccesses: 256;


    When creating the object, you only need to specify: DN of the new object,
    objectClass=controlAccessRight, displayName, rightsGuid (just generate a
    random guid), appliesTo (pick up schemaIdGuids from the classes you are
    interested in), validAccesses=256 (means control-access-right, as opposed to
    propertySet, which is 48 iirc).

    SchemaIdGuids can be read with ADSIEdit or LDP (and maybe even schema
    snapin) from the classSchema objects in CN=Schema partition. Note all the
    guids are just strings, not binary blobs.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 12, 2005
    #10
  11. aks

    aks Guest

    Hi Dmitri,

    I would like to know more about how to make the addition reflect in ADU&C.

    Now that I have
    "CN=MyPermissions,CN=Extended-Rights,CN=Configuration,DC=xxx,DC=com" with
    'appliesTo' set to the schemaIDGUID of my customized class, I'm a little
    unclear on where to add the list of tasks (send alert, clear log etc.) and
    how it gets mapped to the class 'MyPermissions'. Please advise. Thanks.
     
    aks, May 13, 2005
    #11
  12. AKS, MyPermissions is not a class. It is a control access right. You need to
    create a separate control access right object for each of your tasks
    (send-alert, clear-log, etc). Look at the other objects living in the same
    container.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 13, 2005
    #12
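    The procedure from #10 and #12 in script form, as an added example that is not
    part of the thread and not Microsoft's code: it reads the schemaIDGUID of the
    target class, creates one controlAccessRight object per task with a fresh
    rightsGuid and validAccesses=256, and then grants one of the new rights on an
    OU so there is an ACE for the application's check to find. It assumes the
    ActiveDirectory module, an account allowed to write to the Extended-Rights
    container and the OU, and placeholder class, OU and group names.

```powershell
# Added example (not from the thread): create one controlAccessRight object per task
# (posts #10 and #12) and grant one of them on an OU. Assumes the ActiveDirectory
# module, an account with write access to CN=Extended-Rights and to the OU, and
# placeholder names ('class1', the OU, the group).
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$carPath  = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"

# schemaIDGUID is stored as binary on the classSchema object; appliesTo wants the string form.
function Get-SchemaIdGuid {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $cls = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties schemaIDGUID
    if (-not $cls) { throw "class '$LdapDisplayName' not found in $schemaNC" }
    return ([guid]::new([byte[]]$cls.schemaIDGUID)).Guid
}

$targetClassGuid = Get-SchemaIdGuid -LdapDisplayName 'class1'   # hypothetical class from post #1

# One controlAccessRight object per task, as post #12 says; displayName is what ACLUI shows.
$tasks = @{
    'send-alert' = 'Send alert via email'
    'clear-log'  = 'Clear log file'
}
$created = @{}
foreach ($cn in $tasks.Keys) {
    $rightsGuid = [guid]::NewGuid().Guid        # "just generate a random guid" (post #10)
    New-ADObject -Name $cn -Type controlAccessRight -Path $carPath -OtherAttributes @{
        displayName   = $tasks[$cn]
        rightsGuid    = $rightsGuid
        appliesTo     = $targetClassGuid         # string GUID; add more values for more classes
        validAccesses = 256                      # 256 = control access right, 48 = property set
    }
    $created[$cn] = $rightsGuid
}

# Grant 'send-alert' to a group on an OU, inheritable by class1 objects beneath it.
# The ACE's ObjectType is the rightsGuid; InheritedObjectType is the class schemaIDGUID.
$ou    = 'OU=Monitoring,DC=xx,DC=com'                     # placeholder
$group = (Get-ADGroup -Identity 'Alert Operators').SID     # placeholder group
$acl   = Get-Acl -Path "AD:\$ou"
$rule  = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [guid]$created['send-alert'],
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    [guid]$targetClassGuid)
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$ou" -AclObject $acl
$created   # rightsGuids to hard-code or look up in the application that enforces them
```

    Keep the rightsGuid values with the application: AD stores the ACE by GUID, not
    by name, so the service has to know which GUID means "send-alert". As #17 notes,
    the objects in Extended-Rights are ordinary configuration objects and can be
    deleted again; the ACEs that reference a deleted rightsGuid stay behind in the
    DACLs until you remove them.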
  13. aks

    aks Guest

    Hi Dmitri,

    For the 'send-as' control access right, the class user is added. Also, in
    dssec file under class [user] only when mail=7 is replaced with mail=0, I get
    to see the 'send-as' option in the acl. What I fail to understand is where
    is the association between 'send-as' (a CAR) and mail (an attribute of user
    class). Could you help ?

    Thanks.
     
    aks, May 13, 2005
    #13
  14. aks

    aks Guest

    Hi Dmitri,

    If I add the extended right to an object type - this is a permanent change.
    Now, when I modify the dssec.dat file to reflect the above, I see the changes
    in ACL in the GUI. Is this change a "permanent" change because when I revert
    back to my original dssec.dat file, I still see the additions in ACL.

    Thanks.
     
    aks, May 13, 2005
    #14
  15. aks

    aks Guest

    Hi,

    I finally got the dialog box to show my customized name (clear-log,
    send-alert etc.) in ADU&C. However, it is prefixed with "read" or "write"
    each time depending on its value in the dssec.dat file i.e. if value=6, it
    displays in the dialog box as "read clear-log" or "read send-alert" and if
    value=5, it displays as "write clear-log" or "write send-alert". I was
    wondering if there is a way to make it display as "clear log" or "send alert"
    only by suppressing the read/write string. Thanks.
     
    aks, May 14, 2005
    #15
  16. There's no association between Send-As and the mail attribute whatsoever.
    Exchange uses the Send-As control access right somehow (not sure how). I suspect
    it checks if one user has the Send-As right granted to him on another user
    object.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core


     
    Dmitri Gavrilov [MSFT], May 14, 2005
    #16
  17. I did not get this, sorry.
    Nothing is permanent with Extended-Rights container. This is not schema, and
    you are free to add and delete objects here as much as you want.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 14, 2005
    #17
  18. I think this is because it thinks this is a property set. Make sure you set
    validAccesses=256 on your CAR object.

    And try not putting anything in dssec.dat. It looks like it only applies to
    attributes/propsets, but not to CARs.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 14, 2005
    #18
  19. aks

    aks Guest

    HI Dmitri,

    ValidAccesses is set to 256.

    If dssec.dat does not have anything, it still does not show it. If this is
    only attribute/property based, is there an alternative way for customized
    strings that I can try. Thanks for the help so far.
     
    aks, May 16, 2005
    #19
  20. Please produce an LDIF dump of your controlAccessRight object and post it
    here.

    --
    Dmitri Gavrilov
    SDE, Active Directory Core

     
    Dmitri Gavrilov [MSFT], May 16, 2005
    #20