joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Oy, writing about AD Security

by @ 1:06 am on 8/4/2005. Filed under tech

Well, I have been stuck on one of my chapters for several days now. It is the chapter on Active Directory Security. Unfortunately it is missing any references whatsoever to some pretty basic AD Security concepts like inherited vs explicit ACEs, property sets, extended rights, validated writes, and default ACLs, so I am adding all of that. Not too deep, just enough so someone will be aware of what to go looking for more information on. The number of questions you see in the newsgroups around “how do I hide this attribute from being viewed”, etc., is so high that this basic security info really needs to be taught to every AD Admin so they have a clue on how they might attack it.

Of course I will also add a section on the new confidentiality bit in K3 SP1, how to use it, and where it sort of fails at its goal, and possibly… I will discuss how to sidestep that failure and make it a little more useful. I haven’t decided yet. There are a couple of mechanisms to make it work “better”. One I would feel really bad about sharing, though you can find info about the general process in the MS KBs. The other I wouldn’t feel quite as bad about, as it is simply a logical thought progression that anyone could figure out.

I am also a bit saddened by the lack of documentation and tools for manipulating the confidentiality bit stuff. There is seriously a seeming dearth of info. As for tools, from the GUI and CLI you have to give considerable rights to someone to override the confidentiality lockdown. I started building the script tonight to do this in a tighter, more granular way. I am curious as to how much it will tork up the GUI and the CLI to display the delegation though.
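The two mechanics the last two paragraphs talk around, marking an attribute confidential and then letting one group read it without handing out Full Control, look like this in practice. This is an added example, not the script joe mentions or any code from the original post; it uses System.DirectoryServices from Windows PowerShell and assumes Windows Server 2003 SP1 or later DCs, a session that can write to the schema on the schema master, and the hypothetical attribute, OU and group names in the param block. The base-schema check is one documented way the feature falls short (the bit cannot be set on category 1 attributes); it is not necessarily the failure the author has in mind.

```powershell
# Added example, not code from the original post. Marks one attribute as
# confidential (searchFlags bit 0x80) and then grants a single group
# CONTROL_ACCESS on that attribute for user objects under one OU, instead of
# giving the group Full Control. Run with schema admin rights against the
# schema master for step 2. All names below are illustrative assumptions.
param(
    [string]$AttrName = 'example-payrollCode',          # hypothetical custom attribute
    [string]$OuDn     = 'OU=Staff,DC=example,DC=com',    # hypothetical OU
    [string]$Group    = 'EXAMPLE\Payroll-Readers'        # hypothetical group
)

Add-Type -AssemblyName System.DirectoryServices

# --- 1. locate the attributeSchema object and sanity-check it ------------------
$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext.Value
$searcher = New-Object System.DirectoryServices.DirectorySearcher(
    [ADSI]"LDAP://$schemaNc",
    "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttrName))")
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('searchFlags','systemFlags','schemaIDGUID'))
$hit = $searcher.FindOne()
if (-not $hit) { throw "Attribute '$AttrName' not found in $schemaNc" }

# Base-schema (category 1) attributes carry FLAG_SCHEMA_BASE_OBJECT (0x10) in
# systemFlags and the DC refuses the confidentiality bit on them, so this only
# works for attributes you added yourself.
$systemFlags = if ($hit.Properties['systemflags'].Count) { [int]$hit.Properties['systemflags'][0] } else { 0 }
if ($systemFlags -band 0x10) {
    throw "'$AttrName' is a base schema attribute; the confidentiality bit cannot be set on it"
}

# --- 2. set the confidential bit (searchFlags bit 7, value 128) ----------------
$attrEntry   = $hit.GetDirectoryEntry()
$searchFlags = if ($hit.Properties['searchflags'].Count) { [int]$hit.Properties['searchflags'][0] } else { 0 }
if (-not ($searchFlags -band 0x80)) {
    $attrEntry.Put('searchFlags', ($searchFlags -bor 0x80))
    $attrEntry.SetInfo()
}

# --- 3. delegate read of just this attribute ------------------------------------
# Reading a confidential attribute requires RIGHT_DS_CONTROL_ACCESS (0x100) with
# the ACE's ObjectType set to the attribute's schemaIDGUID; .NET calls that right
# ActiveDirectoryRights.ExtendedRight. Scoping InheritedObjectType to the user
# class keeps the ACE off every other object type under the OU.
$attrGuid      = New-Object System.Guid -ArgumentList (,[byte[]]$hit.Properties['schemaidguid'][0])
$userClassGuid = [System.Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of class "user"
$sid = (New-Object System.Security.Principal.NTAccount($Group)).Translate(
           [System.Security.Principal.SecurityIdentifier])

$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,          # CONTROL_ACCESS
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,                                                                # this attribute only
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)                                                           # user objects only

$ou = [ADSI]"LDAP://$OuDn"
$ou.psbase.ObjectSecurity.AddAccessRule($rule)
$ou.psbase.CommitChanges()

# --- 4. read back the ACE the way a DACL-reading tool sees it ---------------------
$ou.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.ObjectType -eq $attrGuid -and ($_.ActiveDirectoryRights -band 0x100) } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType -AutoSize
```

Two caveats worth keeping in mind when you audit the result. Anyone who already holds Full Control or CONTROL_ACCESS on the whole object (Domain Admins, Account Operators via default ACLs) still reads the attribute, so the bit narrows who can read, it does not create a secret from administrators. And because the ACE carries an attribute GUID in ObjectType rather than a controlAccessRight GUID, check how the ACL editor and dsacls label it before relying on either to show you the delegation; that display question is exactly the one the post raises.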

Bed time…


One Response to “Oy, writing about AD Security”

  1. I’ll start reading your stuff this weekend, busy cramming for a grad school final between now and 3 o’clock tomorrow. 🙂
