RE: [ADSI-DirSrv] Rights needed to read the "TokenGroups"

  • Sameh Ahmed Abdel Fattah
    Message 1 of 3 , Mar 1, 2005
      Dear Joe

      Sorry for the late answer, but I was quite busy with other stuff and did
      not want to reply before I made sure of the following:

      NO restrictions have been made to the default user permissions.

      I made a delegation for the user domain\delegateduser to read the
      following properties:

      1. GroupmembershipSAM
      2. Group membership
      3. Tokengroupsglobalanduniversal

      But still this user is not able to read the tokengroups property (Which
      I found no explicit property for)

      But when I add him to the "Domain Admins", it works with no problems.

      Any ideas?



      Thanks and best regards.

      Sameh Ahmed
      Senior Office Automation Administrator
      Masreya Information Systems (Xceed)
      Km. 28 Cairo Alex desert road (Smart Village)
      Direct: +2 02 7763263
      Ext.: 3263
      web: www.Xceedcc.com

      _____

      From: Joe Kaplan [mailto:joe@...]
      Sent: Thursday, February 24, 2005 9:00 PM
      To: ADSIANDDirectoryServices@yahoogroups.com
      Subject: Re: [ADSI-DirSrv] Rights needed to read the "TokenGroups"



      In my domain, users have rights to read each other's tokenGroups
      attribute. It sounds as if someone has restricted rights on that
      attribute for some reason on yours. Do you know if that was done on
      purpose?

      You need to grant read access to tokenGroups for all users that should
      be able to read it. This is usually done by setting the proper property
      read ACL. You need to use the advanced screen to see the list of
      individual attributes.

      Joe K.

      ----- Original Message -----
      From: "Sameh Ahmed Abdel Fattah" <sameh@...>
      To: <ADSIANDDirectoryServices@yahoogroups.com>
      Sent: Thursday, February 24, 2005 6:51 AM
      Subject: [ADSI-DirSrv] Rights needed to read the "TokenGroups"


      >
      > Hello there
      >
      > After lots of discussions, Joe helped in using the mysterious
      > TokenGroups attribute.
      >
      > I am not sure why it's not easy to find documentation about this
      > issue.
      >
      > I can successfully read TokenGroups when I use a user with
      > administrative privileges on the domain, but not using a normal user.
      >
      > I tried delegating the read right for both "groupmembership" and
      > "groupmembershipSAM" for this user but also it fails to read the
      > TokenGroups!
      >
      > Is it calculated from a set of attributes for example?
      > What rights should be granted for user in order to be able to get the
      > values in this property?
      > Thanks for your time
      >
      > Regards
      >
      > Sameh
    • Joe Kaplan
      Message 2 of 3 , Mar 1, 2005
        I'm still confused by this. When you granted rights to read
        tokenGroupsGlobalAndUniversal, were they able to read that? You can also
        use it if you want. It just doesn't contain domain local groups, but
        otherwise it does the same thing.

        Also, if that worked, then you should be able to grant access to tokenGroups
        explicitly as well. They are both the same kind of constructed attribute.

        Sorry I'm not much help. I just haven't seen read restrictions applied to
        these attributes before, so I'm unfamiliar with what you need to do to
        correct this.

        Joe K.

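The check Joe asks about in Message 2, as an added diagnostic that is not part of the original thread: it reads both constructed attributes from one user object under the current credential and lists the SIDs that appear only in tokenGroups. The `$UserDn` value and the `Get-TokenSids` helper name are assumptions made for this example.

```powershell
# Added diagnostic, not code from the thread. Start the session as the account
# under test (e.g. runas /user:domain\delegateduser powershell) and run it.
# Assumption: $UserDn is a placeholder; set it to the DN of a real user object.
$UserDn = 'CN=Some User,OU=Staff,DC=example,DC=com'

function Get-TokenSids {
    param([string]$Dn, [string]$Attribute)
    $entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dn")
    try {
        # Constructed attributes are only returned when asked for by name on
        # the object itself, so load just this one into the property cache.
        $entry.psbase.RefreshCache([string[]]@($Attribute))
        foreach ($bytes in $entry.psbase.Properties[$Attribute]) {
            # Each value is a binary SID; emit its S-1-... string form.
            (New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)).Value
        }
    }
    catch {
        Write-Warning "Reading $Attribute failed: $($_.Exception.Message)"
    }
    finally { $entry.psbase.Dispose() }
}

$who = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$all = @(Get-TokenSids -Dn $UserDn -Attribute 'tokenGroups')
$gu  = @(Get-TokenSids -Dn $UserDn -Attribute 'tokenGroupsGlobalAndUniversal')

# A count of 0 means the directory returned no values to this credential.
'{0}: tokenGroups={1} SIDs, tokenGroupsGlobalAndUniversal={2} SIDs' -f $who, $all.Count, $gu.Count

if ($all.Count -gt 0 -and $gu.Count -gt 0) {
    # SIDs present only in tokenGroups; per the thread, the domain local groups.
    foreach ($sid in @($all | Where-Object { $gu -notcontains $_ })) {
        $name = '(unresolved)'
        try {
            $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
            $name = $id.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }
        '{0}  {1}' -f $sid, $name
    }
}
```

Running it once as the delegated account and once as an administrative account shows whether the delegation on tokenGroupsGlobalAndUniversal took effect while tokenGroups is still withheld.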