AD object permissions:

http://www.selfadsi.org/deep-inside/ad-security-descriptors.htm

http://technet.microsoft.com/en-us/library/cc740104(v=ws.10).aspx

 

How to hide AD data:

part 1: http://windowsitpro.com/active-directory/hiding-data-active-directory

part 2: http://windowsitpro.com/active-directory/hiding-active-directory-objects-and-attributes

part 3: http://windowsitpro.com/active-directory/hiding-data-active-directory-part-3-enabling-list-object-mode-forest

part 4: http://windowsitpro.com/active-directory/using-confidentiality-bit-hide-data-active-directory

 

 

 

AD permissions – How Rights are Evaluated ?
Two types of rights exist: permissions (authorization to do something such as read or reset a password on a specific object) and privileges or user rights (authorization to do something, like log on or add users, that affects an entire computer rather than a specific object). Similar to the evaluation of file system access control, the right to access or use AD objects is determined by the security context attached to the application that attempts the access. When users authenticate to a system, the authorization information (their SID, SIDs of groups they belong to, and privileges) they’ve been given is collected and later used to create an access token. The access token is used when they attempt to gain access to some object. Programmatically, an access token can be created using the security context of some other security principal, say, the operating system, and used instead during the applications processing. When the application requires the use of some file system, operating system or AD object, the information in its access token is compared with that in the security descriptor of the object. If a match occurs, and no explicit Deny permission exists, access is granted. If no match occurs, or the explicit Deny exists, the requested access is denied.

Right Description
DELETE Delete object.
READ_CONTROL Read security descriptor information (doesn’t include the right to read the SACL).
WRITE_DAC Modify DACL in object’s security descriptor.
WRITE_OWNER Assume ownership of object.
SYNCHRONIZE Use object of synchronization. A thread (the small executable portion of a process) can wait until the object is in the signaled state.
ACCESS_SYSTEM_SECURITY Get or Set SACL.
GENERIC_READ Read security descriptor, examine object and children and read all properties.
GENERIC_WRITE Write properties and write DACL. Add and remove object from directory.
GENERIC_EXECUTE List children of object.
GENERIC_ALL Create or delete children, delete subtree, Read and Write properties, examine children and object, add and remove object from directory, Read or Write with extended right.
DS_CREATE_CHILD Create children (the ACE can specify child object type that can be created. If it doesn’t, this right allows creation of all child object types).
DS_DELETE_CHILD Delete children (the ACE can specify the child object type that can be deleted. If it doesn’t, this right allows deletion of all child object types).
DS_ACTRL_DS_LIST List children of object.
DS_SELF Modify group membership of group object.
DS_READ_PROP Read properties of object (ACE can specify property that can be read. If it doesn’t, this right allows reading of all properties).
DS_WRITE_PROP Write properties (ACE can specify property that can be written. If it doesn’t, this right allows writing of all properties).
DS_DELETE_TREE Delete all children of object, regardless of permission on object.
DS_LIST_OBJECT List a particular object (if not granted to a user, the object is hidden from user).
DS_CONTROL_ACCESS Right to perform operation covered by an extended access right-either a specific extended right or by omission all extended rights.
Additional standard access rights not available on all objects. The list and descriptions come from the Platform SDK documentation.

 

 

NTFS Inheritance Choices AD Comparable Setting AD Differences
This folder only. This object only (Effective ACL).
This folder, subfolders and files. This object and all child objects
This folder and subfolders. Each object is specified.
This folder and files. Each object is specified.
Subfolders and files only. Child objects only (Inherit ACLs).
Subfolders only. Each object is specified.
Files only. Each object is specified.
A comparison of NTFS and AD Inheritance Choices