Discussion:
Object Type GUID List
Stephen Engle
2006-10-17 13:54:33 UTC
I am trying to determine what grants a particular object type a security
right in Active Directory. So far, I have discovered that each ACE (such as
ACCESS_ALLOWED_OBJECT_ACE) in a security ACL can have an object type
associated with it. That object type determines what kind of object the
ACE applies to or inherits to. What I cannot find is a list that tells me
what GUID goes with what object type.

I think for instance, that 00000501-0500-1500-00002A62294B pertains to group
objects. But I do not know, except through a lot of experimentation, what
GUID indicates what kind of Active Directory object an ACE will apply to.

Does anyone know where such a list might be found? Or at least what part of
Active Directory might tell me what GUID will be associated with a
particular object type?

Thanks.
Joe Kaplan
2006-10-17 14:46:42 UTC
You probably want to look at the schemaIDGUID attribute on all of the schema
objects in the schema. It is actually documented in the MSDN AD schema
documentation as well, but sometimes it is faster to search for it.

Additionally, some of those objects might be extended rights. Those don't
point to schema objects, but instead point to objects in the Extended-Rights
container in the configuration partition. They are indexed by the
rightsGuid attribute (instead of the schemaIDGUID).

I also recommend reading all of the MSDN AD documentation on controlling
access. It is a little dense, but very helpful with this stuff.

If you are a .NET developer, there is a short program in chapter 8 of my
book that converts between the GUID and friendly names for both types of
objects. You can download the sample code directly from the link in my sig.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Stephen Engle
2006-10-17 19:59:24 UTC
Will the Active Directory material tell me about what GUIDs apply to things
like 'group objects' which I have come to find out is not the GUID for a
'group' schema object. I take it that there must be some built in GUIDs that
have to do with things like that. On the current object I'm looking at, the
schema id for 'groups' is referenced in Active Directory Users & Computers
as 'This object only' which makes sense. But then 'group objects' is some
other GUID not equal to the GUID of 'a' group object.
Joe Kaplan
2006-10-17 21:51:37 UTC
So, the GUIDs in question are the schemaIDGUID attribute on the schema
objects in the schema container. Do not confuse the objectGUID of a schema
object or any objectGUID of a specific group object.

When they refer to extended rights, it is the rightsGUID attribute on the
various objects in the extended rights container.

If you look in the MSDN reference at the schema documentation, you will see
that each one has a GUID associated with it. They call it "system-Id-Guid"
in the MSDN docs for some reason. But anyway, that is the same as the
schemaIDGUID and is a way to look that stuff up. Those GUIDs are fixed,
meaning that they do not vary between instances of AD.

Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
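
The lookup described in the replies above, as an added example (not part of the thread and not the sample code from the book mentioned): it builds the two LDAP filters and resolves an ACE object type GUID against both sources. schemaIDGUID is stored as 16 raw bytes, so it has to be byte-escaped in a filter, while rightsGuid is a plain string. The function names are hypothetical and the entries are constructed stand-ins for LDAP search results.

```python
import uuid

# Constructed sample of what the two LDAP searches return. Real entries come
# from the schema container (schemaIDGUID: 16 raw bytes) and the
# Extended-Rights container (rightsGuid: a GUID string).
SCHEMA_ENTRIES = [
    {"lDAPDisplayName": "group",
     "schemaIDGUID": uuid.UUID("bf967a9c-0de6-11d0-a285-00aa003049e2").bytes_le},
    {"lDAPDisplayName": "user",
     "schemaIDGUID": uuid.UUID("bf967aba-0de6-11d0-a285-00aa003049e2").bytes_le},
]
RIGHTS_ENTRIES = [
    {"cn": "User-Force-Change-Password",
     "rightsGuid": "00299570-246d-11d0-a768-00aa006e0529"},
]


def schema_guid_filter(guid: str) -> str:
    """LDAP filter for a schema object; binary values are escaped byte by byte."""
    # The first three GUID fields are stored little-endian, hence bytes_le.
    raw = uuid.UUID(guid).bytes_le
    return "(schemaIDGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def rights_guid_filter(guid: str) -> str:
    """LDAP filter for an extended right; rightsGuid is a plain string."""
    return f"(rightsGuid={uuid.UUID(guid)})"


def resolve_object_type(guid, schema_entries=SCHEMA_ENTRIES,
                        rights_entries=RIGHTS_ENTRIES):
    """Return (source attribute, friendly name) for an ACE object type GUID."""
    wanted = uuid.UUID(guid)  # accepts braces and upper case
    for entry in schema_entries:
        if uuid.UUID(bytes_le=entry["schemaIDGUID"]) == wanted:
            return ("schemaIDGUID", entry["lDAPDisplayName"])
    # The ACE does not say which kind of GUID it holds, so try both sources.
    for entry in rights_entries:
        if uuid.UUID(entry["rightsGuid"]) == wanted:
            return ("rightsGuid", entry["cn"])
    return (None, None)
```

Against a live directory the two filters would be run under the schema naming context and the Extended-Rights container in the configuration partition, and the results fed to `resolve_object_type`.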