This is a quick post to show how to display the permissions that will be assigned by the SDProp Process.
The SDProp process uses the AdminSDHolder container object as a template for the permissions that will be assigned to any users or groups that are protected by the SDProp Process. For more details on the SDProp Process see the SDProp Option. The permissions assigned to the ADminSDHolder are used to replace the existing permissions when an object first comes into scope, or if the permissions of an existing in scope object are changed.
Using the NetTools Permission Browser option (formally - ACL Browser) is it very simple to view the permissions. In the left hand pane navigate to the Access Control - Permissions Browser option.
Click on the Refresh button, this will display the directory tree, navigate down the tree to CN=System, CN=AdminSDHolder. With the AdminSDHolder object selected the permissions will be displayed in the middle pane:
We can use the Permission Compare feature to confirm that the permissions have been applied to a protected object. In the tree view of the Permissions Browser right click on the AdminSDHolder node and select Select Left SD to Compare
Using the Quick Search option we can search for a protected group i.e. Domain Admins.
From the search results right click on the domain admins group and select Compare to 'AdminSDHolder' SD
This will display the Compare Permissions dialog, allowing you to confirm that the AdminSDHolder permissions have been applied to the Domain Admins group, you can repeat these steps to confirm any of the users or groups that are protected by the SDProp process.
Also See