
legal grounds for AD Schema modification


  • legal grounds for AD Schema modification

    My question consists of two parts:

    1) When I plan to use AD for a product to be used within my company and need to adjust the AD Schema by, e.g., adding a new class and new attributes for this or other classes, why do I need to go through the ISO process for obtaining a unique Object ID for my new class?

    If this requirement is based on the concern that my new class's OID would collide with an already existing OID, I believe it is in my power and authority to control OID uniqueness. Any explanations and advice or references to real-life use cases will be very helpful for me. Thank you in advance.

    2) Let's assume that in a while my company wants to sell the product to somebody, but the product requires the modified AD Schema as described in question 1). Will my company face any legal problems with regard to the modified AD Schema? Also, any input on this issue will be highly appreciated.

    - Michael

  • #2
    Re: legal grounds for AD Schema modification

    Yes, you do need to have your own OID number for custom classes and attributes for AD.

    A unique OID is required to prevent your OID from conflicting with other OIDs from other companies, esp. if you plan on selling the solution outside of your organisation, as schema changes cannot be removed.

    If your OID conflicts with another OID and messes up their AD domain, then I would consider it to be the purchaser's right to damages, as they would have to restore their AD from scratch - not a thrilling prospect for any organisation.

    Getting an OID is free of charge and only takes a couple of days to complete. I got mine from They call them PEN numbers (Private Enterprise Numbers).


    • #3
      Re: legal grounds for AD Schema modification

      1- As you rightly said, you would need to generate a unique OID in order to avoid any problems in AD.
      Note that we are talking about the AD schema here, which is a Microsoft product and only provides the infrastructure for your IT services/provisions.
      I think they are within their rights to take some sort of ownership of the process, rather than the developers like yourself.
      When you extend the AD schema, you do it to better serve your application and its intended users, and in your organisation you can do that without any limitations, I think.

      2- The changes will only affect the local AD database, and provided the user has agreed to install the application you offer (which, I am assuming, will perform a schema modification) then, in effect, they do the schema modification themselves.
      In terms of where you stand legally if that modification causes any problems, I don't know. You would be better off contacting MS, I think.
      There is a whitepaper from MS intended for developers; see if it helps.
      Caesar's cipher - 3




      • #4
        Re: legal grounds for AD Schema modification

        I would rather agree with L4ndy than with pjhutch. Since I have bought the product from MS, I am free to do anything I want with it in my organisation. That is, to extend the AD Schema I am not obliged to go to ISO. I can prevent or resolve an OID conflict by myself; this is my risk, and ISO does not have a part to play here.

        Moreover, I probably need more than one OID because I want to create several different classes. (Can I do it from one OID?)

        Then, if the product is sold, I, or rather my organisation, am responsible for potential damage to my buyer's system, not Microsoft. So, my question was whether I violate the MS licence on AD when I sell my product with the AD extension.

        If I plan to participate in the public MS network (with MS Passport, e.g.), I certainly have to follow the network owner's rules (ISO, etc.).

        So, I am looking to find out whether all these 'processes' are about uniqueness of OIDs and not about something else...

        Anyway, thanks a lot for your suggestions, chaps.

        - Michael
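
One way to answer the "several classes from one OID?" question above in working code; this is an added example, not code from any of the posters. It assumes a placeholder Private Enterprise Number (99999) under the IANA arc 1.3.6.1.4.1, and a constructed schema export containing a few well-known Microsoft OIDs plus one in-house attribute, to show that a single registered arc can be subdivided for any number of classes and attributes while still being checked for collisions against what the forest already contains.

```python
import re

IANA_PEN_ARC = "1.3.6.1.4.1"   # every IANA Private Enterprise Number (PEN) hangs off this arc
ASSUMED_PEN = 99999            # placeholder; substitute the PEN assigned to your company
OID_RE = re.compile(r"^[0-2](\.(0|[1-9]\d*))+$")

# Constructed sample standing in for a governsID/attributeID export of the
# current schema: well-known Microsoft values plus one attribute an earlier
# in-house project already allocated under our arc.
EXISTING_SCHEMA_OIDS = {
    "1.2.840.113556.1.5.9",                   # user class
    "1.2.840.113556.1.5.8",                   # group class
    "1.2.840.113556.1.3.30",                  # computer class
    "1.2.840.113556.1.4.221",                 # sAMAccountName attribute
    f"{IANA_PEN_ARC}.{ASSUMED_PEN}.1.2.1",    # earlier in-house attribute
}

def is_valid_oid(oid):
    """Syntactic check: dotted decimal arcs, root arc 0..2, no leading zeros."""
    return bool(OID_RE.match(oid))

def find_collisions(candidates, existing):
    """Return the candidate OIDs that already exist in the schema export."""
    return set(candidates) & set(existing)

class OidArc:
    """Hands out OIDs under one registered PEN: one registration covers any
    number of classes (.1.1 sub-arc) and attributes (.1.2 sub-arc)."""
    def __init__(self, pen, existing):
        self.classes_arc = f"{IANA_PEN_ARC}.{pen}.1.1"
        self.attributes_arc = f"{IANA_PEN_ARC}.{pen}.1.2"
        self.taken = set(existing)   # never hand out something already in the schema
        self.by_name = {}            # lDAPDisplayName -> OID, for the schema LDIF later

    def _allocate(self, arc, name):
        if name in self.by_name:
            raise ValueError(f"{name} already has OID {self.by_name[name]}")
        n = 1
        while f"{arc}.{n}" in self.taken:   # skip numbers the export already uses
            n += 1
        oid = f"{arc}.{n}"
        self.taken.add(oid)
        self.by_name[name] = oid
        return oid

    def allocate_class(self, ldap_display_name):
        return self._allocate(self.classes_arc, ldap_display_name)

    def allocate_attribute(self, ldap_display_name):
        return self._allocate(self.attributes_arc, ldap_display_name)
```

Run `find_collisions` over every OID you intend to add before importing the LDIF into the schema master, since a governsID or attributeID that clashes with an existing one cannot be undone afterwards.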


        • #5
          How to create a class type?

          I think some of you have dealt with this issue in the past. I looked through the Forum log and did not find the answer, however.

          Here is my scenario: I have to create an RBAC framework for the future Security Admin. This framework comprises:
          - an Actor = AD 'user' type
          - a Role = AD 'group' type
          - an Asset = AD class, which is limited by the pre-set list of types like PRINTER, USER, COMPUTER, etc.
          - an Access Right of the Role = not sure how to do this in an abstract manner regardless of the particular Asset (the to-be-protected object).

          So, I am looking for help on how I can create my custom type of class that would appear in the list of possible types of the future AD classes (my future Assets). In other words, I am looking to create a template that the future AD classes would be created after. This template must contain a certain set of AD and custom attributes.

          Also, the problem with the Access Rights: due to the nature of my business environment, my Assets change frequently and I do not like associating Access Rights with them; rather the opposite, I would like to have a Role with pre-defined Access Rights that later may be tied to a particular Asset. When the Asset changes, the Role is re-associated with another Asset, and so on.

          Is it doable in AD, or is there a better (easier and more flexible) tool for .NET in the area of RBAC (and, probably, access rules, like XACML, e.g.)?

          - Michael


          • #6
            Re: How to create a class type?

            Merged with one of your other threads on the same topic.
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd

            ** Remember to give credit where credit is due and leave reputation points where appropriate **