Very true. Everyone gets [B]rowse object rights from the fact that they are included as a member of the [PUBLIC] trustee, which covers everyone authenticated and those that are not.

Your workaround was a little inaccurate. Just removing the [PUBLIC] trustee as a trustee of [Root] will remove NDS functionality of your users. What I suggest to most people is that they remove the [PUBLIC] trustee and then make [Root] a trustee of itself and then give [Root] Browse rights to itself. This gives users the ability to browse the tree and not lose any functionality. Now they have to authenticate to see the tree rather than just attaching.

Hope this clears things up. BTW, I wouldn't class this as a security problem; depending on your site you may want [PUBLIC] to be a trustee of [ROOT]. If you don't want that, do what I stated above.

Michael
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:17:03 PDT