what's the problem Joe? even Cats could be members of Universal Groups ;-)
/Guido

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, 16 May 2004 16:06
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

Oh this is probably going too far but.....

No, that three-day old stanky can I would call Exchange. It seems to be necessary even though there are other things you can use but seems to be the most efficient and handy of the bunch, it just smells really bad when you have to use it and you always seem to cut yourself when opening it up to use. :o)

Personally I use dry catfood, self contained, doesn't make a huge mess, good for the cat's teeth and doesn't stink up the house. It may not be the cat's favorite but it gets the cat what it needs. Sort of like POP3/SMTP Standards based email.

DCDIAG would probably be your Dr. Spock's book for cats.

The laxetone from the cat world (used to clean out the intestinal tract of various collected debris) would be similar to oldcmp which blows away old computer accounts...

Adfind would be like saying here kitty kitty... Where is that d**** cat!?!

Unlock would be like when you accidentally shut the cat in the closet and you discover it and have to let her out.

OK this is going down hill. The Exchange piece was fun... Can't think of anything for Universal Groups for Guido.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Sunday, May 16, 2004 9:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

So what you're saying is that the Deleted Objects container is sort of like a litter box, and you have to clean out the litter box occasionally? If that's the case, then what in AD is like the smelly 3-day old can of cat food with the nasty crust on the top? DCDIAG?
-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 16, 2004 6:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

Wow I just reread this and thought.... I need to stop writing like this or I am going to be like Wook.... :o)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 16, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)

LOL! You see, you have to groom cats like you groom Active Directory. If you don't take care of the excess crap in AD it will barf on you, just like a cat will barf if you don't take off the excess fur with brushing.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Saturday, May 15, 2004 11:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cats & dogs (was A root dc question)

Oh my, this has flamewar written all over it. Oil and water, Palestinians and Israelis, Microsoft zealots and Novell bigots, dog people and cat people. This thread can go nowhere but downhill. But what the heck, I'll give it a little shove.

Joe, I really have trouble putting "refined" and "yakking up a hair ball" in the same paragraph. The way I see it, cats are a lot like mop heads. You can wash the floor with 'em, but it's a lot easier if you stick a handle up their a** first.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Saturday, May 15, 2004 8:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Cats treat humans like slaves, now a Dog, it knows how to greet you at the door after a rough day in the forest. Ever come home after a rough day and have the Cat greet you with anything other than disdain?
Dan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, May 15, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Cats rock. They play with you, you just don't usually realize that they are playing because they don't come up and drool on you. A dog is like beer, harsh and in your face. A cat is like wine, very smooth and gentle and refined. I can leave the house for days and know the cat will be fine and won't have destroyed anything other than walking back and forth across my Zen garden on my computer desk.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 5:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Never liked cats much - what fun are they? At least a dog will play with you. I nearly whacked one with a paint roller whilst painting the front porch a couple of years ago.

The school drama department took it upon themselves to paint a very nice recital hall (not auditorium/theater) which had white walls and a gloss varnish floor black. Since they destroyed the space, I'm trying to start a movement whereby anyone who does a show in the space is required to paint something on the walls.

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

I think he was apologizing for working on Novell... :oP

Personally I am sitting here posting because I am waiting for a second coat of paint to dry. Before I take off some masking tape and put my furniture back in place. And I must tell you, it is a joy to paint with white paint when you have a curious black cat. I have little white cat footprints across my kitchen floor now and a cat that is no longer all black.
Ever see a black cat with a white nose and white pads, pretty funny. She sneezed paint all over my leg too.

As for the learning part, yes learn away. That is why some of us give very long winded drawn out responses in the first place. A lot of these questions could be answered with Yes, no, maybe, don't be stupid, or go hire someone who knows but the goal is to increase the knowledge base around Windows AD so that it gets run properly and less is ascertained to be Magic.

A lot of people think I give long responses because I like to talk (or write). Actually it is because I like to hear others learn. The more everyone learns about this stuff, the better for all of us as we will all be watching out for the same things and beating vendors into doing things right. I actually had a recent near experience with a vendor that had previously encountered some knowledgeable AD guys at Cisco. When our people encountered them, it was like, wow, your stuff actually looks good! Saved some time and headaches.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Finally, I want to apologize again. I came from a Novell environment and inherited my current AD set up and I'm afraid I'm using you as a learning tool to get deeper into AD internals and I want to apologize for wasting your time. I've read Robbie Allen's Active Directory and most of the Distributed Systems Guide of the Windows 2k resource kit and both while excellent don't seem to answer all my questions esp, things like this post. Perhaps you could just recommend a book or site? Thanks for your time, everyone.

I'm not sure why you're apologizing for wanting to learn. I don't think anyone who actively participates on this mailing list is here just to shoot the breeze & dick around, but rather to learn and share knowledge.
So, I say fire away, I'll certainly jump in on a thread if it's something I know about...

--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035

-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. I'm not really interested in hacking my AD, so I'm not asking for that bit of info. I just wonder why it exists and I'm sure googling it will turn up a lot of "how to's", which makes me wonder why MS doesn't have a fix for it?

2. So aside from politics or the inability of corps to collapse their NT domain structure into OU's, you're saying there really is no reason for multiple domains at all (or maybe to limit rep traffic of the domain naming context across the forest?)?

3. Unfortunately our root domain is in Maryland and we are in New York, so we can't really be sitting next to each other.

Finally, I want to apologize again. I came from a Novell environment and inherited my current AD set up and I'm afraid I'm using you as a learning tool to get deeper into AD internals and I want to apologize for wasting your time. I've read Robbie Allen's Active Directory and most of the Distributed Systems Guide of the Windows 2k resource kit and both while excellent don't seem to answer all my questions esp, things like this post. Perhaps you could just recommend a book or site? Thanks for your time, everyone.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Anyone with rights to get to mess with any domain controller in a forest can compromise the forest, again a domain is not a security boundary. Someone may not have the knowledge which appears to be the case here (and I am not going to give that knowledge out), but it is possible just the same.
This falls in line with something I said earlier to another post... Just because someone doesn't know how to get around certain security precautions doesn't mean others don't.

A domain controller is a very special device on a network, if compromised, you could have a forest wide issue. The number of domain admins in a forest honestly should equal the number of enterprise admins in the forest. That number should be small. Less than 10 at the largest. Less than 5 is much better. They should also all be under the same management chain and even better sit within walking distance of each other so everyone is on the same page.

I often hear.... that can't be done... Sure it can. I've done it in a rather large globally distributed company. The delegation model is very strong in AD, most people should have delegated rights. Just takes work.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

1. What do you mean by "an admin in any domain has the power of being an Enterprise admin"? I, being a domain admin of a child domain, do not have the power to put myself into the Enterprise admins group. A domain or enterprise admin in the root domain would have to do that for me.

Also, as a domain admin in a child domain, I'm kinda limited to the damage I could do to the forest, no? I mean, I could screw up my domain royally, but I can't really do anything to screw up the forest (and completely hosing my domain would only cause replication errors generated in event logs and some repointing of exchange servers to different GC's). I can't modify the schema or install an app that does it for me. I can't link a wrong headed GPO to a site or create one on the root or any other domain. I can't create a site or subnet. And if I crashed and burned all my DC's wouldn't AD remove them permanently after 60 days?
I'm sorry to belabour the point here and waste your time, but I really want to make a good case for our IT dept to have enterprise admin access and show why multiple separate domain admins for multiple domains is not a good idea. As well as further my knowledge of what can and can't be done and what can and can't be screwed up. I'd like to convince everyone that playing nice is in our best interest.

Thanks, and again, I apologize for rehashing old posts.

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question

Wow this is like déjà vu, I swear we went through this whole thought process a month or two ago on here....

The quick summary (no I will not spout the whole thing, it should be in the archives) of what I recall

1. An admin in any domain has the power of being an Enterprise Admin, domains ARE NOT security boundaries. Each child domain should not have different admins because that can result in chaos and possible danger to the entire forest.

2. You can not do DR testing with just a child domain.

3. Either your corp IT has to be involved with your DR testing or you should redesign into multiple forests.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question

My apologies if this seems basic and/or silly.

Aside from creating new domains or modifying the schema, why would an admin need access to the root dc of a forest (the schema, domain naming master)? Furthermore, why would an admin in a child domain need enterprise admin privileges?

I only ask because we had issues with our test DR run wherein we didn't have access to the root domain and/or a test root domain vmware'd on a laptop and it ended miserably. I am in the process of convincing the higher ups in my corp of letting our IT dept have enterprise admin access.
I'd like to make a case for us as to why we would need this account with concrete examples (aside from the DR one). Ones that a semi tech aware CIO could relate to. What other compelling reasons would one need these rights for in day to day (or not so day to day) AD administration?

We are a multi-domain (14) win2k forest in mixed mode with exchange2k in native mode.

Thank you in advance for any assistance.

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/