>> English? Is that what we are supposed to be speaking?
>> I speak a red neck northern lower Michigander form of North American. Anyone
>> want to go smelt dippin? How about goin' and snagging us some suckers? Or
>> fishing fer bullheads, I got the nightcrawlers all ready. Course we could
>> always hit the crick lookin for brookies and crayfish too... We had some
>> good viddles for supper last night, we had dandilion wine with dandilion
>> greens and snapper soup, Uncle Herbert cleaned the snapper shell up so
>> he can use it for a hat.
>> Hehe.

dictionary please! ;-)

>> BTW, what's a meta for? <eg>

don't know.... get rid of it with the meta data cleanup procedure ;-)

#JORGE#
________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 7/21/2005 11:34 PM
To: 'Send - AD mailing list'
Subject: RE: [ActiveDir] [OT]Delegation of privilege

English? Is that what we are supposed to be speaking?

I speak a red neck northern lower Michigander form of North American. Anyone want to go smelt dippin? How about goin' and snagging us some suckers? Or fishing fer bullheads, I got the nightcrawlers all ready. Course we could always hit the crick lookin for brookies and crayfish too... We had some good viddles for supper last night, we had dandilion wine with dandilion greens and snapper soup, Uncle Herbert cleaned the snapper shell up so he can use it for a hat. Hehe.

Yann, don't worry. I figure you speak my native language far better than I speak your native language.

I am working on a book though, so I guess I should be more careful with when I say "in my book". It would be easy for someone to think, hmmm cool, joe is going to put this in his book, another reason to not buy it.

I am refreshing an AD book, it doesn't much speak about the underlying OS as I am not much caring about the underlying OS. If AD ran on FreeBSD I might try working on it there.

BTW, what's a meta for? <eg>

joe

P.S. I caught Dean spelling humour as humor a little while back. I had to catch it and correct it for him.

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dean Wells
Sent: Thursday, July 21, 2005 5:07 PM
To: Send - AD mailing list
Subject: RE: [ActiveDir] Delegation of privilege

Fear not, joe's knowledge and use of English is only marginally better than yours and he's been at it for decades ...
PS - I'm just teasing for those that didn't catch that ;o)

--
Dean Wells
MSEtechnology
Email: [EMAIL PROTECTED]
http://msetechnology.com

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Thursday, July 21, 2005 5:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Delegation of privilege

OOOooopppsss ..... sorry... I did not understand joe's metaphors.... I'm a bit ashamed :(

So please, do not laugh at me, I try my best to improve my English :o)

Now it is time for me to go to the next chapter of my English training: Chap 3 "Understanding metaphors" :-)

Cheers,
Yann

________________________________
From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Date: Thu 21/07/2005 22:20
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

>> "You honestly have two real answers in my book"

joe currently has one book (in process) - and chapters in others. :o)

When he uses the phrase above, he is saying - "To my way of thinking, best practices say you have two things you can do"

English is a very strange language, and then us 'native speakers' go and mess it up even more with metaphors and analogies. ;o)

Rick

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Thursday, July 21, 2005 3:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE : [ActiveDir] Delegation of privilege

Hi joe,

I now realize that my question was not safefull in an AD design. I wanted to do the same as a NT4 domain where it is (not very sure, but I think it is) possible to give someone admin privilege on only one DC. I thought I could do the same thing with AD 2003.
Yes this DC is also file&print server, but for more secure operations, we will probably (and certainly) move this role to another member server, and so give THAT user server op privilege :)

Anyway, you said "You honestly have two real answers in my book". May I ask you what is the title of your book? Is it an AD or/and w2k3 book? I would be interested about its content...

Cheers,
Yann

________________________________
From: [EMAIL PROTECTED] on behalf of joe
Date: Thu 21/07/2005 02:37
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

Sakari, you are scaring me here...

Yann, you are basically saying. "Hi, I need to give someone I don't trust enhanced rights on only a single domain controller so they can not hurt other domain controllers.".

This is not really possible. You can do a lot of one-off delegation pieces but you aren't really doing a whole lot to protect yourself from the fact that you don't trust this person to have access to all of your DCs. Once on the one DC, one of many techniques can be used to get themselves access to the rest.

You honestly have two real answers in my book.

1. Break the work up into something the non-trusted person can do and the rest is given to a DA to do.

2. Find some other way to do the work, usually some form of proxy based solution that has rules you can apply so the person can't just do what they want, but instead only what you allow them.

Of course the other thing to do is not do what it is you are doing with that DC which is probably something like sharing files or printers or something like that.

joe

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Sakari Kouti
Sent: Monday, July 18, 2005 6:01 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Delegation of privilege

Hi Yann,

You could grant your user those privileges that are listed as User Rights, by applying a corresponding Group Policy Object to only one DC.
However, this is probably not enough for you. For example, you cannot grant a privilege to format hard drives or share folders this way.

Yours,
Sakari

________________________________
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of TIROA YANN
Sent: Monday, July 18, 2005 8:39 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Delegation of privilege

Hello AD Gurus :)

I would like to give to one of my users "server operator" privilege on only one DC, and not the whole DCs of my AD 2003. I know that DCs do not have sam locally, and the only way to give this privilege is to use the Built-in Groups in the Built-in Container. But doing this allows my user to be server op for all DCs in my domain.

The purpose of my question is:
=> to give one user the privilege to fully manage *only one* DC with "server operator" privilege, without having the right to use MMCs such as ADUC, Schema, dssite, replmon, repadmin commands.

Is this possible?

Thanks for input.

Cheers,
Yann

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you.
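
An added example, not part of the original thread and not any poster's code: one way to review who holds sensitive User Rights on a DC after a GPO-based delegation like the one Sakari describes. It parses the `[Privilege Rights]` section of a `secedit /export` file; the sample export, the delegated account SID, the list of rights treated as sensitive, the expected-holder list and the function name are all constructed or assumed for illustration.

```powershell
# Constructed sample of what `secedit /export /cfg dc.inf /areas USER_RIGHTS`
# writes on a DC. The S-1-5-21-...-1601 SID is a made-up delegated account.
$sampleInf = @'
[Unicode]
Unicode=yes
[Privilege Rights]
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-551
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeLoadDriverPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1601
SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-21-1111111111-2222222222-3333333333-1601
[Version]
signature="$CHICAGO$"
Revision=1
'@

# Assumption: rights this example treats as sensitive on a DC, and the
# built-in groups expected to hold them (Administrators, Server Operators,
# Print Operators, Backup Operators). Adjust both lists to your own baseline.
$sensitiveRights = 'SeBackupPrivilege','SeRestorePrivilege','SeLoadDriverPrivilege',
                   'SeDebugPrivilege','SeTakeOwnershipPrivilege','SeTcbPrivilege'
$expectedSids    = 'S-1-5-32-544','S-1-5-32-549','S-1-5-32-550','S-1-5-32-551'

function Get-UnexpectedRightHolder {   # hypothetical helper name
    param([string[]]$InfLines, [string[]]$Rights, [string[]]$Expected)
    $inSection = $false
    foreach ($raw in $InfLines) {
        $line = $raw.Trim()
        if ($line -match '^\[(.+)\]$') {
            # Only entries under [Privilege Rights] are user-right assignments
            $inSection = ($Matches[1] -eq 'Privilege Rights')
            continue
        }
        if (-not $inSection) { continue }
        if ($line -match '^(\w+)\s*=\s*(.*)$') {
            $right = $Matches[1]
            if ($Rights -notcontains $right) { continue }
            # Holders are comma-separated; SIDs carry a leading '*'
            foreach ($holder in ($Matches[2] -split ',')) {
                $holder = $holder.Trim().TrimStart('*')
                if ($holder -and $Expected -notcontains $holder) {
                    [pscustomobject]@{ Right = $right; Holder = $holder }
                }
            }
        }
    }
}

$lines = $sampleInf -split '\r?\n'
Get-UnexpectedRightHolder -InfLines $lines -Rights $sensitiveRights -Expected $expectedSids
```

Against a real DC, replace `$lines` with `Get-Content` on the exported file; the SeShutdownPrivilege line in the sample is there to show that rights outside the sensitive list are not reported.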