[ActiveDir] openLDAP for Windows 2003 active directory
Hi, Can someone pls tell me how can I use openLDAP on Linux to query the Windows 2003 active directory data? I was able to use my old openLDAP script to run against Windows 2000 before, but after I upgraded my Windows 2000 to Windows 2003, the script does not work any more. Can someone pls tell me what could be wrong? The field I am accessing is proxyAddresses which should be common and should not be changed during two versions. Sample code would be very helpful. Thanks a lot. Po-Shan.
RE: [ActiveDir] Add trusted sites to IE via Policy
Hello Steve. This can be found under the Default Domain Policy, User Configuration/Windows Settings/Internet Explorer Maintenance/Security... then on the right side, Security Zones and Content Ratings. From there you can set the sites in any manner that you need. HTH. Charles -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Friday, September 19, 2003 17:42 To: [EMAIL PROTECTED] Subject: [ActiveDir] Add trusted sites to IE via Policy I need to add a trusted site to all corporate users. I thought that you can do this through Group Policy, but for the life of me I can not remember. Could someone point me in the right direction? If there is an ADM that needs to be added to accomplish this? Etc.. Thanks, Steve List info : http://www.activedir.org/mail_list.htm List FAQ: http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] SUS does SPs now
I have a somewhat silly question on SUS... Would anyone recommend against installing it on a DC? And if so, I'm curious as to why (other than the obvious things, like it's a DC :) ) Thanks, Raymond McClinnis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Friday, September 19, 2003 12:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now You will have to setup two SUS servers. One in a dev environment and one on the corporate network. The dev SUS will get the updates directly from MSFT and then once approved, the other SUS will be able to pull those updates for the corporate clients. Steve Shaff Active Directory / Exchange Administrator Corillian Corporation (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 10:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Yes. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 12:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Aren't we saying the same thing, then? Updates deployed to test environment, then approval, then deployment to production. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Not if your SUS server is used to supply the fixes to your test environment. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 9:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now The approval in the change management process should be before the update is even deployed -- after testing against applications, services, infrastructure, rollback, etc.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 8:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now It's also good if you have a Change Management process that requires a CM record be created and approved by a review board before the actual installation occurs. Ken A., MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now That's good if you have a minimal number of servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 7:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I'll be setting up SUS SP updates to servers, only I set my servers to download and notify, not to automatically install and boot. I keep control that way. Ken A., MCSA, MCSE -Original Message- From: Henderson Richard [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:13 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] SUS does SPs now As it will only run on W2KSP2+ Clients SMS is still needed for NT4 Clients. But another question, how many here will setup SUS SP updates to Servers? i.e 100 servers all being rebooted at 3am Sunday morning ?? -Original Message- From: Graham Turner [mailto:[EMAIL PROTECTED] Sent: 19 September 2003 09:44 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] SUS does SPs now Have just picked up on this thread of SUS - looks a real winner would be glad for the views of the positioning of this product relative to SMS ?? GT - Original Message - From: Free, Bob [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, September 18, 2003 11:44 PM Subject: RE: [ActiveDir] SUS does SPs now a complete rollup with every patch released for a particular OS. There is actually a current WU beta along those lines... 
If history repeats, it may be available sooner than later -Original Message- From: Crenshaw, Jason [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2003 1:17 PM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] SUS does SPs now You should see a roll-back/recall in SUS 2.0. I didn't hear about the SP's being available in SUS until this morning when I saw that it was something that was available to be published, so something or someone must have pulled the trigger for this to happen. Being an Enterprise customer of Microsoft, they usually go way out of their way to ensure that we know about major upcoming changes before going live with them. I guess Microsoft is tired of getting slammed with deployment problems for SP's. For anyone not using SMS, UpdateExpert, or something else along those lines, deploying SP's
RE: [ActiveDir] SUS does SPs now
Raymond, Good question - I hope that I can provide a good answer. I would NOT suggest or recommend deploying SUS to a DC for one simple reason: It requires IIS, and for security purposes, I will not deploy IIS onto a domain controller - which clearly dismisses a DC from hosting SUS IMHO. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis Sent: Saturday, September 20, 2003 12:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I have a somewhat silly question on SUS... Would anyone recommend against installing it on a DC? And if so, I'm curious as to why (other than the obvious things, like it's a DC :) ) Thanks, Raymond McClinnis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Friday, September 19, 2003 12:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now You will have to setup two SUS servers. One in a dev environment and one on the corporate network. The dev SUS will get the updates directly from MSFT and then once approved, the other SUS will be able to pull those updates for the corporate clients. Steve Shaff Active Directory / Exchange Administrator Corillian Corporation (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 10:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Yes. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 12:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Aren't we saying the same thing, then? Updates deployed to test environment, then approval, then deployment to production.
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Not if your SUS server is used to supply the fixes to your test environment. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 9:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now The approval in the change management process should be before the update is even deployed -- after testing against applications, services, infrastructure, rollback, etc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 8:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now It's also good if you have a Change Management process that requires a CM record be created and approved by a review board before the actual installation occurs. Ken A., MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now That's good if you have a minimal number of servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 7:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I'll be setting up SUS SP updates to servers, only I set my servers to download and notify, not to automatically install and boot. I keep control that way. Ken A., MCSA, MCSE -Original Message- From: Henderson Richard [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:13 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] SUS does SPs now As it will only run on W2KSP2+ Clients SMS is still needed for NT4 Clients. But another question, how many here will setup SUS SP updates to Servers? 
i.e 100 servers all being rebooted at 3am Sunday morning ?? -Original Message- From: Graham Turner [mailto:[EMAIL PROTECTED] Sent: 19 September 2003 09:44 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] SUS does SPs now Have just picked up on this thread of SUS - looks a real winner would be glad for the views of the positioning of this product relative to SMS ?? GT - Original Message - From: Free, Bob [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Thursday, September 18, 2003 11:44 PM Subject: RE: [ActiveDir] SUS does SPs now a complete rollup with every patch released for a particular OS. There is actually a current WU beta along those lines... If history repeats, it may be available sooner than later -Original Message- From: Crenshaw, Jason [mailto:[EMAIL PROTECTED] Sent: Thursday, September 18, 2003 1:17 PM To: '[EMAIL
RE: [ActiveDir] Add computers to domain permissions
Yeah Robbie's book is pretty good. I wish I got commission as I am pushing it to a lot of people, the cookbook layout is a good thing for that stuff. 2nd Edition should be started now and could look like Grey's Anatomy. I have been thinking for a long while about setting up something like that on my site but due to time hadn't done it. I won't do it now for a while even if I have time so Robbie gets properly compensated for taking the time to do it. I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Inside AD is really good as well. The security section is great as is the schema info, we learned things in there and told MS PSS that they didn't know. I actually just reviewed pieces of the 2nd edition of that one too, again Sakari is doing a good job. I caught myself a couple of times thinking, hmmm I didn't know that. I also like the Cat book (Active Directory by Alistar, 2nd Edition help from Robbie). Managing Enterprise Active Directory Services from Richard and Robbie - this is one of the deepest books I have seen. From AD programming standpoint I love Active Directory Programming from Gil. Overall though I don't think I have seen anything that really lays out the permissions and what you should delegate for different functional roles. That might make a good long chapter in the next cookbook. Also Robbie, don't forget the Exchange stuff in the next one. People need to be thinking about Exchange when doing stuff in AD otherwise they won't like being raped later when they install it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, September 19, 2003 6:21 PM To: [EMAIL PROTECTED] Well, I'll give you two. One is going to be Robbie Allen's new book (due shortly).
I reviewed it for tech content, (as did a few others here) and it's good - lots of code and geared towards Windows 2000/2003. It's called Active Directory Cookbook and is being published by O'Reilly. http://www.amazon.com/exec/obidos/tg/detail/-/0596004648/qid=1064009830/sr=1-3/ref=sr_1_3/103-2178319-6639029?v=glance The other one that I REALLY like as well is Inside Active Directory. This book has an absolutely FANTASTIC chapter on AD security, permissions, etc. Overall, this is one of the best AD books I have (I don't have Robbie's in hand yet;-) ) This book has been published by AW. 2nd Edition in the works - I'd say late this year. http://www.amazon.com/exec/obidos/tg/detail/-/0201616211/ref=pd_sbs_b_3/103-2178319-6639029?v=glances=books Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Friday, September 19, 2003 4:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions Rick - this brings up an interesting point...it seems like every time I want to do something like this (figure out exactly what permissions to set to allow group X to do task Y and no more), I have to hunt, dig, experiment, etc. I don't own every AD book ever printed, and barely have time to fully understand what's in the ones I have. Are there any good references that provide a 'cookbook' of common tasks and the minimum permissions required for them ? Dave -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 4:41 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions Every now and then this mass of e-mail I keep around has value.
I'd responded to a similar question a few months ago - so here is the response to that question:
SNIP
What you will likely need to do is to proceed along the following lines:
1. Right click on the OU of your choice and go to Security.
2. Select Advanced / Add / Select the group that you want to accomplish the task
3. By default, they should have READ, etc. Scroll down and select Allow Create / Delete Computer Objects
4. In the 'Apply on to:' dialog, select This Object and All Child Objects. Hit 'Apply' to save what we have so far.
5. Click 'Add' again in the Advanced Security dialog UI. Select the group for the task (same group as above).
6. In the 'Apply on to:' select 'Computer Objects' and grant Full Control
7. Click 'OK' until you completely exit
This should do the following: Allow the selected group to Create and Delete Computer Objects within the OU in which this delegation was done (yep - still delegation - not done through the Delegate Control selection, but this *IS* what goes on behind the scenes anyway), then we delegated the permission to fully control Computer Objects - allowing the ability to create the various attributes that make up a computer
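Added example, not part of the original message or written by any list member: the same delegation scripted with dsacls from a PowerShell prompt, followed by a check of who can create computer objects in the OU. The OU and group names are hypothetical placeholders, and the check assumes the ActiveDirectory PowerShell module is installed.

```powershell
# Placeholders (assumptions, not values from the thread).
$ou    = 'OU=Workstations,DC=example,DC=com'
$group = 'EXAMPLE\Workstation-Joiners'

# Steps 1-4: allow Create/Delete Computer Objects on the OU.
#   /I:T      = this object and all child objects
#   CC / DC   = create child / delete child, limited to the "computer" class
dsacls.exe $ou /I:T /G "${group}:CCDC;computer"

# Steps 5-6: Full Control applied onto Computer objects only.
#   /I:S         = child objects only (the ACE does not apply to the OU itself)
#   GA           = generic all (Full Control)
#   ";;computer" = empty property field, inherited object type "computer"
dsacls.exe $ou /I:S /G "${group}:GA;;computer"

# Quick look at the ACEs that name the group.
dsacls.exe $ou | Select-String -SimpleMatch $group

# Review: every Allow ACE that lets a principal create computer objects
# directly in this OU, whether set by the delegation above or earlier.
Import-Module ActiveDirectory

# schemaIDGUID of the "computer" class.
$computerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'
$createChild   = [int][System.DirectoryServices.ActiveDirectoryRights]::CreateChild
$inheritOnly   = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

(Get-Acl -Path "AD:\$ou").Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        # CreateChild bit set (GenericAll includes it).
        (([int]$_.ActiveDirectoryRights) -band $createChild) -and
        # Limited to the computer class, or unrestricted (any child class).
        ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [guid]::Empty) -and
        # Skip inherit-only ACEs: they apply to descendants, not to this OU.
        -not (([int]$_.PropagationFlags) -band $inheritOnly)
    } |
    Select-Object IdentityReference, ActiveDirectoryRights, ObjectType, IsInherited |
    Format-Table -AutoSize
```

Any principal in that table other than the intended group and the built-in administrators is a delegation to review, since creating computer objects is the right that controls who can join machines to the domain under this OU.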
RE: [ActiveDir] SUS does SPs now
Yeah, no IIS on a DC. Also no magic updates on DC's. Do them slow and purposely and methodically. Last thing needed is to walk in one morning and find out your automatic patch system just loaded something that blue screens DC's to your entire domain and not being able to log on anywhere to do anything about it. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, September 20, 2003 2:39 PM To: [EMAIL PROTECTED] Raymond, Good question - I hope that I can provide a good answer. I would NOT suggest or recommend deploying SUS to a DC for one simple reason: It requires IIS, and for security purposes, I will not deploy IIS onto a domain controller - which clearly dismisses a DC from hosting SUS IMHO. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis Sent: Saturday, September 20, 2003 12:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I have a somewhat silly question on SUS... Would anyone recommend against installing it on a DC? And if so, I'm curious as to why (other than the obvious things, like it's a DC :) ) Thanks, Raymond McClinnis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Friday, September 19, 2003 12:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now You will have to setup two SUS servers. One in a dev environment and one on the corporate network. The dev SUS will get the updates directly from MSFT and then once approved, the other SUS will be able to pull those updates for the corporate clients.
Steve Shaff Active Directory / Exchange Administrator Corillian Corporation (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 10:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Yes. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 12:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Aren't we saying the same thing, then? Updates deployed to test environment, then approval, then deployment to production. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Not if your SUS server is used to supply the fixes to your test environment. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 9:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now The approval in the change management process should be before the update is even deployed -- after testing against applications, services, infrastructure, rollback, etc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 8:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now It's also good if you have a Change Management process that requires a CM record be created and approved by a review board before the actual installation occurs. Ken A., MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now That's good if you have a minimal number of servers. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 7:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I'll be setting up SUS SP updates to servers, only I set my servers to download and notify, not to automatically install and boot. I keep control that way. Ken A., MCSA, MCSE -Original Message- From: Henderson Richard [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:13 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] SUS does SPs now As it will only run on W2KSP2+ Clients SMS is still needed for NT4 Clients. But another question, how many here will setup SUS SP updates to Servers? i.e 100 servers all being rebooted at 3am Sunday morning ?? -Original Message- From: Graham Turner [mailto:[EMAIL PROTECTED] Sent: 19 September 2003 09:44 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] SUS does SPs now Have just picked up on this thread of SUS - looks a real winner would be glad for the views of the positioning of this product relative to SMS ?? GT -
RE: [ActiveDir] Add computers to domain permissions
I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Even though my perspective might be tainted because of my work on the book - I would still highly recommend it. I have a very hard time believing that the editorial staff could have messed this book up to the point that it still wouldn't be one of the best available. And, Joe - like you, I am reviewing Inside Active Directory 2/e What I've seen so far is pretty good. I'm heavily of the opinion that they really only needed to do an update - which, so far is what I've seen. The 'Cat' book - completely forgot about it. And, honestly, I don't know how. 'Deep' doesn't really even begin to explain it - it's a very comprehensive book. And, though I'm not the programmer you are, I have a copy of Gil's book (Thank You, Mr. Kirkpatrick and Ms. Dutcher!). I find it a steadfast resource when trying to understand HOW something works at the level below the interface. Joe, I do agree that there is no reference that lays out 'If you want to delegate the ability to do X, apply these permissions here, and at this level and apply inheritance to this SP'. I've used the information from 'Inside AD' to figure out much of what I've needed to do - sadly, most of it is still trial and error. So, Robbie - new chapters coming when? ;o) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, September 20, 2003 5:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions Yeah Robbie's book is pretty good. I wish I got commission as I am pushing it to a lot of people, the cookbook layout is a good thing for that stuff. 2nd Edition should be started now and could look like Grey's Anatomy.
I have been thinking for a long while about setting up something like that on my site but due to time hadn't done it. I won't do it now for a while even if I have time so Robbie gets properly compensated for taking the time to do it. I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Inside AD is really good as well. The security section is great as is the schema info, we learned things in there and told MS PSS that they didn't know. I actually just reviewed pieces of the 2nd edition of that one too, again Sakari is doing a good job. I caught myself a couple of times thinking, hmmm I didn't know that. I also like the Cat book (Active Directory by Alistar, 2nd Edition help from Robbie). Managing Enterprise Active Directory Services from Richard and Robbie - this is one of the deepest books I have seen. From AD programming standpoint I love Active Directory Programming from Gil. Overall though I don't think I have seen anything that really lays out the permissions and what you should delegate for different functional roles. That might make a good long chapter in the next cookbook. Also Robbie, don't forget the Exchange stuff in the next one. People need to be thinking about Exchange when doing stuff in AD otherwise they won't like being raped later when they install it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, September 19, 2003 6:21 PM To: [EMAIL PROTECTED] Well, I'll give you two. One is going to be Robbie Allen's new book (due shortly). I reviewed it for tech content, (as did a few others here) and it's good - lots of code and geared towards Windows 2000/2003. It's called Active Directory Cookbook and is being published by O'Reilly.
http://www.amazon.com/exec/obidos/tg/detail/-/0596004648/qid=1064009830/sr=1-3/ref=sr_1_3/103-2178319-6639029?v=glance The other one that I REALLY like as well is Inside Active Directory. This book has an absolutely FANTASTIC chapter on AD security, permissions, etc. Overall, this is one of the best AD books I have (I don't have Robbie's in hand yet;-) ) This book has been published by AW. 2nd Edition in the works - I'd say late this year. http://www.amazon.com/exec/obidos/tg/detail/-/0201616211/ref=pd_sbs_b_3/103-2178319-6639029?v=glances=books Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A Sent: Friday, September 19, 2003 4:50 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions Rick - this brings up an interesting point...it seems like every time I want to do something like this (figure out exactly what
RE: [ActiveDir] Add computers to domain permissions
I have been starting to wonder if we need to write an MVP book. Working Title: Everything I needed to know I learned in the newsgroups... Chapter 1 - Firewalls, what do you mean you aren't running one? Chapter 2 - So you say AD is slow... How's your DNS? Chapter 3 - Why Exchange should be rewritten from the ground up. Chapter 4 - And why aren't Linux security holes making the 6PM news? My chapter would be Chapter xxx How to run an AD Enterprise from the beaches of Cozumel while debating the all encompassing question, one space or two after a period. Of course that work would have to be subsidized by the publishing company. I figure I would have a good 5-10 years of research for that one to get it right. Hey BTW speaking of blowing timelines, that review for IAD was due yesterday... You misread, the Robbie and Richard Enterprise Services book was the one I called deep. The Cat book is a good overall welcome to the world of AD, now that you are here let me point out where the restrooms and the kitchen are so you can be on your way. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, September 20, 2003 6:46 PM To: [EMAIL PROTECTED] I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Even though my perspective might be tainted because of my work on the book - I would still highly recommend it. I have a very hard time believing that the editorial staff could have messed this book up to the point that it still wouldn't be one of the best available. And, Joe - like you, I am reviewing Inside Active Directory 2/e What I've seen so far is pretty good. I'm heavily of the opinion that they really only needed to do an update - which, so far is what I've seen. The 'Cat' book - completely forgot about it. And, honestly, I don't know how.
'Deep' doesn't really even begin to explain it - it's a very comprehensive book. And, though I'm not the programmer you are, I have a copy of Gil's book (Thank You, Mr. Kirkpatrick and Ms. Dutcher!). I find it a steadfast resource when trying to understand HOW something works at the level below the interface. Joe, I do agree that there is no reference that lays out 'If you want to delegate the ability to do X, apply these permissions here, and at this level and apply inheritance to this SP'. I've used the information from 'Inside AD' to figure out much of what I've needed to do - sadly, most of it is still trial and error. So, Robbie - new chapters coming when? ;o) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, September 20, 2003 5:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions Yeah Robbie's book is pretty good. I wish I got commission as I am pushing it to a lot of people, the cookbook layout is a good thing for that stuff. 2nd Edition should be started now and could look like Grey's Anatomy. I have been thinking for a long while about setting up something like that on my site but due to time hadn't done it. I won't do it now for a while even if I have time so Robbie gets properly compensated for taking the time to do it. I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Inside AD is really good as well. The security section is great as is the schema info, we learned things in there and told MS PSS that they didn't know. I actually just reviewed pieces of the 2nd edition of that one too, again Sakari is doing a good job. I caught myself a couple of times thinking, hmmm I didn't know that. 
I also like the Cat book (Active Directory by Alistar, 2nd Edition help from Robbie). Managing Enterprise Active Directory Services from Richard and Robbie - this is one of the deepest books I have seen. From AD programming standpoint I love Active Directory Programming from Gil. Overall though I don't think I have seen anything that really lays out the permissions and what you should delegate for different functional roles. That might make a good long chapter in the next cookbook. Also Robbie, don't forget the Exchange stuff in the next one. People need to be thinking about Exchange when doing stuff in AD otherwise they won't like being raped later when they install it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, September 19, 2003 6:21 PM To: [EMAIL PROTECTED] Well, I'll give you two. One is going to be Robbie Allen's new book (due shortly). I reviewed it for tech content,
RE: [ActiveDir] Add computers to domain permissions
You misread, the Robbie and Richard Enterprise Services book was the one I called deep. The Cat book is a good overall welcome to the world of AD, now that you are here let me point out where the restrooms and the kitchen are so you can be on your way. Yep - right you are. I guess I need to pick that one up. I'm going to Borders tomorrow anyway, might be on the list. Yep - it was due yesterday I know one person who got their pieces in on time. ;o) And, as to a MVP Book - Heh I've tried it before. I don't have the discipline Or, at present, a job that leaves me alone long enough to manage a wife and raising three kids. We're fairly dysfunctional. (Oh, let me clarify - at work we're dysfunctional The family is fine.) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, September 20, 2003 7:06 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions I have been starting to wonder if we need to write an MVP book. Working Title: Everything I needed to know I learned in the newsgroups... Chapter 1 - Firewalls, what do you mean you aren't running one? Chapter 2 - So you say AD is slow... How's your DNS? Chapter 3 - Why Exchange should be rewritten from the ground up. Chapter 4 - And why aren't Linux security holes making the 6PM news? My chapter would be Chapter xxx How to run an AD Enterprise from the beaches of Cozumel while debating the all encompassing question, one space or two after a period. Of course that work would have to be subsidized by the publishing company. I figure I would have a good 5-10 years of research for that one to get it right. Hey BTW speaking of blowing timelines, that review for IAD was due yesterday... You misread, the Robbie and Richard Enterprise Services book was the one I called deep.
The Cat book is a good overall welcome to the world of AD, now that you are here let me point out where the restrooms and the kitchen are so you can be on your way. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, September 20, 2003 6:46 PM To: [EMAIL PROTECTED] I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Even though my perspective might be tainted because of my work on the book - I would still highly recommend it. I have a very hard time believing that the editorial staff could have messed this book up to the point that it still wouldn't be one of the best available. And, Joe - like you, I am reviewing Inside Active Directory 2/e What I've seen so far is pretty good. I'm heavily of the opinion that they really only needed to do an update - which, so far is what I've seen. The 'Cat' book - completely forgot about it. And, honestly, I don't know how. 'Deep' doesn't really even begin to explain it - it's a very comprehensive book. And, though I'm not the programmer you are, I have a copy of Gil's book (Thank You, Mr. Kirkpatrick and Ms. Dutcher!). I find it a steadfast resource when trying to understand HOW something works at the level below the interface. Joe, I do agree that there is no reference that lays out 'If you want to delegate the ability to do X, apply these permissions here, and at this level and apply inheritance to this SP'. I've used the information from 'Inside AD' to figure out much of what I've needed to do - sadly, most of it is still trial and error. So, Robbie - new chapters coming when? 
;o) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, September 20, 2003 5:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions Yeah Robbie's book is pretty good. I wish I got commission as I am pushing it to a lot of people, the cookbook layout is a good thing for that stuff. 2nd Edition should be started now and could look like Grey's Anatomy. I have been thinking for a long while about setting up something like that on my site but due to time hadn't done it. I won't do it now for a while even if I have time so Robbie gets properly compensated for taking the time to do it. I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Inside AD is really good as well. The security section is great as is the schema info, we learned things in there and told MS PSS that they didn't know. I actually just reviewed pieces
RE: [ActiveDir] SUS does SPs now
I agree with that premise of no SUS on a DC, though I have no fear of IIS on a DC. Domain controllers are special and should not get auto-anything in terms of updates or other changes. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, September 20, 2003 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Raymond, Good question - I hope that I can provide a good answer. I would NOT suggest or recommend deploying SUS to a DC for one simple reason: It requires IIS, and for security purposes, I will not deploy IIS onto a domain controller - which clearly dismisses a DC from hosting SUS IMHO. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis Sent: Saturday, September 20, 2003 12:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I have a somewhat silly question on SUS... Would anyone recommend against installing it on a DC? And if so, I'm curious as to why (other than the obvious things, like it's a DC :) ) Thanks, Raymond McClinnis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Friday, September 19, 2003 12:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now You will have to setup two SUS servers. One in a dev environment and one on the corporate network. The dev SUS will get the updates directly from MSFT and then once approved, the other SUS will be able to pull those updates for the corporate clients. 
Steve Shaff Active Directory / Exchange Administrator Corillian Corporation (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 10:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Yes. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 12:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Aren't we saying the same thing, then? Updates deployed to test environment, then approval, then deployment to production. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Not if your SUS server is used to supply the fixes to your test environment. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 9:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now The approval in the change management process should be before the update is even deployed -- after testing against applications, services, infrastructure, rollback, etc. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 8:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now It's also good if you have a Change Management process that requires a CM record be created and approved by a review board before the actual installation occurs. Ken A., MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now That's good if you have a minimal number of servers. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 7:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I'll be setting up SUS SP updates to servers, only I set my servers to download and notify, not to automatically install and boot. I keep control that way. Ken A., MCSA, MCSE -Original Message- From: Henderson Richard [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:13 AM To: '[EMAIL PROTECTED]' Subject: RE: [ActiveDir] SUS does SPs now As it will only run on W2KSP2+ Clients SMS is still needed for NT4 Clients. But another question, how many here will setup SUS SP updates to Servers? i.e 100 servers all being rebooted at 3am Sunday morning ?? -Original Message- From: Graham Turner [mailto:[EMAIL PROTECTED] Sent: 19 September 2003 09:44 To: [EMAIL PROTECTED] Subject: Re: [ActiveDir] SUS does SPs now Have just picked up on this thread of SUS - looks a real winner would be glad for the views of the positioning of this product relative to SMS ?? GT - Original Message - From: Free, Bob [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent:
RE: [ActiveDir] SUS does SPs now
William, Let me clarify myself: I don't FEAR IIS on a DC. Just from a security perspective, I don't think it's smart. I don't see any reason to put a known problem on my domain's authentication source, among other things. Now, I might change my mind if we're talking about IIS 6.0, but likely not. Least privilege access. IIS is not needed on a DC, and is not part of what a DC needs to do what it is designed for. But, that's just me. Wonderful thing about freedom - each is free to do whatever he wants. As long as it doesn't impede on the freedom of others, have at it. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of William Lefkovics Sent: Saturday, September 20, 2003 8:01 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I agree with that premise of no SUS on a DC, though I have no fear of IIS on a DC. Domain controllers are special and should not get auto-anything in terms of updates or other changes. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, September 20, 2003 11:39 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Raymond, Good question - I hope that I can provide a good answer. I would NOT suggest or recommend deploying SUS to a DC for one simple reason: It requires IIS, and for security purposes, I will not deploy IIS onto a domain controller - which clearly dismisses a DC from hosting SUS IMHO. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Raymond McClinnis Sent: Saturday, September 20, 2003 12:36 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I have a somewhat silly question on SUS... 
Would anyone recommend against installing it on a DC? And if so, I'm curious as to why (other than the obvious things, like it's a DC :) ) Thanks, Raymond McClinnis -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Shaff Sent: Friday, September 19, 2003 12:54 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now You will have to setup two SUS servers. One in a dev environment and one on the corporate network. The dev SUS will get the updates directly from MSFT and then once approved, the other SUS will be able to pull those updates for the corporate clients. Steve Shaff Active Directory / Exchange Administrator Corillian Corporation (W) 503.629.3538 (C) 503.807.4797 (F) 503.629.3674 -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 10:47 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Yes. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 12:28 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Aren't we saying the same thing, then? Updates deployed to test environment, then approval, then deployment to production. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 11:45 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now Not if your SUS server is used to supply the fixes to your test environment. Kenneth W. (Ken) Adams, MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 9:22 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now The approval in the change management process should be before the update is even deployed -- after testing against applications, services, infrastructure, rollback, etc. 
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 8:30 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now It's also good if you have a Change Management process that requires a CM record be created and approved by a review board before the actual installation occurs. Ken A., MCSA, MCSE -Original Message- From: Rod Trent [mailto:[EMAIL PROTECTED] Sent: Friday, September 19, 2003 7:49 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now That's good if you have a minimal number of servers. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Adams, Kenneth W (Ken) Sent: Friday, September 19, 2003 7:42 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] SUS does SPs now I'll be setting up SUS SP updates to servers, only I set my
RE: [ActiveDir] Add computers to domain permissions
Thanks for the kind words guys. The Active Directory Cookbook (the tuna book :) is due to ship on Tuesday - Sept 23rd. It is intended to answer many of the How do I ...? questions you might have about AD (at least as many that would fit in 600 pages). Here is the TOC: http://rallenhome.com/books/adcookbook/toc.html Here is a sample chapter: http://www.oreilly.com/catalog/activedckbk/chapter/ch08.pdf I'm taking requests for the next edition and for any suggestions I include I'll be sure to mention the requestor in the acknowledgements :-) Regards, Robbie Allen -Original Message- From: Rick Kingslan [mailto:[EMAIL PROTECTED] Sent: Saturday, September 20, 2003 6:46 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Even though my perspective might be tainted because of my work on the book - I would still highly recommend it. I have a very hard time believing that the editorial staff could have messed this book up to the point that it still wouldn't be one of the best available. And, Joe - like you, I am reviewing Inside Active Directory 2/e What I've seen so far is pretty good. I'm heavily of the opinion that they really only needed to do an update - which, so far is what I've seen. The 'Cat' book - completely forgot about it. And, honestly, I don't know how. 'Deep' doesn't really even begin to explain it - it's a very comprehensive book. And, though I'm not the programmer you are, I have a copy of Gil's book (Thank You, Mr. Kirkpatrick and Ms. Dutcher!). I find it a steadfast resource when trying to understand HOW something works at the level below the interface. 
Joe, I do agree that there is no reference that lays out 'If you want to delegate the ability to do X, apply these permissions here, and at this level and apply inheritance to this SP'. I've used the information from 'Inside AD' to figure out much of what I've needed to do - sadly, most of it is still trial and error. So, Robbie - new chapters coming when? ;o) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, September 20, 2003 5:12 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add computers to domain permissions Yeah Robbie's book is pretty good. I wish I got commission as I am pushing it to a lot of people, the cookbook layout is a good thing for that stuff. 2nd Edition should be started now and could look like Grey's Anatomy. I have been thinking for a long while about setting up something like that on my site but due to time hadn't done it. I won't do it now for a while even if I have time so Robbie gets properly compensated for taking the time to do it. I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it. Inside AD is really good as well. The security section is great as is the schema info, we learned things in there and told MS PSS that they didn't know. I actually just reviewed pieces of the 2nd edition of that one too, again Sakari is doing a good job. I caught myself a couple of times thinking, hmmm I didn't know that. I also like the Cat book (Active Directory by Alistar, 2nd Edition help from Robbie). Managing Enterprise Active Directory Services from Richard and Robbie - this is one of the deepest books I have seen. From AD programming standpoint I love Active Directory Programming from Gil. 
Overall though I don't think I have seen anything that really lays out the permissions and what you should delegate for different functional roles. That might make a good long chapter in the next cookbook. Also Robbie, don't forget the Exchange stuff in the next one. People need to be thinking about Exchange when doing stuff in AD otherwise they won't like being raped later when they install it. joe -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Friday, September 19, 2003 6:21 PM To: [EMAIL PROTECTED] Well, I'll give you two. One is going to be Robbie Allen's new book (due shortly). I reviewed it for tech content, (as did a few others here) and it's good - lots of code and geared towards Windows 2000/2003. It's called Active Directory Cookbook and is being published by O'Reilly. http://www.amazon.com/exec/obidos/tg/detail/-/0596004648/qid=1064009830/sr=1-3/ref=sr_1_3/103-2178319-6639029?v=glance The other