RE: [ActiveDir] Schema Question
MIIS is about the cheapest commercial one from the major directory vendors I've come across... Novell and Sun are 7 digit figure products on a good day.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 12:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah, until the price of MIIS [1] comes down from its stratospheric level, and until I can look a customer in the eye and say "yes, you can use mySQL or such", I won't touch MIIS with a long pole.

[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a few, and the engineering that goes into making them work at all is so intensive that I don't like to offer them as "solutions".

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? - anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

You mean as in copying in ADUC... What, are you crazy?? Provisioning is the new cool key word, Deji. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Listen to what they say. But if you really have to set attributes, consider using user templates and populating the relevant settings that you need. Then do your user account creation using the templates.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com

From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

And anyway you should be putting quotas either in a recipient policy or manually on the attributes that control them...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

No. Your provisioning system (e.g. MIIS, etc.) should be doing this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

All,

Let me start with, I'm a total newb when it comes to Schema and Schema modifications. Is it possible to modify the schema so that every time a new user is created (via ADUC) an extension attribute is populated with a default value? Our Exchange guys would like extensionAttribute5 to be populated automatically with 100, which is the default mailbox size. Is this possible? It seems like it would be, but as I warned, I'm a newb.

Thanks,
Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Setting Wireless Config via GPO
Hi all,

I am following this thread with interest as I am in the middle of preparing our domain for this also. I have one (possibly redundant) question, below in line.

On 20 Apr 2006, at 14:09, Jef Kazimer wrote:

> Dave,
>
> The certs can be used in different ways. If you are using EAP-TLS, which uses the certs to authenticate the user and the server, you will need a CA to issue this. This would require a PKI solution to be in place. While not hard or impossible in 2003, just something you want to be cautious about.
>
> Using the EAP-PEAP method, the cert is only used to identify the server to the client, and open a secure tunnel so the password credentials can be sent over. Once the user is authenticated, then the connection is secured through the 2 choices of wireless encryption. You do not need a CA for this, and can request an IAS certificate from Verisign I believe still.

Is there actually a requirement for the cert? From an operational POV, can I get away with not using a cert from VS?

> With IAS as the middleman between the WLAN device and the directory, you can set access policies from as simple as "if user is member of domain grant access, else deny" kind of stuff, to more granular rules. There is a nice MS doc, showing how this can be done, from building the 2k3 domain from scratch, to actually applying the group policy entries.
>
> Now one thing though, where I am, we use Dell for our laptops which come standard with the built in WiFi modem (1450 card). Dell has their own client tool that can utilize PEAP as well. The one benefit is the Dell client does have a GINA addition, which allows a pre-logon WLAN authentication. Some people like this so their logon script runs, etc. So while not needed, it's a 3rd party tool some people like. It also allows us to do EAP-PEAP on Windows 2k boxes which do not support it natively.

Has anyone applied WiFi GPs with Toshiba laptops? Specifically Toshiba S100s, and (I think) the new M5s?

tia,
bernard

---
Bernard Tyers
Dublin 1
Ireland
e-mail: [EMAIL PROTECTED]
sip:[EMAIL PROTECTED]
skype: bernard_tyers
RE: [ActiveDir] Password Expiration
Actually you can't control aging with a password filter, only length, complexity, and history. Lockout and expiration policies are domain wide in Windows 2000 and Windows Server 2003 AD.

You can implement a script/process that maintains a 15 day policy for some IDs by marking the user objects in some special way [1] (or storing the DN/GUID/SID in some other store) and then scanning for them and checking that their password age is less than 15 and, if not, forcing the accounts expired.

Lockouts are much more difficult to deal with, to the point that it probably isn't worth dealing with it. However, combined with the way lockouts are handled in the OS, most companies have ridiculous lockout policies. For instance, if the same bad password is being sent over and over again, what security risk is that other than a DOS attack, and why lock the account out? Or if you have a flood of bad passwords coming in at a high rate of speed from a single IP for a single account or multiple, why not lock out that IP from auth instead of all of the IDs it attacks? So in the meanwhile, if lockout policies have values of less than 15 or so bads, they are usually better for locking out normal users than attacks.

joe

[1] If you do this, do it in a smart flexible way, say have an attribute that indicates how many days old the password can be before expiration, or, to make the search/expire script/tool easier, stick in the date in int8 format that the password should be expired; that way you don't have to enumerate, you can do a straight easy query which is much faster. Alternately I guess that being in a specific OU could be enough and you just check the age of every account in the OU, but then you are hard coding their max age in the script unless maybe you populate an attribute on the OU or in a separate store that you can check to get max age.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
Sent: Saturday, July 01, 2006 12:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Password Expiration

Without a custom password filter of your own or a third party one which does this (they are out there), you don't.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Murtaza Merchant
Sent: Friday, June 30, 2006 11:28 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Expiration

While on the subject of password expiration, I have this requirement at the office. The domain policy on password age is set to 40 days. There is a requirement to have the password age of some user accounts set to a period of 15 days. These user accounts are already grouped into another separate exclusive OU. How can I go about setting the password age only for the user accounts in this OU?

Regards,
Murtaza Merchant

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 26 June 2006 15:41
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Password Expiration

We have a 120 day password expiration GPO. What happens if a user changes their password in the 120 day time period? Do they still get prompted when the whole domain does, or do they get prompted 120 days after they reset their password?

Thanks.
-Christine

Christine N. Allen
Systems Engineer
BMC HealthNet Plan
2 Copley Place
Boston, MA 02216
617-748-6034
617-293-4407
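One way to script the 15-day exception joe outlines, added here as an example and not code from the thread: a per-OU table of maximum password ages (so the age is not hard-coded in the script), a straight LDAP query that lets the domain controller filter on pwdLastSet (already an Integer8 timestamp, so no separate expiry attribute is needed for the OU case), and a dry run before any account is forced to change its password. The ActiveDirectory PowerShell module, the OU distinguished names and the exemption list are assumptions.

```powershell
# Added example, not from the thread: enforce a shorter maximum password age for the
# accounts under particular OUs than the domain-wide policy allows.
# Assumptions (hypothetical): the RSAT ActiveDirectory module is installed, and the OU
# distinguished names below are placeholders for your own.
Import-Module ActiveDirectory

# Maximum password age in days, per OU. Keeping this in a table (or reading it from an
# attribute on the OU) avoids hard-coding a single age in the script.
$PolicyByOu = @{
    'OU=ShortAge,OU=Users,DC=example,DC=com' = 15
}

# Accounts this script must never force-expire, e.g. service accounts with their own process.
$ExemptSamAccountNames = @('svc-placeholder')

function Get-OverduePasswordAccounts {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [int]    $MaxAgeDays,
        [datetime]                      $Now = (Get-Date)
    )
    # pwdLastSet is a Windows FILETIME (Integer8), so the cutoff can go straight into the
    # LDAP filter: the DC does the comparison and returns only the overdue accounts instead
    # of the script enumerating every user in the OU and doing the date math locally.
    $cutoff = $Now.ToUniversalTime().AddDays(-$MaxAgeDays).ToFileTimeUtc()
    $filter = -join @(
        '(&(objectCategory=person)(objectClass=user)',
        "(pwdLastSet<=$cutoff)",                                  # older than allowed
        '(!(pwdLastSet=0))',                                      # already flagged for change
        '(!(userAccountControl:1.2.840.113556.1.4.803:=2))',      # skip disabled accounts
        '(!(userAccountControl:1.2.840.113556.1.4.803:=65536))',  # skip "password never expires"
        ')'
    )
    Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter $filter `
               -Properties pwdLastSet, userAccountControl
}

function Invoke-PasswordAgeEnforcement {
    param([switch] $WhatIf)
    $nowUtc = (Get-Date).ToUniversalTime()
    foreach ($ou in $PolicyByOu.Keys) {
        $maxAge = $PolicyByOu[$ou]
        foreach ($user in (Get-OverduePasswordAccounts -SearchBase $ou -MaxAgeDays $maxAge -Now $nowUtc)) {
            if ($ExemptSamAccountNames -contains $user.SamAccountName) { continue }
            $lastSet = [DateTime]::FromFileTimeUtc($user.pwdLastSet)
            $ageDays = [math]::Floor(($nowUtc - $lastSet).TotalDays)
            Write-Output ('{0}: password set {1} days ago, limit under {2} is {3}' -f $user.SamAccountName, $ageDays, $ou, $maxAge)
            # pwdLastSet = 0 means "user must change password at next logon". The domain-wide
            # maximum age is left alone; only accounts under this OU are touched.
            Set-ADUser -Identity $user.DistinguishedName -Replace @{ pwdLastSet = 0 } -WhatIf:$WhatIf
        }
    }
}

# Dry run: lists what would be expired without changing anything. Drop -WhatIf to apply.
Invoke-PasswordAgeEnforcement -WhatIf
```

Run it from a scheduled task more often than the shortest age in the table, and keep the Write-Output lines as the audit trail of what was expired and why.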
RE: [ActiveDir] Schema Question
I agree that MIIS is expensive but the SQL Server requirement is what irks me. We have had this conversation multiple times but if MSFT has to have it on their own tech DB then put it on ESE. Make it black box, you shouldn't have to require a SQL DBA to properly run your AD for their provisioning product. The security model isn't good because now instead of just DAs having extensive rights in the org, it is likely the DBAs will as well through proxy. I haven't really looked hard into compromising MIIS assuming I have DBA level access rights into the SQL Server but I fully expect there are holes. I am semi afraid to start poking into it specifically because I expect to find those holes and hate finding holes (bugs and security issues) in MSFT products because I feel honor bound to chase them into MSFT and find someone to fix them and I don't have the time.

But anyway, basic provisioning doesn't require MIIS or any syncing tool. You just need something that could output basic data files for the new objects or the object changes and feed those into basic scripts that validate and shove them into AD. And in front of it you have some basic web page; a web form for a new user with no validation could be done in minutes, if you validate users you add a little javascript or add some code to the backend. And note, this could be done on any flavor web server on any OS, doesn't require Windows.

If you aren't big on writing AD update code you then need a tool that could move that info into the directory, and one of the most flexible tools I have seen to date, and I have seen multiple times now filling roles like this as well as group management roles, is LDSU (http://h20219.www2.hp.com/services/cache/11212-0-0-225-121.html). I only learned about it within the last 18 or so months, I don't recall ever hearing about it prior to that though it was available and used in many large companies. The advertising for it is nil but I know the developer quite well and he is good [1]. If joeware got big enough that I could go hire additional programmers, this guy is one of the guys I would go looking to get.

One time (at band camp heh) I got called in to figure out how to make a well known vendor's auto group management tool work and we only had like a week to figure it out before there were going to be penalties from the customer, and the delivery folks had been trying to work out the issues for a couple of months. I spent a day on it trying to reverse how it worked (i.e. I sat down with the tool and manipulated it and watched the network traces - what every good integrator should be doing for every AD application) and then sent a nice big bulleted list of issues to someone I knew at the vendor who supplied the tool. There were no easy fixes nor workarounds that could be implemented within a week so we switched to LDSU. Within 2 days everything was up and configured and running perfectly. Also run time for batch updates that occurred once per day had reduced from 12 hours to under 30 minutes, and that was with the full set of groups, not the small pilot set that couldn't get working under the previous tool.

It isn't as full featured and flashy as the big name sync tools in terms of building in workflow and RAD development of rules, etc., but it is considerably cheaper than an MIIS or the other tools Brian mentioned. If someone was looking to build a provisioning system quickly and only wanted to worry about the front end initially, this would be a great backend.

joe

[1] I think he is good both because he is actually very bright and has done a great job and because when he doesn't know something, he admits it and goes and finds the answer.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 1:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah, until the price of MIIS [1] comes down from its stratospheric level, and until I can look a customer in the eye and say "yes, you can use mySQL or such", I won't touch MIIS with a long pole.

[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a few, and the engineering that goes into making them work at all is so intensive that I don't like to offer them as "solutions".

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
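The feed-file-plus-validating-script approach joe describes, as an added example (not code from the thread, from LDSU or from MIIS): each row of a constructed CSV feed is checked and rejected with a reason if it is malformed or collides with an existing account, and valid rows are created with the Exchange default mailbox size from the original question written into extensionAttribute5 at creation time rather than by hand in ADUC. The ActiveDirectory module, the target OU, the UPN suffix and the site naming rule are assumptions.

```powershell
# Added example, not code from the thread, LDSU or MIIS: the "feed file -> validating
# script -> AD" provisioning step, which also sets the OP's default (extensionAttribute5 = 100)
# as part of creation so it cannot be forgotten.
# Assumptions (hypothetical): RSAT ActiveDirectory module; the OU, UPN suffix and feed rows
# below are placeholders.
Import-Module ActiveDirectory

$TargetOu       = 'OU=NewHires,OU=Users,DC=example,DC=com'
$UpnSuffix      = 'example.com'
$DefaultQuotaMb = '100'   # extensionAttribute5 is a string attribute in the Exchange schema

# Constructed sample feed. In practice the web form or HR export would produce this file.
$Feed = @'
sAMAccountName,givenName,sn,department
asmith,Alice,Smith,Finance
bad name!,Bob,Jones,HR
,Carol,Lee,ITS
'@ | ConvertFrom-Csv

function Test-FeedRow {
    # Returns $null for a valid row, otherwise the reason it must be rejected.
    param([Parameter(Mandatory)] [psobject] $Row)
    foreach ($field in 'sAMAccountName', 'givenName', 'sn') {
        if ([string]::IsNullOrWhiteSpace($Row.$field)) { return "missing $field" }
    }
    # Site naming rule (assumed): 1-20 characters from a small safe set. This is tighter than
    # what AD itself accepts, and it keeps the value safe to embed in the LDAP filter below.
    if ($Row.sAMAccountName -notmatch '^[A-Za-z0-9._-]{1,20}$') {
        return "sAMAccountName '$($Row.sAMAccountName)' violates the naming rule"
    }
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$($Row.sAMAccountName))") {
        return "sAMAccountName '$($Row.sAMAccountName)' already exists"
    }
    return $null
}

function New-ProvisionedUser {
    param([Parameter(Mandatory)] [psobject] $Row, [switch] $WhatIf)
    $params = @{
        Name              = '{0} {1}' -f $Row.givenName, $Row.sn
        SamAccountName    = $Row.sAMAccountName
        GivenName         = $Row.givenName
        Surname           = $Row.sn
        UserPrincipalName = '{0}@{1}' -f $Row.sAMAccountName, $UpnSuffix
        Department        = $Row.department
        Path              = $TargetOu
        Enabled           = $false   # enabled by a separate step once a password has been set
        # The default value the OP asked for, written at creation time instead of in ADUC.
        OtherAttributes   = @{ extensionAttribute5 = $DefaultQuotaMb }
    }
    New-ADUser @params -WhatIf:$WhatIf
}

foreach ($row in $Feed) {
    $reason = Test-FeedRow -Row $row
    if ($reason) {
        # Rejected rows are logged and skipped; nothing half-formed reaches the directory.
        Write-Warning ("rejected feed row for '{0} {1}': {2}" -f $row.givenName, $row.sn, $reason)
        continue
    }
    New-ProvisionedUser -Row $row -WhatIf   # drop -WhatIf to actually create the account
}
```

With the sample feed only the first row passes validation; the second fails the naming rule and the third is missing its logon name.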
RE: [ActiveDir] Schema Question
I never considered that the license cost of MIIS was all that high. Even if you paid list (which not many of the customers I've worked with did), it's not a huge outlay. The significant costs are in the analysis, requirements, engineering, and operations.

-gil

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 30, 2006 10:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah, until the price of MIIS [1] comes down from its stratospheric level, and until I can look a customer in the eye and say "yes, you can use mySQL or such", I won't touch MIIS with a long pole.

[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a few, and the engineering that goes into making them work at all is so intensive that I don't like to offer them as "solutions".

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
RE: [ActiveDir] Schema Question
Being the cheapest doesn't make it cheap, Brian. It's all relative. Let me see you sell MIIS to a sub-5000-user environment. I've yet to see a successful MIIS implementation that cost less than 6 figures. That is an amount that I call "stratospheric", and would never recommend in response to questions similar to the one posted by the OP.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com

From: Brian Desmond
Sent: Fri 6/30/2006 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

MIIS is about the cheapest commercial one from the major directory vendors I've come across... Novell and Sun are 7 digit figure products on a good day.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132
RE: [ActiveDir] Schema Question
I will agree with your take, if you accept that "all that high" is already "too high" for a significant number of potential MIIS customers. Add that to the engineering costs, and the strict MS SQL requirement, and you will agree that a vast majority of environments that could use MIIS are already pushed out. This is why I stopped preaching MIIS.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com

From: Gil Kirkpatrick
Sent: Sat 7/1/2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

I never considered that the license cost of MIIS was all that high. Even if you paid list (which not many of the customers I've worked with did), it's not a huge outlay. The significant costs are in the analysis, requirements, engineering, and operations.

-gil
RE: [ActiveDir] Schema Question
But anyway, basic provisioning doesn't require MIIS or any syncing tool. I just didn't pick up on that angle. Maybe it was because of the "newb-ness" of the OP or the fact that he mentioned ADUC. Anywhoo, you are correct. Sincerely, _ (, / | /) /) /) /---| (/_ __ ___// _ // _ ) / |_/(__(_) // (_(_)(/_(_(_/(__(/_(_/ /) (/ Microsoft MVP - Directory Serviceswww.readymaids.com - we know ITwww.akomolafe.com-5.75, -3.23Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon From: joeSent: Sat 7/1/2006 7:16 AMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Schema Question I agree that MIIS is expensive but the SQL Server requirement is what irks me. We have had this conversation multiple times but if MSFT has to have it on their own tech DB then put it on ESE. Make it black box, you shouldn't have to require a SQL DBA to properly run your AD for their provisioning product. The security model isn't good because now instead of just DAs having extensive rights in the org, it is likely the DBAs will as well through proxy. I haven't really looked hard into compromising MIIS assuming I have DBA level access rights into the SQL Server but I fully expect there are holes. I am semi afraid to start poking into it specifically because I expect to find those holes and hate finding holes (bugs and security issues) in MSFT products because I feel honor bound to chase them into MSFT and find someone to fix them and I don't have the time. But anyway, basic provisioning doesn't require MIIS or any syncing tool. You just need something that could output basic data files for the new objects or the object changes and feed those into basic scripts that validate and shove them into AD. And in front of it you have some basic web page, a web form for a new user with no validation could be done in minutes, if you validate users you add a little _javascript_ or add some code to the backend. 
And note, this could be done on any flavor web server on any OS, doesn't require Windows. If you aren't big on writing AD Update code you then need a tool that could move that info into the directory and one of the most flexible tools I have seen to date and I have seen multiple times now filling roles like this as well as group management roles is LDSU (http://h20219.www2.hp.com/services/cache/11212-0-0-225-121.html). I only learned about it within the last 18 or so months, I don't recall ever hearing about it prior to that though it was available and used in many large companies. The advertising for it is nil but I know the developer quite well and he is good[1]. If joeware got big enough that I could go hire additional programmers, this guy is one of the guys I would go looking to get. One time (at band camp heh) I got called in to figure out how to make a well known's vendor's auto group management tool work and we only had like a week to figure it out before there were going to be penalties from the customer and the delivery folks had been trying to work out the issues for a couple of months. I spent a day on it trying to reverse how it worked (i.e. I sat down with the tool and manipulated it and watched the network traces - what every good integrator should be doing for every AD Application) and then sent a nice big bulleted list of issues to someone I knew at the vendor who supplied the tool. There were no easy fixes nor workarounds that could be implemented within a week so we switched to LDSU. Within 2 days everything was up and configured and running perfectly. Also run time for batch updates that occurred once per day had reduced from 12 hours to under 30 minutes and that was with the full set of groups, not the small pilot set that couldn't get working under the previous tool. 
It isn't as full featured and flashy as the big name sync tools in terms of built-in workflow and RAD development of rules, etc., but it is considerably cheaper than MIIS or the other tools Brian mentioned. If someone was looking to build a provisioning system quickly and only wanted to worry about the front end initially, this would be a great backend.

joe

[1] I think he is good both because he is actually very bright and has done a great job, and because when he doesn't know something, he admits it and goes and finds the answer.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 1:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah, until the price of MIIS [1] comes down from its stratospheric level, and until I can look a customer in the eye and say "yes, you can use mySQL or such", I won't touch MIIS with a long pole.

[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a few, and the engineering that goes into making them work at all is so intensive that I
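Joe's sketch above (a web form producing data files, then basic scripts that validate and shove them into AD), as an added worked example that is not code from the thread, from joeware or from LDSU: Python that takes constructed form submissions, allowlist-validates them, escapes the RDN value per RFC 4514 and emits an LDIF add record that ldifde or ldapadd can load, defaulting extensionAttribute5 to 100 the way the OP's Exchange team wanted. BASE_DN, UPN_SUFFIX, MAX_MAILBOX_QUOTA and the sample names are assumptions, as is the presence of the Exchange schema (extensionAttribute5) in the target forest; uniqueness of sAMAccountName against the live directory is not checked here.

```python
"""Validate web-form new-user requests and emit LDIF for a provisioning script.

Added example for this thread, not code from joeware, LDSU or MIIS.  Assumes
the container, UPN suffix and quota bound below, and that the Exchange schema
(extensionAttribute5) is present in the forest.
"""
import base64
import re

BASE_DN = "OU=Staff,DC=example,DC=com"   # assumption: container new users land in
UPN_SUFFIX = "example.com"               # assumption: UPN suffix for the forest
DEFAULT_MAILBOX_QUOTA = "100"            # extensionAttribute5 default the OP asked for
MAX_MAILBOX_QUOTA = 100_000              # assumption: sanity bound on the quota value

# sAMAccountName: at most 20 characters, none of  " / \ [ ] : ; | = , + * ? < >
# (AD's pre-Windows 2000 logon name rules); a conservative allowlist covers that.
_SAM_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,19}")
# Personal names: a letter in any script, then letters or  ' space . , -  only.
_NAME_RE = re.compile(r"[^\W\d_](?:[^\W\d_]|[' .,-]){0,63}")


class ValidationError(ValueError):
    """Raised for a form submission that must not reach the directory."""


def escape_dn_value(value: str) -> str:
    """Escape one RDN attribute value per RFC 4514, so a name such as
    'Jones, Jr.' cannot end the RDN and smuggle in extra DN components."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;=':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr: str, value: str) -> str:
    """One LDIF attribute line; base64 ('::') where RFC 2849 requires it:
    non-ASCII, a leading space/colon/'<', or an embedded NUL/CR/LF."""
    safe = (value.isascii()
            and not value.startswith((" ", ":", "<"))
            and not any(c in value for c in "\x00\r\n"))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def validate(form: dict) -> dict:
    """Allowlist-validate the fields the web form may supply; everything else
    the entry needs is decided by the script, never taken from the request."""
    sam = form.get("sAMAccountName", "").strip()
    given = form.get("givenName", "").strip()
    sn = form.get("sn", "").strip()
    quota = form.get("extensionAttribute5", "").strip() or DEFAULT_MAILBOX_QUOTA
    if not _SAM_RE.fullmatch(sam):
        raise ValidationError(f"bad sAMAccountName {sam!r}")
    if not _NAME_RE.fullmatch(given) or not _NAME_RE.fullmatch(sn):
        raise ValidationError(f"bad name {given!r} {sn!r}")
    if not quota.isdigit() or not 1 <= int(quota) <= MAX_MAILBOX_QUOTA:
        raise ValidationError(f"bad mailbox quota {quota!r}")
    return {"sAMAccountName": sam, "givenName": given, "sn": sn,
            "extensionAttribute5": str(int(quota))}


def to_ldif(user: dict) -> str:
    """Render one validated user as an LDIF add record.  The account is created
    disabled (userAccountControl 514); the password is set in a separate step."""
    cn = f"{user['givenName']} {user['sn']}"
    dn = f"CN={escape_dn_value(cn)},{BASE_DN}"
    lines = [
        ldif_line("dn", dn),
        "changetype: add",
        "objectClass: user",
        ldif_line("cn", cn),
        ldif_line("sAMAccountName", user["sAMAccountName"]),
        ldif_line("userPrincipalName", f"{user['sAMAccountName']}@{UPN_SUFFIX}"),
        ldif_line("givenName", user["givenName"]),
        ldif_line("sn", user["sn"]),
        ldif_line("displayName", cn),
        ldif_line("extensionAttribute5", user["extensionAttribute5"]),
        "userAccountControl: 514",
    ]
    return "\n".join(lines) + "\n"


def process(requests: list) -> tuple:
    """Split raw form submissions into (LDIF batch, list of (who, why) rejections)."""
    records, rejected = [], []
    for form in requests:
        try:
            records.append(to_ldif(validate(form)))
        except ValidationError as exc:
            rejected.append((form.get("sAMAccountName"), str(exc)))
    return "\n".join(records), rejected


# Constructed sample submissions (not real data): one plain, one whose surname
# needs DN escaping, one non-ASCII name, and two that must be rejected.
SAMPLE_REQUESTS = [
    {"sAMAccountName": "asmith", "givenName": "Alice", "sn": "Smith"},
    {"sAMAccountName": "bjones", "givenName": "Bob", "sn": "Jones, Jr.",
     "extensionAttribute5": "250"},
    {"sAMAccountName": "rmueller", "givenName": "René", "sn": "Müller"},
    {"sAMAccountName": "dom\\admin", "givenName": "Mallory", "sn": "Evil"},
    {"sAMAccountName": "mallory2", "givenName": "Mallory", "sn": "X,OU=Domain Admins"},
]

if __name__ == "__main__":
    batch, bad = process(SAMPLE_REQUESTS)
    print(batch)
    for who, why in bad:
        print(f"REJECTED {who}: {why}")
```

Run as a script it prints the LDIF batch and the rejections; `ldifde -i -f new-users.ldif` on Windows or `ldapadd` on any OS loads the batch, and that loader is the only piece that needs write rights in the directory. Everything the form did not supply is set by the script, the account starts disabled, and the password never comes from the web form; the allowlist plus RFC 4514 escaping is what keeps a crafted name from turning into extra DN components or extra attributes.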
RE: [ActiveDir] Schema Question
- Actually have a client in your sub 5000 bracket that will probably go MIIS
- Doing a major org MIIS install at the moment that looks like it will come in well $100K

I recommended some sort of provisioning system, not just MIIS, to the OP. MIIS was the example.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, July 01, 2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Being the cheapest doesn't make it cheap, Brian. It's all relative. Let me see you sell MIIS to a sub-5000-user environment. I've yet to see a successful MIIS implementation that cost less than 6 figures. That is an amount that I call stratospheric, and would never recommend in response to questions similar to the one posted by the OP.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Brian Desmond
Sent: Fri 6/30/2006 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

MIIS is about the cheapest commercial one from the major directory vendors I've come across... Novell and Sun are 7-digit figure products on a good day.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

-Original Message-
From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 12:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah, until the price of MIIS [1] comes down from its stratospheric level, and until I can look a customer in the eye and say "yes, you can use mySQL or such", I won't touch MIIS with a long pole.

[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a few, and the engineering that goes into making them work at all is so intensive that I don't like to offer them as solutions.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

You mean as in copying in ADUC... What, are you crazy?? Provisioning is the new cool key word, Deji. ;)

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Listen to what they say. But if you really have to set attributes, consider using user templates and populating the relevant settings that you need. Then do your user account creation using the templates.

Sincerely,
Deji Akomolafe
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

And anyway you should be putting quotas either in a recipient policy or manually on the attributes that control them...

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

No. Your provisioning system (e.g. MIIS, etc.) should be doing this.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

All,

Let me start with, I'm a total newb when it comes to Schema and Schema modifications.

Is it possible to modify the schema so that every time a new user is created (via ADUC) an extension attribute is populated with a default value? Our
RE: [ActiveDir] Schema Question
Anything above a few hundred and using ADUC, I expect, is more expensive and error prone than using some form of provisioning automation, and note, I am not saying MIIS as the provisioning tool. I am just saying there needs to be some form of provisioning automation, even if it is scripts fired by the admin. At the widget factory, initially delegated admin IDs all had to be handled by the DAs; that was only a couple of thousand IDs and that immediately got handled by scripts. That made creation of an admin ID take all of about 2-3 seconds, and a password reset took that much or less. You won't even see the ADUC GUI in that time frame, and the chances of mistakes are far greater.

Some people may not like to think that their job function could be replaced by a script or program, but it is the truth[1], and in any environment the people costs are truly the higher ones, both in straight monetary costs and in mistakes, etc. The main reason to add more people should normally be for redundancy or flexibility in being able to do more different/ad hoc requests that come up. The basic administration of the environment should mostly be automated and take at most one FT position watching over it to make sure it is going smoothly. Flexibility and non-standard processes take people, not day-to-day administration.

Again though, with the SQL requirement in MIIS, I don't see it reducing the people costs a lot unless you can dump quite a few admins due to their jobs being primarily provisioning, but you have to pick someone up who knows MIIS and SQL Server well to cover the bad times with MIIS. Again, if that were an ESE engine under it, you wouldn't need a DB person around to make it work. I think MSFT is being quite asinine with MIIS until they remove the SQL requirement. But then that is nothing new; I have been saying that since day 1 of MIIS, and that spawned the little "debate" at the MVP summit concerning its use when we were in Developer day.
joe

[1] In general, any position that is about following a documented process and entering commands into the computer can almost certainly be filled by a well written script/tool.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
RE: [ActiveDir] Schema Question
I'm not convinced you need a DBA to deal with the MSSQL backend. MS publishes a nice MIIS DB document that details all the switches you might want to flip and the dials to turn. Beyond that, I don't think it's any different than knowing how to use esentutl.

Thanks,
Brian Desmond
[EMAIL PROTECTED]
c - 312.731.3132