RE: [ActiveDir] Schema Question

2006-07-02 Thread joe



How many people have you dealt with who have had ESE blow up under them in AD relative to the number of AD deployments? I can't say I have ever talked with someone directly who had an issue like that that wasn't due to hardware failure. Conversely I have spoken with several folks in larger orgs where SQL blew out under MOM and/or MIIS. I have heard this both directly and spoken to the MCS folks who got called in to try and put it all back together. I didn't know all of the details but in one of them I know for sure that someone was "looking around" about the time the system hit the floor. While the latter speaks to security by insecurity, it seems to be relatively good security at this point because there are no well known generic ESE browse/modify tools that would encourage people who shouldn't be poking around to poke around.

Another issue that I brought up during the summit a few 
years ago was the idea that some companies have actually said that SQL is not 
allowed on their network at all, they have a DB standard of Oracle or MySQL or 
other lesser known DB techs. An app like AD or ADAM gets through because the DB 
isn't a separate component/application, it is integrated and black box. 


The folks that I have spoken with that like SQL for the 
backend seem to like it because they are screwing with the backend. They want to 
pull out info and manipulate it without going through MIIS. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Saturday, July 01, 2006 8:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


I'm not convinced you need a DBA to deal with the MSSQL backend. MS publishes a nice MIIS DB document that details all the switches you might want to flip and the dials to turn. Beyond that, I don't think it's any different than knowing how to use esentutl


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, July 01, 2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Anything above a few hundred and using ADUC I expect is more expensive and error prone than using some form of provisioning automation, and note, I am not saying MIIS as the provisioning tool. I am just saying there needs to be some form of provisioning automation even if it is scripts fired by the admin. At the widget factory initially delegated admin IDs all had to be handled by the DAs, that was only a couple of thousand IDs and that immediately got handled by scripts. That made creation of an admin ID take all of about 2-3 seconds and a password reset took that much or less. You won't even see the ADUC GUI in that time frame and the chances of mistakes are far greater.



Some people may not like to think that their job function could be replaced by a script or program but it is the truth[1] and in any environment, the people costs are truly the higher ones. Both from straight monetary costs but also mistakes, etc. The main reason to add more people should normally be for redundancy or flexibility in being able to do more different/ad hoc requests that come up. The basic administration of the environment should mostly be automated and take at most one FT position watching over it to make sure it is going smoothly. Flexibility and non-standard processes take people, not day to day administration.



Again though, with the SQL requirement in MIIS, I don't see it reducing the people costs a lot unless you can dump quite a few admins due to their jobs being primarily provisioning but you have to pick someone up who knows MIIS and SQL Server well to cover the bad times with MIIS. Again, if that were an ESE engine under it, you wouldn't need a DB person around to make it work. I think MSFT is being quite asinine with MIIS until they remove the SQL requirement. But then that is nothing new, I have been saying that since day 1 of MIIS and that spawned the little "debate" at the MVP summit concerning its use when we were in Developer day.



 
joe







[1] In general, any position that is about following a documented process and entering commands into the computer can almost certainly be filled by a well written script/tool.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, July 01, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


Being the cheapest doesn't make it cheap, Brian. It's all relative. Let me see you sell MIIS to a sub-5000-user environment. I've yet to see a successful MIIS implementation that cost less than 6 figures. That is an amount that I call "stratospheric", and would never reco

RE: [ActiveDir] Schema Question

2006-07-01 Thread Brian Desmond
MIIS is about the Cheapest commercial one from the major directory
vendors I've come across...Novell and Sun are 7 digit figure products on
a good day

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Saturday, July 01, 2006 12:33 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 Yeah,
 
 until the price of MIIS [1] comes down from its stratospheric level,
 and until I can look customer in the eye and say yes, you can use
 mySQL or such, I won't touch MIIS with a long pole.
 
 [1]Yes yes, MIIS is just one of many provisioning solutions. I've seen
 a few, and the engineering that goes into making them work at all is
so
 intensive that I don't like to offer them as solutions.
 
 
 
 
 
 
 Sincerely,
_
   (, /  |  /)   /) /)
 /---| (/_  __   ___// _   //  _
  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)
(/
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com  - we know IT
 www.akomolafe.com http://www.akomolafe.com -5.75, -3.23 Do you now
 realize that Today is the Tomorrow you were worried about Yesterday? -
 anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of joe
 Sent: Fri 6/30/2006 1:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 You mean as in copying in ADUC... What are you crazy?? Provisioning is
 the new cool key word Deji. ;)
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm
 
 
 
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Deji
Akomolafe
 Sent: Friday, June 30, 2006 3:11 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 Listen to what they say
 
 But if you really have to set attributes, consider using user
templates
 and populating the relevant settings that you need. Then do your user
 account creation using the templates.
 
 
 Sincerely,
_
   (, /  |  /)   /) /)
 /---| (/_  __   ___// _   //  _
  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)
(/
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com  - we know IT
 www.akomolafe.com http://www.akomolafe.com -5.75, -3.23 Do you now
 realize that Today is the Tomorrow you were worried about Yesterday? -
 anon
 
 
 
 From: Brian Desmond
 Sent: Fri 6/30/2006 10:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 
 And anyway you should be putting quotas either in a recipient policy
or
 manually on the attributes that control them...
 
 
 
 Thanks,
 
 Brian Desmond
 
 [EMAIL PROTECTED]
 
 
 
 c - 312.731.3132
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: Friday, June 30, 2006 12:42 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 
 No. Your provisioning system (e.g. MIIS, etc) should be doing this.
 
 
 
 Thanks,
 
 Brian Desmond
 
 [EMAIL PROTECTED]
 
 
 
 c - 312.731.3132
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin
 (ITS)
 Sent: Friday, June 30, 2006 12:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Schema Question
 
 
 
 All,
 
 
 
 Let me start with, I'm a total newb when it comes to Schema and Schema
 modifications.
 
 
 
 Is it possible to modify the schema so that every time a new user is
 created (via ADUC) an extension attribute is populated with a default
 value? Our Exchange guys would like extensionAttribute5 to be
populated
 automatically with 100, which is the default mailbox size. Is this
 possible? It seems like it would be, but as I warned, I'm a newb.
 
 
 
 Thanks,
 
 
 
 Justin Clay
 ITS Enterprise Services
 Metropolitan Government of Nashville and Davidson County Howard School
 Building
 Phone: (615) 880-2573
 
 
 
 
 
 ITS ENTERPRISE SERVICES EMAIL NOTICE
 
 The information contained in this email and any attachments is
 confidential and may be subject to copyright or other intellectual
 property protection. If you are not the intended recipient, you are
not
 authorized to use or disclose this information, and we request that
you
 notify us by reply mail or telephone and delete the original message
 from your mail system.
 
 
 
 List info   : http://www.activedir.org/List.aspx
 List FAQ: http://www.activedir.org/ListFAQ.aspx
 List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Schema Question

2006-07-01 Thread joe

I agree that MIIS is expensive but the SQL Server requirement is what irks
me. We have had this conversation multiple times but if MSFT has to have it
on their own tech DB then put it on ESE. Make it black box, you shouldn't
have to require a SQL DBA to properly run your AD for their provisioning
product. The security model isn't good because now instead of just DAs
having extensive rights in the org, it is likely the DBAs will as well
through proxy. I haven't really looked hard into compromising MIIS assuming
I have DBA level access rights into the SQL Server but I fully expect there
are holes. I am semi afraid to start poking into it specifically because I
expect to find those holes and hate finding holes (bugs and security issues)
in MSFT products because I feel honor bound to chase them into MSFT and find
someone to fix them and I don't have the time.

But anyway, basic provisioning doesn't require MIIS or any syncing tool. You
just need something that could output basic data files for the new objects
or the object changes and feed those into basic scripts that validate and
shove them into AD. And in front of it you have some basic web page, a web
form for a new user with no validation could be done in minutes, if you
validate users you add a little javascript or add some code to the backend.
And note, this could be done on any flavor web server on any OS, doesn't
require Windows. If you aren't big on writing AD Update code you then need a
tool that could move that info into the directory and one of the most
flexible tools I have seen to date and I have seen multiple times now
filling roles like this as well as group management roles is LDSU
(http://h20219.www2.hp.com/services/cache/11212-0-0-225-121.html).  I only
learned about it within the last 18 or so months, I don't recall ever
hearing about it prior to that though it was available and used in many
large companies. The advertising for it is nil but I know the developer
quite well and he is good[1]. If joeware got big enough that I could go hire
additional programmers, this guy is one of the guys I would go looking to
get.

One time (at band camp heh) I got called in to figure out how to make a
well-known vendor's auto group management tool work and we only had like a week
to figure it out before there were going to be penalties from the customer
and the delivery folks had been trying to work out the issues for a couple
of months. I spent a day on it trying to reverse how it worked (i.e. I sat
down with the tool and manipulated it and watched the network traces - what
every good integrator should be doing for every AD Application) and then
sent a nice big bulleted list of issues to someone I knew at the vendor who
supplied the tool. There were no easy fixes nor workarounds that could be
implemented within a week so we switched to LDSU. Within 2 days everything
was up and configured and running perfectly. Also run time for batch updates
that occurred once per day had reduced from 12 hours to under 30 minutes
and that was with the full set of groups, not the small pilot set that
couldn't get working under the previous tool. It isn't as full featured and
flashy as the big name sync tools in terms of building in workflow and RAD
development of rules, etc but it is considerably cheaper than an MIIS or the
other tools Brian mentioned. If someone was looking to build a provisioning
system quickly and only wanted to worry about the front end initially, this
would be a great backend. 

  joe





[1] I think he is good both because he is actually very bright and done a
great job and because when he doesn't know something, he admits it and goes
and finds the answer. 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
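
The "data file in, validate, then load into AD" pipeline described in the message above, sketched as an added example; it is not code from the thread or from any tool the posters mention. It assumes a CSV feed with the column names shown, a placeholder container DN, a conservative allow-list for logon names, and LDIF output for an import tool; it also applies the default of 100 for extensionAttribute5 that the original question asks about.

```python
import base64
import csv
import io
import re

# Constructed sample feed, standing in for what a web form backend would write.
SAMPLE_FEED = '''sAMAccountName,givenName,sn,extensionAttribute5
jdoe,Jane,Doe,
bsmith,Bob,"Smith, Jr.",250
evil)(uid=*,Eve,Mallory,100
asmith,Ann,Smith,lots
'''

BASE_DN = "OU=Staff,DC=example,DC=com"  # assumed container in a placeholder domain
DEFAULT_QUOTA = "100"                   # default mailbox size from the original question
SAM_RE = re.compile(r"[A-Za-z0-9._-]{1,20}")  # conservative allow-list for logon names
QUOTA_RE = re.compile(r"[0-9]{1,6}")          # whole number; the upper bound is assumed


def escape_rdn_value(value):
    """Escape a value for use inside a DN (RFC 4514 special characters)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def ldif_line(attr, value):
    """Emit 'attr: value', switching to base64 ('attr:: ...') when RFC 2849 requires it."""
    unsafe = (not value.isascii() or re.search(r"[\x00\r\n]", value)
              or value.startswith((" ", ":", "<")) or value.endswith(" "))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def validate_record(row):
    """Return (clean_record, errors); the quota attribute is defaulted when left blank."""
    rec = {k: (row.get(k) or "").strip()
           for k in ("sAMAccountName", "givenName", "sn", "extensionAttribute5")}
    rec["extensionAttribute5"] = rec["extensionAttribute5"] or DEFAULT_QUOTA
    errors = []
    if not SAM_RE.fullmatch(rec["sAMAccountName"]):
        errors.append("sAMAccountName fails allow-list")
    if not rec["givenName"] or not rec["sn"]:
        errors.append("givenName and sn are required")
    if re.search(r"[\x00-\x1f]", rec["givenName"] + rec["sn"]):
        errors.append("control character in name")
    if not QUOTA_RE.fullmatch(rec["extensionAttribute5"]):
        errors.append("extensionAttribute5 must be a whole number")
    return rec, errors


def build_ldif(feed_text):
    """Turn the feed into LDIF add operations; return (ldif_text, rejected_rows)."""
    entries, rejected = [], []
    reader = csv.DictReader(io.StringIO(feed_text))
    for row in reader:
        rec, errors = validate_record(row)
        if errors:
            # Rejected rows never reach the directory; keep them for review.
            rejected.append((reader.line_num, rec["sAMAccountName"], errors))
            continue
        cn = f"{rec['givenName']} {rec['sn']}"
        lines = [ldif_line("dn", f"CN={escape_rdn_value(cn)},{BASE_DN}"),
                 "changetype: add",
                 "objectClass: user"]
        lines += [ldif_line(k, v) for k, v in rec.items()]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + ("\n" if entries else ""), rejected


if __name__ == "__main__":
    ldif, rejected = build_ldif(SAMPLE_FEED)
    print(ldif)
    for line_no, sam, errors in rejected:
        print(f"# rejected line {line_no} ({sam!r}): {'; '.join(errors)}")
```

The account that loads the resulting file only needs create rights on the target container, which keeps the web front end and the feed itself outside the set of things holding directory privileges.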
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 1:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah,
 
until the price of MIIS [1] comes down from its stratospheric level, and
until I can look customer in the eye and say yes, you can use mySQL or
such, I won't touch MIIS with a long pole.
 
[1]Yes yes, MIIS is just one of many provisioning solutions. I've seen a
few,
and the engineering that goes into making them work at all is so intensive
that I don't like to offer them as solutions.

 

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com  
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28

RE: [ActiveDir] Schema Question

2006-07-01 Thread Gil Kirkpatrick
I never considered that the license cost of MIIS was all that high. Even
if you paid list (which not many of the customers I've worked with did),
it's not a huge outlay.

The significant costs are in the analysis, requirements, engineering,
and operations.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 30, 2006 10:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah,
 
until the price of MIIS [1] comes down from its stratospheric level, and
until I can look customer in the eye and say yes, you can use mySQL or
such, I won't touch MIIS with a long pole.
 
[1]Yes yes, MIIS is just one of many provisioning solutions. I've seen a
few,
and the engineering that goes into making them work at all is so
intensive
that I don't like to offer them as solutions.

 

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com  
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


You mean as in copying in ADUC... What are you crazy?? Provisioning is
the
new cool key word Deji. ;)
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


Listen to what they say
 
But if you really have to set attributes, consider using user templates
and
populating the relevant settings that you need. Then do your user
account
creation using the templates.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com  
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question



And anyway you should be putting quotas either in a recipient policy or
manually on the attributes that control them...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

 

No. Your provisioning system (e.g. MIIS, etc) should be doing this. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin
(ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

 

All,

 

Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

 

Is it possible to modify the schema so that every time a new user is
created
(via ADUC) an extension attribute is populated with a default value? Our
Exchange guys would like extensionAttribute5 to be populated
automatically
with 100, which is the default mailbox size. Is this possible? It seems
like
it would be, but as I warned, I'm a newb.

 

Thanks,

 

Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573

 



ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is
confidential
and may be subject to copyright or other intellectual property
protection. If
you are not the intended recipient, you are not authorized to use or
disclose
this information, and we request that you notify us by reply mail or
telephone and delete the original message from your mail system.

 



RE: [ActiveDir] Schema Question

2006-07-01 Thread Deji Akomolafe



Being the cheapest doesn't make it cheap, Brian. It's all relative. Let me see you sell MIIS to a sub-5000-user environment. I've yet to see a successful MIIS implementation that cost less than 6 figures. That is an amount that I call "stratospheric", and would never recommend in response to questions similar to the one posted by the OP.



Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Brian Desmond
Sent: Fri 6/30/2006 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

MIIS is about the Cheapest commercial one from the major directory
vendors I've come across...Novell and Sun are 7 digit figure products on
a good day

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Saturday, July 01, 2006 12:33 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 Yeah,
 
 until the price of MIIS [1] comes down from its stratospheric level,
 and until I can look customer in the eye and say "yes, you can use
 mySQL or such", I won't touch MIIS with a long pole.
 
 [1]Yes yes, MIIS is just one of many provisioning solutions. I've seen
 a few, and the engineering that goes into making them work at all is
so
 intensive that I don't like to offer them as "solutions".
 
 
 
 
 
 
 Sincerely,
_
   (, /  |  /)   /) /)
 /---| (/_  __   ___// _   //  _
  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)
(/
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com  - we know IT
 www.akomolafe.com http://www.akomolafe.com -5.75, -3.23 Do you now
 realize that Today is the Tomorrow you were worried about Yesterday? -
 anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of joe
 Sent: Fri 6/30/2006 1:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 You mean as in copying in ADUC... What are you crazy?? Provisioning is
 the new cool key word Deji. ;)
 
 --
 O'Reilly Active Directory Third Edition -
 http://www.joeware.net/win/ad3e.htm
 
 
 
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Deji
Akomolafe
 Sent: Friday, June 30, 2006 3:11 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 Listen to what they say
 
 But if you really have to set attributes, consider using user
templates
 and populating the relevant settings that you need. Then do your user
 account creation using the templates.
 
 
 Sincerely,
_
   (, /  |  /)   /) /)
 /---| (/_  __   ___// _   //  _
  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)
(/
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com  - we know IT
 www.akomolafe.com http://www.akomolafe.com -5.75, -3.23 Do you now
 realize that Today is the Tomorrow you were worried about Yesterday? -
 anon
 
 
 
 From: Brian Desmond
 Sent: Fri 6/30/2006 10:58 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 
 And anyway you should be putting quotas either in a recipient policy
or
 manually on the attributes that control them...
 
 
 
 Thanks,
 
 Brian Desmond
 
 [EMAIL PROTECTED]
 
 
 
 c - 312.731.3132
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
 Sent: Friday, June 30, 2006 12:42 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 
 No. Your provisioning system (e.g. MIIS, etc) should be doing this.
 
 
 
 Thanks,
 
 Brian Desmond
 
 [EMAIL PROTECTED]
 
 
 
 c - 312.731.3132
 
 
 
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin
 (ITS)
 Sent: Friday, June 30, 2006 12:38 PM
 To: ActiveDir@mail.activedir.org
 Subject: [ActiveDir] Schema Question
 
 
 
 All,
 
 
 
 Let me start with, I'm a total newb when it comes to Schema and Schema
 modifications.
 
 
 
 Is it possible to modify the schema so that every time a new user is
 created (via ADUC) an extension attribute is populated with a default
 value? Our Exchange guys would like extensionAttribute5 to be
populated
 automatically with 100, which is the default mailbox size. Is this
 possible? It seems like it would be, but as I warned, I'm a newb.
 
 
 
 Thanks,
 
 
 
 Justin Clay
 ITS Enterprise Services
 Metropolitan Government of Nashville and Davidson County Howard School
 Building
 Phone: (615) 880-2573
 
 
 
 
 
 ITS ENTERPRISE SERVICES E

RE: [ActiveDir] Schema Question

2006-07-01 Thread Deji Akomolafe



I will agree with your take, if you accept that "all that high" is already "too high" for a significant number of potential MIIS customers. Add that to the engineering costs, and the strict MS SQL requirement, you will agree that a vast majority of environments that could use MIIS are already pushed out. This is why I stopped preaching MIIS.



Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: Gil Kirkpatrick
Sent: Sat 7/1/2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

I never considered that the license cost of MIIS was all that high. Even
if you paid list (which not many of the customers I've worked with did),
it's not a huge outlay.

The significant costs are in the analysis, requirements, engineering,
and operations.

-gil

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, June 30, 2006 10:33 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah,
 
until the price of MIIS [1] comes down from its stratospheric level, and
until I can look customer in the eye and say "yes, you can use mySQL or
such", I won't touch MIIS with a long pole.
 
[1]Yes yes, MIIS is just one of many provisioning solutions. I've seen a
few,
and the engineering that goes into making them work at all is so
intensive
that I don't like to offer them as "solutions".

 

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com  
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


You mean as in copying in ADUC... What are you crazy?? Provisioning is
the
new cool key word Deji. ;)
 
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


Listen to what they say
 
But if you really have to set attributes, consider using user templates
and
populating the relevant settings that you need. Then do your user
account
creation using the templates.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com  
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question



And anyway you should be putting quotas either in a recipient policy or
manually on the attributes that control them...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

 

No. Your provisioning system (e.g. MIIS, etc) should be doing this. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin
(ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

 

All,

 

Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

 

Is it possible to modify the schema so that every time a new user is
created
(via ADUC) an extension attribute is populated with a default value? Our
Exchange guys would like extensionAttribute5 to be populated
automatically
with 100, which is the default mailbox size. Is this possible? It seems
like
it would be, but as I warned, I'm a newb.

 

Thanks,

 

Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573

 



ITS ENTERPRIS

RE: [ActiveDir] Schema Question

2006-07-01 Thread Deji Akomolafe



> But anyway, basic provisioning doesn't require MIIS or any syncing tool.

I just didn't pick up on that angle. Maybe it was because of the "newb-ness" of the OP or the fact that he mentioned ADUC.

Anywhoo, you are correct.



Sincerely,
   _
  (, /  |  /)   /) /)
/---| (/_  __   ___// _   //  _
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)
   (/
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon


From: joe
Sent: Sat 7/1/2006 7:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

I agree that MIIS is expensive but the SQL Server requirement is what irks
me. We have had this conversation multiple times but if MSFT has to have it
on their own tech DB then put it on ESE. Make it black box, you shouldn't
have to require a SQL DBA to properly run your AD for their provisioning
product. The security model isn't good because now instead of just DAs
having extensive rights in the org, it is likely the DBAs will as well
through proxy. I haven't really looked hard into compromising MIIS assuming
I have DBA level access rights into the SQL Server but I fully expect there
are holes. I am semi afraid to start poking into it specifically because I
expect to find those holes and hate finding holes (bugs and security issues)
in MSFT products because I feel honor bound to chase them into MSFT and find
someone to fix them and I don't have the time.

But anyway, basic provisioning doesn't require MIIS or any syncing tool. You
just need something that could output basic data files for the new objects
or the object changes and feed those into basic scripts that validate and
shove them into AD. And in front of it you have some basic web page, a web
form for a new user with no validation could be done in minutes, if you
validate users you add a little javascript or add some code to the backend.
And note, this could be done on any flavor web server on any OS, doesn't
require Windows. If you aren't big on writing AD Update code you then need a
tool that could move that info into the directory and one of the most
flexible tools I have seen to date and I have seen multiple times now
filling roles like this as well as group management roles is LDSU
(http://h20219.www2.hp.com/services/cache/11212-0-0-225-121.html).  I only
learned about it within the last 18 or so months, I don't recall ever
hearing about it prior to that though it was available and used in many
large companies. The advertising for it is nil but I know the developer
quite well and he is good[1]. If joeware got big enough that I could go hire
additional programmers, this guy is one of the guys I would go looking to
get.

One time (at band camp heh) I got called in to figure out how to make a
well-known vendor's auto group management tool work and we only had like a week
to figure it out before there were going to be penalties from the customer
and the delivery folks had been trying to work out the issues for a couple
of months. I spent a day on it trying to reverse how it worked (i.e. I sat
down with the tool and manipulated it and watched the network traces - what
every good integrator should be doing for every AD Application) and then
sent a nice big bulleted list of issues to someone I knew at the vendor who
supplied the tool. There were no easy fixes nor workarounds that could be
implemented within a week so we switched to LDSU. Within 2 days everything
was up and configured and running perfectly. Also run time for batch updates
that occurred once per day had reduced from 12 hours to under 30 minutes
and that was with the full set of groups, not the small pilot set that
couldn't get working under the previous tool. It isn't as full featured and
flashy as the big name sync tools in terms of building in workflow and RAD
development of rules, etc but it is considerably cheaper than an MIIS or the
other tools Brian mentioned. If someone was looking to build a provisioning
system quickly and only wanted to worry about the front end initially, this
would be a great backend. 

  joe





[1] I think he is good both because he is actually very bright and has done a
great job and because when he doesn't know something, he admits it and goes
and finds the answer. 



--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, July 01, 2006 1:33 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

Yeah,
 
until the price of MIIS [1] comes down from its stratospheric level, and
until I can look customer in the eye and say "yes, you can use mySQL or
such", I won't touch MIIS with a long pole.
 
[1]Yes yes, MIIS is just one of many provisioning solutions. I've seen a
few,
and the engineering that goes into making them work at all is
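joe's message above describes a web form writing data files that scripts validate and then load into AD. The validation step could look like the following added example, which is not code from the thread; the target OU, the CSV column names and the sample rows are assumptions constructed for illustration, and the output is LDIF for an import tool such as ldifde.

```python
import base64
import csv
import io
import re

# Assumptions for this example (not from the thread): the target OU and the
# column names of the request file written by the web form.
TARGET_OU = "OU=Staff,DC=example,DC=com"
FIELDS = ("sAMAccountName", "givenName", "sn")

SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')   # characters AD rejects in sAMAccountName
SAM_MAX_LEN = 20                           # limit for user logon names
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Constructed sample input: three acceptable requests and two that must be refused.
SAMPLE_CSV = (
    "sAMAccountName,givenName,sn\n"
    "jdoe,Jane,Doe\n"
    'bsmith,Bob,"Smith, Jr."\n'
    "mmuller,Mia,M\u00fcller\n"
    '"eve\ndescription: x",Eve,Example\n'
    "thisnameiswaytoolongforad,Too,Long\n"
)


def validate(row):
    """Return the list of problems found in one request row (empty = accept)."""
    problems = []
    for field in FIELDS:
        value = row.get(field, "")
        if not value:
            problems.append(field + ": missing")
        elif CONTROL_CHARS.search(value):
            # An embedded newline would become an extra LDIF line chosen by the submitter.
            problems.append(field + ": control character")
    sam = row.get("sAMAccountName", "")
    if len(sam) > SAM_MAX_LEN:
        problems.append("sAMAccountName: longer than 20 characters")
    if SAM_FORBIDDEN & set(sam):
        problems.append("sAMAccountName: forbidden character")
    return problems


def escape_rdn_value(value):
    """Escape a string for use as an RDN value in a DN (RFC 4514)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        special = ch in ',+"\\<>;=' or (i == 0 and ch in "# ") or (i == last and ch == " ")
        out.append("\\" + ch if special else ch)
    return "".join(out)


def ldif_line(attr, value):
    """Format one attribute line; base64-encode values that are not an LDIF SAFE-STRING (RFC 2849)."""
    safe = (value.isascii() and not CONTROL_CHARS.search(value)
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return attr + ": " + value
    return attr + ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")


def to_ldif(row):
    """Build the LDIF add record for a validated row; the account is created disabled."""
    cn = row["givenName"] + " " + row["sn"]
    return "\n".join([
        ldif_line("dn", "CN=" + escape_rdn_value(cn) + "," + TARGET_OU),
        "changetype: add",
        "objectClass: user",
        ldif_line("sAMAccountName", row["sAMAccountName"]),
        ldif_line("givenName", row["givenName"]),
        ldif_line("sn", row["sn"]),
        "userAccountControl: 514",  # 512 (normal account) + 2 (disabled)
    ]) + "\n"


def process(csv_text):
    """Return (ldif_records, rejected); rejected is a list of (row_number, problems)."""
    accepted, rejected = [], []
    for number, raw in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        row = {key: (raw.get(key) or "").strip() for key in FIELDS}
        problems = validate(row)
        if problems:
            rejected.append((number, problems))
        else:
            accepted.append(to_ldif(row))
    return accepted, rejected


if __name__ == "__main__":
    records, refused = process(SAMPLE_CSV)
    print("\n".join(records))
    for number, problems in refused:
        print("rejected row %d: %s" % (number, "; ".join(problems)))
```

The rejected rows never reach the LDIF output, so a form field carrying a newline cannot add attribute lines of its own to the import file.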

RE: [ActiveDir] Schema Question

2006-07-01 Thread Brian Desmond









-> Actually have a client in your sub 5000 bracket that will probably go MIIS

-> Doing a major org MIIS install at the moment that looks like it will come in well $100K



I recommended some sort of provisioning system, not just MIIS to
the OP. MIIS was the example





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Deji Akomolafe
Sent: Saturday, July 01, 2006 2:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question











Being the cheapest doesn't make it cheap, Brian. It's all
relative. Let me see you sell MIIS to a sub-5000-user environment. I've yet to
see a successful MIIS implementation that cost less than 6 figures. That
is an amount that I call "stratospheric", and would never recommend
in response to questions similar to the one posted by the OP.


















Sincerely, 

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

















From: Brian Desmond
Sent: Fri 6/30/2006 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question



MIIS is about the Cheapest commercial one from the major directory
vendors I've come across...Novell and Sun are 7 digit figure products on
a good day

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

RE: [ActiveDir] Schema Question

2006-07-01 Thread joe



Anything above a few hundred and using ADUC I expect is
more expensive and error prone than using some form of provisioning automation,
and note, I am not saying MIIS as the provisioning tool. I am just saying there
needs to be some form of provisioning automation even if it is scripts fired by
the admin. At the widget factory initially delegated admin IDs all had to be
handled by the DAs, that was only a couple of thousand IDs and that immediately
got handled by scripts. That made creation of an admin ID take all of about 2-3
seconds and a password reset took that much or less. You won't even see the ADUC
GUI in that time frame and the chances of mistakes are far greater.

Some people may not like to think that their job function could be replaced by a
script or program but it is the truth[1] and in any environment, the people
costs are truly the higher ones. Both from straight monetary costs but also
mistakes, etc. The main reason to add more people should normally be for
redundancy or flexibility in being able to do more different ad hoc
requests that come up. The basic administration of the environment should mostly
be automated and take at most one FT position watching over it to make sure it
is going smoothly. Flexibility and non-standard processes take people, not day
to day administration.

Again though, with the SQL requirement in MIIS, I don't see it reducing the people
costs a lot unless you can dump quite a few admins due to their jobs being
primarily provisioning but you have to pick someone up who knows MIIS and SQL
Server well to cover the bad times with MIIS. Again, if that were an ESE engine
under it, you wouldn't need a DB person around to make it work. I think MSFT is
being quite asinine with MIIS until they remove the SQL requirement. But then
that is nothing new, I have been saying that since day 1 of MIIS and that
spawned the little "debate" at the MVP summit concerning its use when we were in
Developer day.

 
joe



[1] In general, any position that is about following a documented process and
entering commands into the computer can almost certainly be filled by a well
written script/tool.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, July 01, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


Being the cheapest doesn't make it cheap, Brian. It's all relative. Let me see
you sell MIIS to a sub-5000-user environment. I've yet to see a successful MIIS
implementation that cost less than 6 figures. That is an amount that I call
"stratospheric", and would never recommend in response to questions similar to
the one posted by the OP.



Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Brian Desmond
Sent: Fri 6/30/2006 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

MIIS is about the Cheapest commercial one from the major directory
vendors I've come across...Novell and Sun are 7 digit figure products on
a good day

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


 -Original Message-
 From: [EMAIL PROTECTED] [mailto:ActiveDir-
 [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
 Sent: Saturday, July 01, 2006 12:33 AM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 Yeah,
 
 until the price of MIIS [1] comes down from its stratospheric level,
 and until I can look customer in the eye and say "yes, you can use
 mySQL or such", I won't touch MIIS with a long pole.
 
 [1]Yes yes, MIIS is just one of many provisioning solutions. I've seen
 a few, and the engineering that goes into making them work at all is so
 intensive that I don't like to offer them as "solutions".
 
 
 
 
 
 
 Sincerely,
_
   (, /  |  /)   /) /)
 /---| (/_  __   ___// _   //  _
  ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
 (_/ /)
(/
 Microsoft MVP - Directory Services
 www.readymaids.com http://www.readymaids.com  - we know IT
 www.akomolafe.com http://www.akomolafe.com -5.75, -3.23 Do you now
 realize that Today is the Tomorrow you were worried about Yesterday? -
 anon
 
 
 
 From: [EMAIL PROTECTED] on behalf of joe
 Sent: Fri 6/30/2006 1:28 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Schema Question
 
 
 You mean as in copying in ADUC... What are you crazy?? Provisioning is
 the new cool key word Deji. ;)
 
 --
 O'Reilly Active Directory Third Editio

RE: [ActiveDir] Schema Question

2006-07-01 Thread Brian Desmond








I'm not convinced you need a DBA to deal with the MSSQL backend.
MS publishes a nice MIIS DB document that details all the switches you might
want to flip and the dials to turn. Beyond that, I don't think it's any
different than knowing how to use esentutl





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of joe
Sent: Saturday, July 01, 2006 7:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question







Anything above a few hundred and using ADUC I expect is more
expensive and error prone than using some form of provisioning automation, and
note, I am not saying MIIS as the provisioning tool. I am just saying there
needs to be some form of provisioning automation even if it is scripts fired by
the admin. At the widget factory initially delegated admin IDs all had to be
handled by the DAs, that was only a couple of thousand IDs and that immediately
got handled by scripts. That made creation of an admin ID take all of about 2-3
seconds and a password reset took that much or less. You won't even see the
ADUC GUI in that time frame and the chances of mistakes are far greater.

Some people may not like to think that their job function could be
replaced by a script or program but it is the truth[1] and in any environment,
the people costs are truly the higher ones. Both from straight monetary costs
but also mistakes, etc. The main reason to add more people should normally be
for redundancy or flexibility in being able to do more different ad hoc
requests that come up. The basic administration of the environment should
mostly be automated and take at most one FT position watching over it to make
sure it is going smoothly. Flexibility and non-standard processes take people,
not day to day administration.

Again though, with the SQL requirement in MIIS, I don't see it
reducing the people costs a lot unless you can dump quite a few admins due to
their jobs being primarily provisioning but you have to pick someone up who
knows MIIS and SQL Server well to cover the bad times with MIIS. Again, if that
were an ESE engine under it, you wouldn't need a DB person around to make it
work. I think MSFT is being quite asinine with MIIS until they remove the SQL
requirement. But then that is nothing new, I have been saying that since day 1
of MIIS and that spawned the little "debate" at the MVP summit
concerning its use when we were in Developer day.

 joe

[1] In general, any position that is about following a documented
process and entering commands into the computer can almost certainly be filled
by a well written script/tool.









--

O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

















From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Saturday, July 01, 2006 3:12 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question





Being the cheapest doesn't make it cheap, Brian. It's all
relative. Let me see you sell MIIS to a sub-5000-user environment. I've yet to
see a successful MIIS implementation that cost less than 6 figures. That
is an amount that I call "stratospheric", and would never recommend
in response to questions similar to the one posted by the OP.


















Sincerely, 

Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

















From: Brian Desmond
Sent: Fri 6/30/2006 11:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question



MIIS is about the Cheapest commercial one from the major directory
vendors I've come across...Novell and Sun are 7 digit figure products on
a good day

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

RE: [ActiveDir] Schema Question

2006-06-30 Thread Brian Desmond








No. Your provisioning system (e.g. MIIS, etc) should be doing
this. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin
(ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question







All,



Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

Is it possible to modify the schema so that every time a new user is created (via
ADUC) an extension attribute is populated with a default value? Our Exchange
guys would like extensionAttribute5 to be populated automatically with 100,
which is the default mailbox size. Is this possible? It seems like it would be,
but as I warned, I'm a newb.



Thanks,



Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573




 
  
  
  
  ITS ENTERPRISE SERVICES EMAIL NOTICE
  
  The information contained in this email and any attachments is confidential
  and may be subject to copyright or other intellectual property protection. If
  you are not the intended recipient, you are not authorized to use or disclose
  this information, and we request that you notify us by reply mail or
  telephone and delete the original message from your mail system.
  
 











RE: [ActiveDir] Schema Question

2006-06-30 Thread Guy Teverovsky








Isn't it something that Exchange System
Policies are supposed to take care of ?

Why would you want to set mailbox quotas
for each and every user account instead of setting the defaults on the stores and
overriding only when necessary ?



Guy











From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question





All,



Let me start with, I'm a total newb when it comes to
Schema and Schema modifications.

Is it possible to modify the schema so that every time a new
user is created (via ADUC) an extension attribute is populated with a default
value? Our Exchange guys would like extensionAttribute5 to be populated
automatically with 100, which is the default mailbox size. Is this possible? It
seems like it would be, but as I warned, I'm a newb.



Thanks,



Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573












RE: [ActiveDir] Schema Question

2006-06-30 Thread Coleman, Hunter



I'm wondering why you would want to do that. You can tell 
if a person is using the defaults by checking mDBUseDefaults, and if she is not 
you can pull actual limits from mDBStorageQuota, mDBOverQuotaLimit, and 
mDBOverHardQuotaLimit.

Hunter


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question


All,

Let me start with, I'm a total newb
when it comes to Schema and Schema modifications.

Is it possible to modify the schema
so that every time a new user is created (via ADUC) an extension attribute is
populated with a default value? Our Exchange guys would like extensionAttribute5
to be populated automatically with 100, which is the default mailbox size. Is
this possible? It seems like it would be, but as I warned, I'm a newb.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: 
(615) 880-2573
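The check Hunter describes in the message above, as an added example that is not part of the thread: it reads an LDIF export and reports, per user, whether mDBUseDefaults is set and which per-user limits apply when it is not. The LDIF sample and the account names are constructed; extensionAttribute5 appears in the sample only to show that it plays no part in the result.

```python
import base64

# Per-user quota attributes named in the message above; values are in KB.
QUOTA_ATTRS = ("mDBStorageQuota", "mDBOverQuotaLimit", "mDBOverHardQuotaLimit")

# Constructed sample in LDIF export form (not real directory data).
SAMPLE_LDIF = """\
dn: CN=Jane Doe,OU=Staff,DC=example,DC=com
sAMAccountName: jdoe
mDBUseDefaults: TRUE

dn: CN=Bob Smith,OU=Staff,DC=example,DC=com
sAMAccountName: bsmith
mDBUseDefaults: FALSE
mDBStorageQuota: 90000
mDBOverQuotaLimit: 100000
mDBOverHardQuotaLimit: 120000

dn: CN=Mia Muller,OU=Staff,DC=example,DC=com
sAMAccountName: mmuller
sn:: TcO8bGxlcg==
mDBUseDefaults: FALSE

dn: CN=Service Mailbox,OU=Service Accounts,
 DC=example,DC=com
sAMAccountName: svcmail
extensionAttribute5: 100
"""


def parse_ldif(text):
    """Parse LDIF into a list of {lowercased attribute: [values]} dicts."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical and logical[-1]:
            logical[-1] += raw[1:]          # folded line: continuation of the previous one
        else:
            logical.append(raw)
    records, current = [], {}
    for line in logical + [""]:             # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, rest = line.partition(":")
        if rest.startswith(":"):            # "attr:: <base64>" carries a non-ASCII or unsafe value
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        current.setdefault(attr.lower(), []).append(value)
    return records


def quota_status(record):
    """Classify one user record by mDBUseDefaults and collect per-user limits."""
    flag = record.get("mdbusedefaults", [None])[0]
    limits = {name: int(record[name.lower()][0])
              for name in QUOTA_ATTRS if name.lower() in record}
    if flag is None:
        return {"mode": "unknown", "limits_kb": {}}          # attribute not present
    if flag.upper() == "TRUE":
        return {"mode": "store-defaults", "limits_kb": {}}   # limits come from the store
    if limits:
        return {"mode": "per-user", "limits_kb": limits}
    return {"mode": "per-user-no-limits", "limits_kb": {}}   # defaults off, nothing set


def quota_report(ldif_text):
    """Return one status entry per directory object found in the LDIF text."""
    report = []
    for record in parse_ldif(ldif_text):
        if "dn" not in record:
            continue
        entry = quota_status(record)
        entry["user"] = record.get("samaccountname", record["dn"])[0]
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in quota_report(SAMPLE_LDIF):
        print(entry["user"], entry["mode"], entry["limits_kb"])
```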


  
  


Re: [ActiveDir] Schema Question

2006-06-30 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
SBS where we don't have a MIIS system, Exchange can be set for a 
standard storage limit.


HOW TO: Configure Storage Limits on Mailboxes in Exchange 2000:
http://support.microsoft.com/default.aspx?scid=kb;en-us;319583


Issue warning at KB
Prohibit send at KB
Prohibit send and receive at KB



Brian Desmond wrote:


*No. Your provisioning system (e.g. MIIS, etc) should be doing this. *

* *

*Thanks,*

*Brian Desmond*

[EMAIL PROTECTED]

* *

*c - 312.731.3132*

* *

*From:* [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] *On Behalf Of *Clay, 
Justin (ITS)

*Sent:* Friday, June 30, 2006 12:38 PM
*To:* ActiveDir@mail.activedir.org
*Subject:* [ActiveDir] Schema Question

All,

Let me start with, I’m a total newb when it comes to Schema and Schema 
modifications.


Is it possible to modify the schema so that every time a new user is 
created (via ADUC) an extension attribute is populated with a default 
value? Our Exchange guys would like extensionAttribute5 to be 
populated automatically with 100, which is the default mailbox size. 
Is this possible? It seems like it would be, but as I warned, I’m a newb.


Thanks,

/Justin Clay/
/ITS Enterprise Services/
/Metropolitan Government of Nashville and Davidson County/
/Howard School Building/
/Phone: (615) 880-2573/







--
Letting your vendors set your risk analysis these days?  
http://www.threatcode.com


If you are a SBSer and you don't subscribe to the SBS Blog... man ... I will 
hunt you down...
http://blogs.technet.com/sbs

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


RE: [ActiveDir] Schema Question

2006-06-30 Thread Brian Desmond








And anyway you should be putting quotas either in a recipient
policy or manually on the attributes that control them





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132











From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question







No. Your provisioning system (e.g. MIIS, etc) should be doing
this. 





Thanks,

Brian Desmond

[EMAIL PROTECTED]



c - 312.731.3132









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question







All,



Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

Is it possible to modify the schema so that every time a new user is created (via
ADUC) an extension attribute is populated with a default value? Our Exchange
guys would like extensionAttribute5 to be populated automatically with 100,
which is the default mailbox size. Is this possible? It seems like it would be,
but as I warned, I'm a newb.



Thanks,



Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573




 
  
  
  
  
 













RE: [ActiveDir] Schema Question

2006-06-30 Thread Deji Akomolafe



Listen to what they say

But if you really have to set attributes, consider using user templates and populating the relevant settings that you need. Then do your user account creation using the templates.



Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


And anyway you should be putting quotas either in a recipient policy or manually on the attributes that control them


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

No. Your provisioning system (e.g. MIIS, etc) should be doing this.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

All,

Let me start with, I'm a total newb when it comes to Schema and Schema modifications.

Is it possible to modify the schema so that every time a new user is created (via ADUC) an extension attribute is populated with a default value? Our Exchange guys would like extensionAttribute5 to be populated automatically with 100, which is the default mailbox size. Is this possible? It seems like it would be, but as I warned, I'm a newb.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573



RE: [ActiveDir] Schema Question

2006-06-30 Thread joe



Err no.

The schema doesn't allow you to specify data values including
default data values, it only allows you to specify datatype info such as single
versus multivalues, syntax of the data (DN, string, number, 64 bit int, etc),
linkages, MAPI info, etc.

I would ask also why populate extensionAttribute5, it
doesn't do anything. Your quotas follow defaults (I believe, org, AG, Server,
SG, then DB defaults but I could be wrong[1]) unless you populate specific quota
attributes with values. Your systems should be configured such that by default
you don't have to set those attributes and the system defaults apply to a
majority of the users. Then you handle the ones that don't fit in a one off
manner. Of course there are folks out there that are all over the map on their
quotas but there are all sorts of people and they do all sorts of interesting
things.

 joe


[1] I don't rate this info any better than possibly 50% accurate +/- 16.23%. I
know you can at least do it at the Org level and I am pretty confident about
server level, it is the others that I am not real sure about. Note to anyone who
wants to respond and say the options aren't in the GUI... that doesn't
mean Exchange can't do it.


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question


All,

Let me start with, I'm a total newb
when it comes to Schema and Schema modifications.

Is it possible to modify the schema
so that every time a new user is created (via ADUC) an extension attribute is
populated with a default value? Our Exchange guys would like extensionAttribute5
to be populated automatically with 100, which is the default mailbox size. Is
this possible? It seems like it would be, but as I warned, I'm a newb.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573


RE: [ActiveDir] Schema Question

2006-06-30 Thread joe



You mean as in copying in ADUC... What are you crazy?? 
Provisioning is the new cool key word Deji. ;)


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


Listen to what they say

But if you really have to set attributes,
consider using user templates and populating the relevant settings that you
need. Then do your user account creation using the templates.


Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon


From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


And anyway you should be putting quotas either in a recipient policy or manually on
the attributes that control them


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

No. Your provisioning system (e.g. MIIS, etc) should be doing this.


Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

All,

Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

Is it possible to modify the schema so that every time a new user is created
(via ADUC) an extension attribute is populated with a default value? Our
Exchange guys would like extensionAttribute5 to be populated automatically with
100, which is the default mailbox size. Is this possible? It seems like it would
be, but as I warned, I'm a newb.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573



Re: [ActiveDir] Schema Question

2006-06-30 Thread Matt Hargraves
All I can think of when thinking of hardcoding mailbox limits in AD is "Do you want to undo this when more storage becomes available?" In other words, do you want to go through every single user in your environment (55k in mine) and modify that advanced attribute? Sure, I can build a vbscript to do it, but it just sounds like a huge pain in the rear. Use Exchange Administrator... you'll be much happier in the end.



RE: [ActiveDir] Schema Question

2006-06-30 Thread Brian Desmond








System policies are granular to the mailstore level

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Friday, June 30, 2006 3:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question







Err no.

The schema doesn't allow you to specify data values including default
data values, it only allows you to specify datatype info such as single versus
multivalues, syntax of the data (DN, string, number, 64 bit int, etc),
linkages, MAPI info, etc.

I would ask also why populate extensionAttribute5, it doesn't do
anything. Your quotas follow defaults (I believe, org, AG, Server, SG, then DB
defaults but I could be wrong[1]) unless you populate specific quota attributes
with values. Your systems should be configured such that by default you don't
have to set those attributes and the system defaults apply to a majority of the
users. Then you handle the ones that don't fit in a one off manner. Of course
there are folks out there that are all over the map on their quotas but there
are all sorts of people and they do all sorts of interesting things.

 joe

[1] I don't rate this info any better than possibly 50% accurate
+/- 16.23%. I know you can at least do it at the Org level and I am pretty
confident about server level, it is the others that I am not real sure about.
Note to anyone who wants to respond and say the options aren't in the GUI...
that doesn't mean Exchange can't do it.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 1:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

All,

Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

Is it possible to modify the schema so that every time a new user is created (via
ADUC) an extension attribute is populated with a default value? Our Exchange
guys would like extensionAttribute5 to be populated automatically with 100,
which is the default mailbox size. Is this possible? It seems like it would be,
but as I warned, I'm a newb.

Thanks,

Justin Clay
ITS Enterprise Services
Metropolitan Government of Nashville and Davidson County
Howard School Building
Phone: (615) 880-2573



 
  
  
  

RE: [ActiveDir] Schema Question

2006-06-30 Thread deji
Yeah,
 
until the price of MIIS [1] comes down from its stratospheric level, and
until I can look customer in the eye and say yes, you can use mySQL or
such, I won't touch MIIS with a long pole.
 
[1] Yes yes, MIIS is just one of many provisioning solutions. I've seen a few,
and the engineering that goes into making them work at all is so intensive
that I don't like to offer them as solutions.

 

 


Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: [EMAIL PROTECTED] on behalf of joe
Sent: Fri 6/30/2006 1:28 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


You mean as in copying in ADUC... What are you crazy?? Provisioning is the
new cool key word Deji. ;)
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

 
 



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Deji Akomolafe
Sent: Friday, June 30, 2006 3:11 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question


Listen to what they say
 
But if you really have to set attributes, consider using user templates and
populating the relevant settings that you need. Then do your user account
creation using the templates.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
-5.75, -3.23
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon



From: Brian Desmond
Sent: Fri 6/30/2006 10:58 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question



And anyway you should be putting quotas either in a recipient policy or
manually on the attributes that control them...

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Friday, June 30, 2006 12:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Schema Question

 

No. Your provisioning system (e.g. MIIS, etc) should be doing this. 

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Clay, Justin (ITS)
Sent: Friday, June 30, 2006 12:38 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Schema Question

 

All,

 

Let me start with, I'm a total newb when it comes to Schema and Schema
modifications.

 

Is it possible to modify the schema so that every time a new user is created
(via ADUC) an extension attribute is populated with a default value? Our
Exchange guys would like extensionAttribute5 to be populated automatically
with 100, which is the default mailbox size. Is this possible? It seems like
it would be, but as I warned, I'm a newb.

 

Thanks,

 

Justin Clay
ITS Enterprise Services 
Metropolitan Government of Nashville and Davidson County 
Howard School Building 
Phone: (615) 880-2573

 




 

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx