|
I am
in 14 right now actually. Last one thank the lord, it has been a long couple of
weeks lately. We got smacked by the stupid MUMU worm and it was kind of a pain
in the ass. I put in a good 30-40 hours Sat 2AM-Mon 4AM all by itself. The
weekend before we had a schema update which had me in nursing the replication
for the whole weekend, didn't think Singapore would ever come back to the light.
LOL on
the security guide and the reviewing. Hey on another MS topic have you seen an
AD FAQ out on MS site at all yet? I was working with Levon et al on it and
haven't heard anything for a while and when I went and peeked around I didn't
see anything but I admit to probably looking in the wrong spots.
msExchSecurityDescriptor is nothing really. Basically it is only really
used prior to a mailbox being created. What I mean by that is that if you ever
set that value and the store has already allocated for the user (they opened the
mailbox or got mail) the value you set will get smacked when the store realizes
it. If you set it prior to the store allocating the user the perms will go onto
the user, but won't necessarily be the only perms depending on inheritence set
up on the store. Also you can read that descriptor and be sure that the perms it
lists are what are in the store, again because of inheritence. So basically it
is a waste of space for setting security and a waste of space for reading it.
Only real way is through cdoexm calls layered on the normal ADSI stuff. I think
it was called the mailboxrights attrib. That will figure out where to go change
the perms, either in AD prior to the allocation or to the store afterward.
Also
fighting with the whole disconnected mailbox thing, if MCS can't get an answer
out of the Dev group pretty soon I am just going to escalate full tilt like you
guys were recommending. Our main security manager got called out to Redmond for
a one day committee meeting, we asked that he mention it to the guys sitting in
the room with him to get them to ask their subordinates to give it a little
attention but not sure if he did. Some of our email dev folks were at teched
last week and they kept getting the response of upgrade to 2k3 which is a stupid
response, it isn't out yet, fix your shit. This is supposed to be enterprise
class, expose the api's so we can handle what you didn't think
to.
I love
Laura, she totally rocks. I had a few small tiffs with her in the newsgroups way
back when but once I met her and listened to her for 5 minutes decided right
away she is my kind of people and quite fun to look at, especially when she is
asked a question she isn't quite sure on as she screws up her face to
answer, and then starts to talk then screws up her face again. I hope to cross
paths with her again somewhere but for a longer period. I finally met her when I
was out in Redmond for the 2k3 RAP last September. You just want to say to her,
lets go grab a case of beer and start arguing opinions because you know there is
going to be some seriously good fighting. :o)
joe
I've
got about 5 more to go (including the Appendix) but I just got Chp 14 today -
and it's right in my Wheelhouse. Sec and Auth - so I've got to spend a
bit of extra time there and add some value.... Got a bit sidetracked by
an MS Security Guide.... I'll have to tell you the whole story on this one
sometime. I may not be doing review work on MS documents any tme
soon. Waste of 5 days for nothing at all. I'm sure that the paper
will be fine, but quite a bit of a disappointment for the work that I put into
it.
E2K....goodness, here we go again. Now I'm intrigued..... "the
dirty secret about msExchSecurityDescriptor". What did you learn that
caused this kind of turmoil in Blue Oval-ville? I do like the
inefficient query logging thing. I'm looking for a reason to piss off my
Exchange admins - I just have to wait for it to happen. I now have the
punishment..... >:->
Oh,
how I wish Laura - and all of her vicious 'don't like it my way? Tough -
eat $%)@!' would hang around here now and again. Yeah, she'd spice
things up! Hehe..... Finally met her face to face in San Francisco
at the Launch. She's more fun in person!
Thomas I haven't seen here. Dean, for a while, but he's doing the
whole "Teach PSS Windows 2K3", and is constantly on the road. Abell I
can't get involved in anything. He's quite the character, and very set
in his ways, Ace, sadly - no. Jimmy shows up when he's not
busy. He's doing much the same as Dean, but in the
EU.
-rtk
Well that sucks about Gil, I'll have to see if I can
start some down and dirty threads to pull him out of the
corner.
I
owe Richard a note, don't let him know I am here... shhhh... <peers
about>
I
read like 6 last night, 2 more tonight and my part will be done and Robbie
should be cool. Now I get to focus full time on trying to dress
that E2K pig up and making it dance and pretend to be a scaleable
properly manageable mail system. I just learned the dirty secret about
msExchSecurityDescriptor this afternoon and stomped out of the lab in disgust,
not even sure why they used the attribute at all. Either do it in the store or
do it in the directory, one or the other, JUMP! Reminds me of the parable of
the grape who couldn't figure out which side of the road was better and
squish. Because of that and I think for fun and to egg on the Premier guys
this week I am going to turn on inefficient query logging on the Exchange lab
DC's to see how funny it is. ;oP
We
have indexed objectclass now so that should help it out quite a bit.
Definitely helped out with some of the other poorly written apps running
around that were experiencing time outs. We were told we could probably
expect a 25-30%+ DIT size growth doing that, it was a tiny growth, indexed a
whole bunch of other attributes as well and our GC DIT only grew by like
100-150MB which is a drop in the bucket to the 6GB GC DIT.
Ah,
I need to get back into Word. Though before I go does Laura hang out here as
well? How about Dean/Roger/Ace/Jimmy/Thomas and the rest of the
troublemakers?
Sadly, Gil has not been spending as much time here as he has in the
past. Not sure why. He does post now and then - especially when
the replication or lower level programming talk gets
deep.
Robbie Allen and Richard Puckett have been fairly visible - Richard,
I can't say why he hasn't been here. Robbie, though - I can speak
for. I KNOW what he's doing.... :-) He'll be free(er)
shortly......
-rtk
It will definitely be fun. I personally am waiting for
a Gil Kirkpatrick siting, I hear he wanders these halls.... ADFIND
(and every other LDAP joeware tool) wouldn't exist except for Gil and
his book and that would be a sad thing for me because I love those
tools.
joe
Yeah! LOL! That's waaaaaay too
good.
Glad you could make it. You will certainly be a worthy
addition to the characters that wander in here.....
-rtk
Everyone kept saying, join activedir join activedir,
so I stumbled in fashionably late and three sheets to the wind... The only
way to make an entrance. ;o)
So where were we, I believe we were discussing slapping MIT
Kerberos and OpenLDAP on a Linux box and calling it OverActive Directory?
Mr. Richards..... welcome to the party.
;-)
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP -
Active Directory
Associate Expert
Expert Zone -
www.microsoft.com/windowsxp/expertzone
I agree with Rick completely. I work for a very
large organization and policy is policy. Not only will we not let you
put them into our Active Directory, I have a script that will find them
and throw the machine objects into an Enterprise Admin Access only OU
and disable and smack the ACL of the offending object if you someone
sneak one in. So not only do they not get to use the server anymore,
they can't even use that server name again. We catch more than a couple
of occurrances of this and we take away their ability to add anything
and let their managers know that we did it and why.
While I understand why people want to put them in (I in fact want
to as well), we want a centralized controlled IT structure and the best
way to maintain or reduce costs is to have a handle on what is in
production. We do not have an official company load for W2K3 yet with
all of the certified drivers and antivirus software so we don't want
anyone deploying anything on it because anything they deploy we know
will have to be revisited and is a possible breeding ground of viri,
worm's, and support issues with no escalation paths.
Tough love I guess.
joe
Justifying it technically is going to be a problem, as there
are no real 'downfalls'.
However - if they don't want them - stick to your guns.
Policy says NO. If there are any questions, refer to latter
statement.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP -
Active Directory
Associate Expert
Expert Zone -
www.microsoft.com/windowsxp/expertzone
Has
anyone come across any problems with installing the new windows 2003
servers to the Windows 2000 site.
Running
W2K with SP3 and Exchange 2000 all in native modes. Our company is having a storm
of interns coming in and wanting to run projects on a W2k3 server.
Other than it is against
company policy not to allow users to install servers, or even there
own systems. Management is trying to come up
with some negatives to this, other than just saying it is against
company policy.
Ron
Pennell
[EMAIL PROTECTED]
|
