Late to the party as usual. Since Joe has taken care of this for me, am I
still entitled to my "beer" or "red wine"? :)
 
 
Sincerely,

Deji Akomolafe, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Rick Kingslan
Sent: Sun 8/17/2003 8:42 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


Hmmm.  Well, I guess whatever works for you.  I just know that I have a heck
of a time with UPN resolution taking a long time with our IOCs - yes, some
are in their own forest with Trusts.  But, I just can't imagine all of the
explicit grants.  Maybe I'm just a bit backward, but I haven't really found it
all that tough to track any one user's permission and membership trail to the
point where I wouldn't want a Global group managing the cross-domain
'collection' of users.
 
And, the only denies that I have are on IIS servers.  I don't know of another
deny in our entire structure.  But, then - you're dealing with something
that, as I remember - is about 7 times as large as mine.
 
But, then, I am the guy who forgot that DC Administrators group and a member
server local Administrators group weren't actually the same thing.  So, what
do I know....  ;-)
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  


________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Sunday, August 17, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group


We like to limit the security scope of the groups. Very difficult to chase
permissions across the world when someone asks, what does this group have
access to? At the worst, the permissions can only be applied within a
specific geographic region or at least the machines that are part of it.
Additionally, DLG's can take members from all domains and we don't have to
have two or more groups for every resource being tied down (i.e. no
user-global-local-permission nesting). People can do as much DLG nesting as
they feel they may want to do which is ok. Resolution of the groups is easy
as you don't have to have DC's chasing over to other Domain's DC's for the
resolution. 
 
All of our permissions on the directory are grant perms with passive denies,
and most of that delegation is within the default partitions, so it all works
well. I HATE active denies; troubleshooting is a nightmare when you have to
chase through that.
 
Exchange has been a bit of a challenge, since the E2K Dev guys figured AD was
specifically built for them, and so they just figured anything they thought
was good for Exchange was good for an entire company (and they figured they
should just put everything important to them in the config container), but I
will let you know how we fare with that in the end. Personally, I think that
MS has to treat Exchange like a foreign app that they purchased and do the
whole rewrite-from-the-ground-up strategy, but this time use people who
actually understand the directory they are trying to tie into. Also, this time
make heavy use of AD/AM; no point in all of that data being sent over an
entire company when they use a centralized Exchange architecture.
 
 

        -----Original Message-----
        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] 
        Sent: Saturday, August 16, 2003 10:59 PM
        To: AD mailing list (Send)
        Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
        
        
        "Put down the beer Rick", come now - Rick is far too sophisticated to
be drinking beer ... "Put down the Beaujolais" seems more apt (actually, with
all that crap said ... I know for a fact he drinks beer ... the phrase like a
fish actually springs to mind) - just teasing Rick!
         
        Joe,
         
        I was wondering why you chose to use mostly DLGs and if you've
encountered any behavioral oddities when using them to assign permissions to
the directory itself.
         
        Dean

        -- 
        Dean Wells 
        MSEtechnology 
        * Email: [EMAIL PROTECTED] 
        http://msetechnology.com <http://msetechnology.com/>  

                -----Original Message-----
                From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
                Sent: Sunday, August 17, 2003 10:46 AM
                To: [EMAIL PROTECTED]
                Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
                
                
                Put down the beer Rick...
                 
                DC's have the local groups, especially Administrators.  If
you didn't block, you would get the specialGroup in your Domain Controllers'
Administrators group. I have tens of thousands of local groups on my domains.
We don't use Global/Universal except built-in; everything else is DLG.
                 
                   joe
                 

                        -----Original Message-----
                        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
                        Sent: Saturday, August 16, 2003 10:36 AM
                        To: [EMAIL PROTECTED]
                        Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
                        
                        
                        Deji,
                         
                        Good example - I like it, but I'm curious on one
thing.  You state that you block it at Domain Controllers.  I'm not sure why,
as DCs have no local groups.
                         
                        If you're just being specifically cautious, great.
Me, I don't see the need to block it at the DC OU as it won't affect
anything.
                         
                        Rick Kingslan  MCSE, MCSA, MCT
                        Microsoft MVP - Active Directory
                        Associate Expert
                        Expert Zone - www.microsoft.com/windowsxp/expertzone
                          


________________________________

                        From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
                        Sent: Saturday, August 16, 2003 1:15 AM
                        To: [EMAIL PROTECTED]
                        Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
                        
                        
                        This is what I have in a batch file:
                        rem Probe for the English group name; "net localgroup" returns non-zero if it does not exist
                        net localgroup administrators
                        if NOT %errorlevel%==0 GOTO :GERMAN
                        net localgroup administrators /add myDomain\specialGroup
                        GOTO :END
                        :GERMAN
                        rem German Windows names the built-in group "Administratoren"
                        net localgroup administratoren /add myDomain\specialGroup
                        :END
                         
                        I then add the batch file to a Machine Startup GPO at
the Domain Level, blocking it at the Domain Controllers.
                         
                        HTH
                         
                        
                         
                        Sincerely,
                        
                        Deji Akomolafe, MCSE MCSA MCP+I
                        www.akomolafe.com
                        www.iyaburo.com
                        Do you now realize that Today is the Tomorrow you
were worried about Yesterday?  -anon
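An added PowerShell equivalent of the startup script above (my own example, not Deji's script or anything from the list): it targets the local Administrators group by its well-known SID, so the English/German name branch is unnecessary, and it checks membership first so the script can run at every boot without erroring on "already a member". The group name myDomain\specialGroup is the thread's placeholder; the LocalAccounts cmdlets it uses ship with Windows PowerShell 5.1 and later.

```powershell
# Added example: idempotent startup script that adds a domain group to the
# local Administrators group. Uses the well-known SID S-1-5-32-544, which is
# BUILTIN\Administrators on every Windows install regardless of UI language,
# so no per-language group name ("administrators" / "administratoren") is needed.
# Assumption: 'myDomain\specialGroup' is the placeholder group from the thread.

$Member    = 'myDomain\specialGroup'
$AdminsSid = 'S-1-5-32-544'

# Resolve the group once; $admins.Name is the localized display name, for logging only.
$admins = Get-LocalGroup -SID $AdminsSid

# Enumerate current members. -ErrorAction SilentlyContinue keeps an orphaned
# (unresolvable) SID in the group from aborting the whole script.
$already = Get-LocalGroupMember -SID $AdminsSid -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -ieq $Member }

if ($already) {
    Write-Output "$Member is already a member of $($admins.Name); nothing to do."
}
else {
    try {
        Add-LocalGroupMember -SID $AdminsSid -Member $Member -ErrorAction Stop
        Write-Output "Added $Member to $($admins.Name)."
    }
    catch {
        # Typical causes: the domain is unreachable at boot, or the group name is wrong.
        Write-Error "Failed to add $Member to $($admins.Name): $($_.Exception.Message)"
        exit 1
    }
}
```

Because the script only ever adds one explicit group, auditing who holds local admin on a workstation stays a matter of checking that one group's membership in AD, which is the "limit the security scope" point Joe makes further up the thread.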

________________________________

                        From: [EMAIL PROTECTED] on behalf of
Narkinsky, Brian
                        Sent: Fri 8/15/2003 7:33 AM
                        To: [EMAIL PROTECTED]
                        Subject: [ActiveDir] Add junior admin to Local workstations admin group
                        
                        


                        I need to add two users to the local administrators
group of every machine in an OU.
                        
                        I've looked at the restricted groups GPO, but this
doesn't really seem to do what I want.  I don't need to restrict, just add.
                        
                        I am also looking at writing a script to run at boot,
but again I'm not sure there isn't an easier way.
                        
                        Any ideas?
                        
                        Brian Narkinsky
                        
                        
                        
                        List info   : http://www.activedir.org/mail_list.htm
                        List FAQ    : http://www.activedir.org/list_faq.htm
                        List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/
                        
