Are you going to be upgrading an existing Exchange
organization? If so, what are you planning to do with all of the UDGs/USGs that
the ADC wants to create?
Hunter
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group
What
do you mean by "I just can't imagine all of the explicit grants."? Is this
an Exchange reference. If so, block out Exchange, they didn't know what they
were doing when they wrote that application. Bad bad example of an AD
application. We may actually have to cave and create a couple of mail enabled
Uni groups for some stupid security stuff in Exchange. We asked why we can't use
DLG's and they said you just can't (I love those technical explanations out of
the Exchange Support and Dev groups). Then at one point a mistake was made and
it was said that Globals would probably work which meant that DLG's would work
as well and smashed their argument for Uni's at which point I attacked and then
they recanted and it was no no no only Uni's will work. Problem is, I don't
think there are many people if any that understand that
P.O.S..
As for
the chasing perms. If you use all DLG's you know that all NT Native
Security uses of the group are within the one domain (you can do some tricks if
you have your own security system). So if you have say the whole world and you
get asked by a the security group where could this group have permissions at you
can say, only on machines within this domain versus, well any machine in any of
these 9 domains (meaning hundreds of thousands of machines).
With
W2K3 we will probably end up looking at Uni's again because at least the
replication piece is better but I really do not see the purpose in replicating
member information for a group that is used in one site in say Arizona to the
entire world. Also if you have tens of thousands of groups like we do and those
groups see lots and lots of daily membership changes which they do (one site I
talked to processed at least 1500 individual group changes a normal business
day) that is a lot of replication of a lot of data that doesn't need to be used
anywhere but in one site.
Also
when I mention the denys it is only on AD (excluding the Exchange container in
the config partition) that I am speaking for because I am the one that controls
that security. File systems and other ACL's on resources directly can be set
with anything the local person in charge wants to do. If they call me asking me
for help though the first thing I do is ixnay on the deny's if they are doing it
for silly reasons. Most people tend to hurt themselves more than help themselves
with deny's. An deny's in AD are not fun to work through. Also misordered ACL's
with denies is fun too... No one would do that on purpose would they... oh
wait...
joe
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 17, 2003 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin groupHmmm. Well, I guess whatever works for you. I just know that I have a heck of a time with UPN resolution taking a long time with our IOCs - yes, some are in their own forest with Trusts. But, I just can't imagine all of the explicit grants. Maybe I'm just a bit backward but I haven't really found it all that tough to track any one user's permission and membership trail to the point were I wouldn't want a Global group managing the cross domain 'collection' of users.And, the only denies that I have are on IIS servers. I don't know of another deny in our entire structure. But, then - you're dealing with something that, as I remember - is about 7 times as large as mine.But, then, I am the guy who forgot that DC Administrators group and a member server local Administrators group weren't actually the same thing. So, what do I know.... ;-)Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Sunday, August 17, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin groupWe like to limit the security scope of the groups. Very difficult to chase permissions across the world when someone asks, what does this group have access to? At the worst, the permissions can only be applied within a specific geographic region or at least the machines that are part of it. Additionally, DLG's can take members from all domains and we don't have to have two or more groups for every resource being tied down (i.e. no user-global-local-permission nesting). People can do as much DLG nesting as they feel they may want to do which is ok. Resolution of the groups is easy as you don't have to have DC's chasing over to other Domain's DC's for the resolution.All of our permissions on the directory are grant perms with passive denies and most of that delegation is within the default partitions so it all works well. I HATE active denies, troubleshooting is a nightmare when you have to chase through that.Exchange has been a bit of a challenge since the E2K Dev guys figured AD was specifically built for them and so they just figured anything they thought was good for Exchange was good for an entire company but I will let you know how we fair with that in the end and they figured they should just put everything important to them in the config container. Personally I think that MS has to treat Exchange like a foreign app that they purchased and do the whole rewrite from the ground up strategy but this time use people who actually understand the directory they are trying to tie into. Also this time make heavy use of AD/AM, no point in all of that data being sent over an entire company when they use a centralized Exchange architecture.-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 10:59 PM
To: AD mailing list (Send)
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group"Put down the beer Rick", come now - Rick is far too sophisticated to be drinking beer ... "Put down the Beaujolais" seems more apt (actually, with all that crap said ... I know for a fact he drinks beer ... the phrase like a fish actually springs to mind) - just teasing Rick!Joe,I was wondering why you choose to use mostly DLGs and if you've encountered any behavioral oddities when using them to assign permission to the directory itself.Dean--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin groupPut down the beer Rick...DC's have the local groups, especially administrators. If you didn't block you would get the specialgroup in your Domain Controllers administrators group. I have tens of thousands of local groups on my domains. We don't use Global/Universal except builting, everything else is DLG.joe-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, August 16, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin groupDeji,Good example - I like it, but I'm curious on one thing. You state that you block it at Domain Controllers. I'm not sure why, as DCs have no local groups.If you're just being specifically cautious, great. Me, I don't see the need to block it at the DC OU as it won't affect anything.Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 1:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin groupThis is what I have in a batch file:net localgroup administrators
if NOT %errorlevel%==0 GOTO :GERMANnet localgroup administrators /add myDomain\specialGroup
GOTO :END:GERMAN
net localgroup administratoren /add cmyDomain\specialGroup
:ENDI then add the batch file to a Machine Startup GPO at the Domain Level, blocking it at the Domain Controllers.HTHSincerely,
D�j� Ak�m�l�f�, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon
From: [EMAIL PROTECTED] on behalf of Narkinsky, Brian
Sent: Fri 8/15/2003 7:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Add junior admin to Local workstations admin group
I need to add two users to the local administrators group of every machine in
an OU.
I've looked at restricted groups GPO but, this doesn't really seem to do what
I want. I don't need to restrict just add.
I am also looking at writing a script to run at boot ,but again not sure
there isn't an easier way.
Any Ideas?
Brian Narkinsky
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
