Right there with you Rick... Unfortunately some of the things previously chosen will be difficult, I think, to dig themselves out of. Most notably around the perms and such. There are actually things they could do in the E2K product if they would just be willing to *officially support* deviations to the main product design that came out so long ago. Like for instance all of the crappy LDAP filters and the perms that are put down by default. I would like to change a lot of those perms and filters because I think they could work (better in all cases) in other ways but the instant I start to mention them PSS Alliance starts running around with their hands in the air saying "That isn't supported that isn't supported".
 
I do understand their point but, in my opinion, it comes down to not having a complete understanding of the product and how it works. Heck, if I had a product I only knew how to support when someone was doing exactly what the book says, I would be leery to let them deviate as well. Unfortunately the book wasn't written for any large company, so the chapters are still being written and the PSS guys aren't the authors.
 
Some of the things I have heard out of PSS Alliance Exchange to explain things have been bordering on insanely ludicrous, so I am now at a point where when I hear "that is unsupported" I laugh and say, what else is new? Many times when we have an issue it seems we dig ourselves out and then explain to MS how we did it; we actually prefer that our onsite Exchange PSS guy not be around when we are figuring problems out, as we move faster. We pull him in when we need something sent back inside to MS.
 
I think that they probably do very well with smaller cookie-cutter installations that do everything the MS way, but once you get into the custom-designed environments we might as well just have the QFE coders or Product Team with us, because that is where all the questions go anyway; only we usually have to wait until the local PSS or the Texas PSS guys feel it should go to QFE or Product Team.
 
We had another fun one this week. Originally it was said that the ADC install would need Ent Admin access ONLY for the first ADC install. Now we send some guys to England to set some stuff up and the day before they go the MCS guy comes to me and says.... hey I have some bad news. It seems the docs are wrong, we need Ent Admin access to install the ADC over in Europe...
 
Very frustrating.
 
Anyway, I think Exchange Servers and the other Exchange groups have far too many perms right off the bat from the forest and domain preps. Obviously the property set setup is completely cockeyed. Having to give the app Manage Replication Topology rights is a bit much, but that is partially the AD team's issue because of how they designed the perms for that, or at least exposed the perms for that. Because Exchange feels it OWNS the directory (heck, it came from Exchange so they should own it, huh?) they feel that it is fine that they get any and all perms into it and surrounding it. I don't think I have seen an LDAP query yet that I would consider good. Usually there is a caveat that it shouldn't have many records to choose from *most of the time*. All basic things that they should be able to tweak, whether prior to the forest prep or after; they are things that they could change and MS should be able to support if they had a stronger understanding of how it all worked within PSS.
 
I think one thing that might help with dev work around MS would be to take away admin rights from all of the developers. Make them work as non-admins and figure out how to do things when you aren't god on a system. I would expect their designs would change radically.
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 28, 2003 12:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Brian,
 
Thanks for this.  This is a step in the right direction.
 
And, to me at least, this proves that the Exchange architects and developers _ARE_ capable of learning and listening - I just question that they are really applying the effort in the right areas.  Until I see some real improvement in the ACE/ACL/Delegation methodology, I'm still really skeptical that they get it at all.
 
Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Narkinsky, Brian
Sent: Thursday, August 28, 2003 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Not an E2K answer, but in E2K3 there is a WMI method to do this.
 
http://msdn.microsoft.com/library/default.asp?url=
-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 8:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

We have MCS and MSPSS Alliance Premier. I realize we have a large, unusual, non-homogeneous environment, but we have encountered many who say it isn't a problem until they get into it and then realize the questions we ask aren't questions normally asked, and that we don't just give out tons of rights and permissions to anyone who needs it.
 
I guess one I'll ask you right off is how do you reconnect a mailbox that was disconnected w/o using the GUI? I.e. something scriptable in E2K. We have hundreds of thousands of users with mailboxes and many leave and come back and so forth. Any answer for any problem that involves the GUI is almost always immediately wrong. Yet there is very little documentation on how to do everything an E2K admin would have to do without using the GUIs to do it.
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, August 27, 2003 7:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

You're not looking under the right rocks for the Exchange talent then ;) There is a significant percentage of "Exchange admins" out there that don't understand it, but there are some really, really sharp ones who understand it quite well.
 
Roger
--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Hmmmm.... Not sure I can stand behind that *best* statement without listing caveats until next April. Also I can't seem to find many people who really understand it other than when to toss the chicken bones around which I don't consider truly understanding. Most of the responses we get when asking questions like WHY about Exchange are responses of JUST BECAUSE or BECAUSE PSS SAYS SO.
 
Personally I kind of liked MSDOS and the built in BASIC Interpreter - Go Bill!.   :op
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 11:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Scary part is that Exchange is still one of the best products Microsoft's ever put out. Just takes someone who really understands it to run it..
 
 

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Seems like someone should invent a lotion or something to help with Exchange... I mean, come on, we have lotions for poison ivy and rashes and other nasty annoyances...
 
Hello Dr... I have a really nasty case of Exchange 2K, it really itches, can you help me out here?
 
  :op
 
 
 -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 7:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

See, here's the part you don't get - I AM the Exchange admin.
 
I think the ratio was actually a bit higher - like 900 DL's to 1200 Users, or something close to that.
 
I'm still cleaning up that mess, and that was two Exchange orgs ago!
 

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Roger!
 
Hah!  Got you beat!  We've got exactly two Dist Groups PER USER!  And, 90% of them are Unis!  Our Exchange Admins are just THAT good!
 
(I finally outdid Roger on something!) 
 
Yes - this is completely all <tongue Firmly in Cheek>
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, August 25, 2003 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

You don't have Ex Dist Groups??
 
At one point I had 1 DL for every 1.25 users.
 
 

--------------------------------------------------------------
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups.
 
There seems to be one case that E5.5 does have them, and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.
 
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Are you going to be upgrading an existing Exchange organization? If so, what are you planning to do with all of the UDGs/USGs that the ADC wants to create?
 
Hunter


From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

What do you mean by "I just can't imagine all of the explicit grants."?  Is this an Exchange reference? If so, block out Exchange; they didn't know what they were doing when they wrote that application. Bad, bad example of an AD application. We may actually have to cave and create a couple of mail-enabled Uni groups for some stupid security stuff in Exchange. We asked why we can't use DLG's and they said you just can't (I love those technical explanations out of the Exchange Support and Dev groups). Then at one point a mistake was made and it was said that Globals would probably work, which meant that DLG's would work as well and smashed their argument for Uni's, at which point I attacked and then they recanted and it was no no no, only Uni's will work. Problem is, I don't think there are many people, if any, that understand that P.O.S.
 
As for the chasing perms: if you use all DLG's you know that all NT native security uses of the group are within the one domain (you can do some tricks if you have your own security system). So if you have, say, the whole world and you get asked by the security group where this group could have permissions, you can say "only on machines within this domain" versus "well, any machine in any of these 9 domains" (meaning hundreds of thousands of machines).
 
With W2K3 we will probably end up looking at Uni's again because at least the replication piece is better but I really do not see the purpose in replicating member information for a group that is used in one site in say Arizona to the entire world. Also if you have tens of thousands of groups like we do and those groups see lots and lots of daily membership changes which they do (one site I talked to processed at least 1500 individual group changes a normal business day) that is a lot of replication of a lot of data that doesn't need to be used anywhere but in one site.
 
Also, when I mention the denies it is only AD (excluding the Exchange container in the config partition) that I am speaking for, because I am the one that controls that security. File systems and other ACL's on resources directly can be set with anything the local person in charge wants to do. If they call me asking me for help, though, the first thing I do is ixnay on the denies if they are doing it for silly reasons. Most people tend to hurt themselves more than help themselves with denies. And denies in AD are not fun to work through. Also, misordered ACL's with denies is fun too... No one would do that on purpose, would they... oh wait...
 
  joe
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 17, 2003 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Hmmm.  Well, I guess whatever works for you.  I just know that I have a heck of a time with UPN resolution taking a long time with our IOCs - yes, some are in their own forest with Trusts.  But, I just can't imagine all of the explicit grants.  Maybe I'm just a bit backward, but I haven't really found it all that tough to track any one user's permission and membership trail to the point where I wouldn't want a Global group managing the cross-domain 'collection' of users.
 
And, the only denies that I have are on IIS servers.  I don't know of another deny in our entire structure.  But, then - you're dealing with something that, as I remember - is about 7 times as large as mine.
 
But, then, I am the guy who forgot that DC Administrators group and a member server local Administrators group weren't actually the same thing.  So, what do I know....  ;-)
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Sunday, August 17, 2003 12:38 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

We like to limit the security scope of the groups. Very difficult to chase permissions across the world when someone asks, what does this group have access to? At the worst, the permissions can only be applied within a specific geographic region or at least the machines that are part of it. Additionally, DLG's can take members from all domains and we don't have to have two or more groups for every resource being tied down (i.e. no user-global-local-permission nesting). People can do as much DLG nesting as they feel they may want to do which is ok. Resolution of the groups is easy as you don't have to have DC's chasing over to other Domain's DC's for the resolution.
 
All of our permissions on the directory are grant perms with passive denies and most of that delegation is within the default partitions so it all works well. I HATE active denies, troubleshooting is a nightmare when you have to chase through that.
 
Exchange has been a bit of a challenge since the E2K Dev guys figured AD was specifically built for them, and so they just figured anything they thought was good for Exchange was good for an entire company (but I will let you know how we fare with that in the end), and they figured they should just put everything important to them in the config container. Personally I think that MS has to treat Exchange like a foreign app that they purchased and do the whole rewrite-from-the-ground-up strategy, but this time use people who actually understand the directory they are trying to tie into. Also this time make heavy use of AD/AM; no point in all of that data being sent over an entire company when they use a centralized Exchange architecture.
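A way to check the "domain local unless built-in" rule Joe describes, added here as an example and not code from the thread: group scope is a bit mask in the groupType attribute (0x2 global, 0x4 domain local, 0x8 universal, 0x80000000 security-enabled), so one LDAP query can tally every security group by scope and list the non-default ones that are not domain local. It assumes a domain-joined host running PowerShell with ordinary read access to the directory; the report layout is mine.

```powershell
# Added example, not from the thread. Assumes a domain-joined host with read access
# to the directory (the default for any authenticated user).

# groupType bits from the AD schema: 0x2 global, 0x4 domain local, 0x8 universal,
# 0x80000000 security-enabled. A distribution list has the security bit clear.
function Get-GroupScope {
    param([int]$GroupType)
    if ($GroupType -band 0x2) { return 'Global' }
    if ($GroupType -band 0x4) { return 'DomainLocal' }
    if ($GroupType -band 0x8) { return 'Universal' }
    return 'Unknown'
}

# The bitwise-AND matching rule (1.2.840.113556.1.4.803) restricts the query to
# security groups server-side; 2147483648 is 0x80000000 in decimal.
$filter   = '(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648))'
$searcher = [ADSISearcher]$filter
$searcher.PageSize = 1000   # paged results: tens of thousands of groups is normal here
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'groupType', 'isCriticalSystemObject'))

$tally     = @{}
$offenders = New-Object System.Collections.Generic.List[string]

foreach ($r in $searcher.FindAll()) {
    $scope = Get-GroupScope ([int]$r.Properties['grouptype'][0])
    $tally[$scope] = 1 + [int]$tally[$scope]

    # Default groups (Domain Admins, the Builtin container, ...) carry
    # isCriticalSystemObject=TRUE; those are the "built-in" exceptions, and every
    # other security group is expected to be domain local.
    $builtin = ($r.Properties['iscriticalsystemobject'].Count -gt 0) -and
               [bool]$r.Properties['iscriticalsystemobject'][0]
    if (-not $builtin -and $scope -ne 'DomainLocal') {
        $offenders.Add([string]$r.Properties['distinguishedname'][0])
    }
}

"Security groups by scope:"
$tally.GetEnumerator() | Sort-Object Name | ForEach-Object { "  {0,-12} {1,7}" -f $_.Name, $_.Value }
"Non-built-in groups that are not domain local: $($offenders.Count)"
$offenders | Sort-Object
```

Run it once per domain (the searcher defaults to the current domain's root). Domain Admins is a global group but is flagged as a critical system object, so it stays out of the offender list, whereas the universal security groups that Exchange setup and the ADC create will show up in it, which is exactly the exception Joe and Hunter are arguing about.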
 
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 10:59 PM
To: AD mailing list (Send)
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

"Put down the beer Rick", come now - Rick is far too sophisticated to be drinking beer ... "Put down the Beaujolais" seems more apt (actually, with all that crap said ... I know for a fact he drinks beer ... the phrase like a fish actually springs to mind) - just teasing Rick!
 
Joe,
 
I was wondering why you chose to use mostly DLGs and if you've encountered any behavioral oddities when using them to assign permission to the directory itself.
 
Dean

--
Dean Wells
MSEtechnology
* Email: dwells@msetechnology.com
http://msetechnology.com

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Sunday, August 17, 2003 10:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Put down the beer Rick...
 
DC's have the local groups, especially Administrators.  If you didn't block, you would get the specialGroup in your Domain Controllers' Administrators group. I have tens of thousands of local groups on my domains. We don't use Global/Universal except built-in; everything else is DLG.
 
   joe
 
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, August 16, 2003 10:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Deji,
 
Good example - I like it, but I'm curious on one thing.  You state that you block it at Domain Controllers.  I'm not sure why, as DCs have no local groups.
 
If you're just being specifically cautious, great.  Me, I don't see the need to block it at the DC OU as it won't affect anything.
 

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Saturday, August 16, 2003 1:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

This is what I have in a batch file:
rem Check whether a group literally named "administrators" exists; net.exe sets a
rem non-zero errorlevel when it does not (e.g. on a German install, where the
rem built-in group is called "Administratoren").
net localgroup administrators >nul 2>&1
if NOT %errorlevel%==0 GOTO :GERMAN
net localgroup administrators /add myDomain\specialGroup
GOTO :END
:GERMAN
net localgroup administratoren /add myDomain\specialGroup
:END
 
I then add the batch file to a Machine Startup GPO at the Domain Level, blocking it at the Domain Controllers.
 
HTH
 
 
Sincerely,

Deji Akomolafe, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon
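A language-independent way to do the same thing, added here as an example and not part of Deji's post: rather than branching on each localized name of the Administrators group, resolve its well-known SID S-1-5-32-544 and let the OS supply whatever the group is called locally. This assumes PowerShell is available on the workstation (not the case on the 2003-era Windows in this thread, where the batch file above is the realistic tool) and keeps the same placeholder domain group, myDomain\specialGroup.

```powershell
# Added example, not from the original post. Assumptions: PowerShell on the target
# workstation; the domain group name below is the placeholder from Deji's script.
param(
    [string]$DomainGroup = 'myDomain\specialGroup'
)
$ErrorActionPreference = 'Stop'   # fail loudly rather than silently doing nothing

# Well-known SID of the built-in Administrators group; identical on every Windows
# install regardless of UI language. Translate it to the local display name
# ("Administrators", "Administratoren", ...).
$adminSid  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$adminName = $adminSid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]

# Resolve the domain group to a SID too, so membership is compared by SID rather
# than by name (a local account that happens to share the name must not count).
$account  = New-Object System.Security.Principal.NTAccount $DomainGroup
$groupSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Enumerate the current members of the local Administrators group via the WinNT
# provider and collect their SIDs.
$localGroup = [ADSI]"WinNT://./$adminName,group"
$memberSids = foreach ($m in @($localGroup.psbase.Invoke('Members'))) {
    $bytes = $m.GetType().InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
    (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
}

if ($memberSids -contains $groupSid) {
    Write-Verbose "$DomainGroup is already a member of $adminName"
    exit 0
}

# Same net.exe call the batch file used, but with the resolved local group name.
# As a machine startup script this runs as SYSTEM, which may add the member.
net localgroup $adminName /add $DomainGroup
exit $LASTEXITCODE
```

Deploy it the same way as the batch file, as a machine startup script. The SID check also makes the script idempotent, so a box that already has the group does not generate a "member already exists" error on every reboot.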


From: [EMAIL PROTECTED] on behalf of Narkinsky, Brian
Sent: Fri 8/15/2003 7:33 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Add junior admin to Local workstations admin group
