I have been starting to wonder if we need to write an MVP book. Working
Title: Everything I needed to know I learned in the newsgroups...

Chapter 1 - Firewalls, what do you mean you aren't running one?
Chapter 2 - So you say AD is slow... How's your DNS?
Chapter 3 - Why Exchange should be rewritten from the ground up.
Chapter 4 - And why aren't Linux security holes making the 6PM news?

My chapter would be Chapter xxx  How to run an
AD Enterprise from the beaches of Cozumel while debating the all encompassing
question, "one space or two after a period". Of course that work would have
to be subsidized by the publishing company. I figure I would have a good
5-10 years of research for that one to get it right.

Hey BTW speaking of blowing timelines, that review for IAD was due
yesterday... 

You misread, the Robbie and Richard Enterprise Services book was the one I
called deep. The Cat book is a good overall welcome to the world of AD, "now
that you are here let me point out where the restrooms and the kitchen are
so you can be on your way".

  joe



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, September 20, 2003 6:46 PM
To: [EMAIL PROTECTED]

"I was actually asked, we know you helped review it, but do you think it is
worth buying. I haven't seen what the O'Reilly's editors have done to it
since I last looked, but from what I saw, yes buy it."

Even though my perspective might be tainted because of my work on the book -
I would still highly recommend it.  I have a very hard time believing that
the editorial staff could have messed this book up to the point that it
still wouldn't be one of the best available.

And, Joe - like you, I am reviewing "Inside Active Directory" 2/e.  What I've
seen so far is pretty good.  I'm heavily of the opinion that they really
only needed to do an update - which, so far is what I've seen.

The 'Cat' book - completely forgot about it.  And, honestly, I don't know
how.  'Deep' doesn't really even begin to explain it - it's a very
comprehensive book.

And, though I'm not the programmer you are, I have a copy of Gil's book
(Thank You, Mr. Kirkpatrick and Ms. Dutcher!).  I find it a steadfast
resource when trying to understand HOW something works at the level below
the interface.

Joe, I do agree that there is no reference that lays out 'If you want to
delegate the ability to do X, apply these permissions here, and at this
level and apply inheritance to this SP'.  I've used the information from
'Inside AD' to figure out much of what I've needed to do - sadly, most of it
is still trial and error.

So, Robbie - new chapters coming when?  ;o)

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe
Sent: Saturday, September 20, 2003 5:12 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add computers to domain permissions

Yeah Robbie's book is pretty good. I wish I got commission as I am pushing
it to a lot of people, the cookbook layout is a good thing for that stuff.
2nd Edition should be started now and could look like Grey's Anatomy. I have
been thinking for a long while about setting up something like that on my
site but due to time hadn't done it. I won't do it now for a while even if I
have time so Robbie gets properly compensated for taking the time to do it.
I was actually asked, we know you helped review it, but do you think it is
worth buying. I haven't seen what the O'Reilly's editors have done to it
since I last looked, but from what I saw, yes buy it.

Inside AD is really good as well. The security section is great as is the
schema info, we learned things in there and told MS PSS that they didn't
know. I actually just reviewed pieces of the 2nd edition of that one too,
again Sakari is doing a good job. I caught myself a couple of times
thinking, hmmm I didn't know that.

I also like the Cat book (Active Directory by Alistair, 2nd Edition help from
Robbie). Managing Enterprise Active Directory Services from Richard and
Robbie - this is one of the deepest books I have seen. From AD programming
standpoint I love Active Directory Programming from Gil. 

Overall though I don't think I have seen anything that really lays out the
permissions and what you should delegate for different functional roles.
That might make a good long chapter in the next cookbook. Also Robbie, don't
forget the Exchange stuff in the next one. People need to be thinking about
Exchange when doing stuff in AD otherwise they won't like being raped later
when they install it.

  joe
 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Friday, September 19, 2003 6:21 PM
To: [EMAIL PROTECTED]

Well, I'll give you two.  One is going to be Robbie Allen's new book (due
shortly).  I reviewed it for tech content, (as did a few others here) and
it's good - lots of code and geared towards Windows 2000/2003.  It's called
"Active Directory Cookbook" and is being published by O'Reilly.

http://www.amazon.com/exec/obidos/tg/detail/-/0596004648/qid=1064009830/sr=1-3/ref=sr_1_3/103-2178319-6639029?v=glance

The other one that I REALLY like as well is "Inside Active Directory".  This
book has an absolutely FANTASTIC chapter on AD security, permissions, etc.
Overall, this is one of the best AD books I have (I don't have Robbie's in
hand yet....;-) )  This book has been published by AW.  2nd Edition in the
works - I'd say late this year.

http://www.amazon.com/exec/obidos/tg/detail/-/0201616211/ref=pd_sbs_b_3/103-2178319-6639029?v=glance&s=books

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
Sent: Friday, September 19, 2003 4:50 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add computers to domain permissions

Rick - this brings up an interesting point...it seems like every time I want
to do something like this (figure out exactly what permissions to set to
allow group X to do task Y and no more), I have to hunt, dig, experiment,
etc.

I don't own every AD book ever printed, and barely have time to fully
understand what's in the ones I have.  Are there any good references that
provide a 'cookbook' of common tasks and the minimum permissions required
for them?

Dave

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Friday, September 19, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add computers to domain permissions


Every now and then this mass of e-mail I keep around has value.  I'd
responded to a similar question a few months ago - so here is the response
to that question:

<SNIP>

What you will likely need to do is to proceed along the following lines:
 
1.  Right click on the OU of your choice and go to Security.
2.  Select Advanced / Add / Select the group that you want to accomplish the
task
3.  By default, they should have READ, etc.  Scroll down and select
Allow Create / Delete Computer Objects
4.  In the 'Apply on to:' dialog, select This Object and All Child Objects.
Hit 'Apply' to save what we have so far.
5.  Click 'Add' again in the Advanced Security dialog UI.  Select the group
for the task (same group as above).
6.  In the 'Apply on to:' select 'Computer Objects' and grant Full Control
7.  Click 'OK' until you completely exit
 
This should do the following:  Allow the selected group to Create and Delete
Computer Objects within the OU in which this delegation was done (yep -
still delegation - not done through the Delegate Control selection, but this
*IS* what goes on behind the scenes anyway....), then we delegated the
permission to fully control Computer Objects - allowing the ability to
create the various attributes that make up a computer object - but only
computer objects, and nothing else.  
 
As you go through this exercise, it's interesting to note how many
permissions are associated with these objects.  Notice that there is a
properties tab, too!  This is what allows one to change the name, etc., of
an object as this is a property of the object.
 
Take your time as you go through this.  If you get a grasp of what happens
in this delegation, then the rest of your permissions tasks will be much
easier.
 
Good luck!

</SNIP>

BTW - you CAN delegate permissions to the Computer Container much in the same
manner.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
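
The seven GUI steps in the message above, as a scripted equivalent. This is an added example, not part of the original thread: it assumes the RSAT ActiveDirectory PowerShell module (which postdates this thread), and the OU distinguished name and group name are hypothetical placeholders.

```powershell
# Added example: scripted form of the two ACEs the GUI steps create.
# Assumptions: ActiveDirectory module installed; OU DN and group name are placeholders.
Import-Module ActiveDirectory

$ouDn      = 'OU=Site1,DC=example,DC=com'   # hypothetical site OU
$groupName = 'Site1-Admins'                 # hypothetical delegated group
$path      = "AD:\$ouDn"

# schemaIDGUID of the 'computer' object class
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$sid = (Get-ADGroup -Identity $groupName).SID
$acl = Get-Acl -Path $path

# Steps 2-4: Allow Create/Delete Computer Objects,
# applied to this object and all child objects.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    [System.Security.AccessControl.AccessControlType]::Allow,
    $computerClass,                                                        # object type created/deleted
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Steps 5-6: Allow Full Control, applied to descendant Computer objects only.
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass)                                                        # inherited object type

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path $path -AclObject $acl

# Check: list only the explicit (non-inherited) ACEs this group holds on the OU.
(Get-Acl -Path $path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
```

The final pipeline should return exactly two entries for the group, both referencing the computer class GUID; anything else explicit on the OU for that group was granted elsewhere.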
 

 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
Sent: Friday, September 19, 2003 3:16 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Add computers to domain permissions


We have many remote sites and an OU for each remote site.  We're delegating
our site admins permissions to their site OUs, and creating security group
restriction policies to grant them local admin permissions on their user's
desktops.

The problem we're having is the site admins can't join new PCs to the
domain.  A Microsoft TS told us that AD will automatically add a PC to an OU
that you have rights to, but this doesn't seem to be the case.  It appears
it's trying to add it to the builtin computers container instead, and the
site admins don't have rights to that.

How do we solve this?  Is there some type of a script that we need to be
using to do this?  We don't want to use RIS.  We want all our remote sites
to be able to join computers to their OU at will.

Thanks

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/