Jail is a special set of OUs that we put "bad" objects into. It is an OU with all permissions except localsystem and Enterprise Admins stripped from it. Any objects thrown in there are disabled and/or have their ACL stripped. It is beautiful for machines that aren't following naming standards, because someone can't recreate the object with that name again: it already exists and the system knows it, but they can't find it.
joe
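An added sketch of the jail arrangement Joe describes above, written for this page and not code from the thread: it strips every ACE except SYSTEM and Enterprise Admins from a Jail OU, then disables and moves computer accounts whose machine password is older than the 90-day cutoff Joe mentions later in the thread. It assumes the RSAT ActiveDirectory module, an existing Jail OU at the placeholder DN shown, and the placeholder NetBIOS domain name EXAMPLE.

```powershell
# Added example, not from the thread. Assumed: RSAT ActiveDirectory module,
# an existing OU=Jail (placeholder DN below) and the NetBIOS domain "EXAMPLE".
Import-Module ActiveDirectory

$JailOU = 'OU=Jail,DC=example,DC=com'                           # placeholder DN
$Keep   = @('NT AUTHORITY\SYSTEM', 'EXAMPLE\Enterprise Admins')  # only principals that keep rights
$Cutoff = (Get-Date).AddDays(-90)                               # the 90-day cutoff from the thread

function Set-JailAcl {
    # Block inheritance on the Jail OU and drop every explicit ACE whose
    # trustee is not in $Keep. Objects beneath the OU inherit that emptiness,
    # so workstation admins can no longer see, modify or re-create the names.
    param([string]$OuDn)
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.SetAccessRuleProtection($true, $false)   # $false: discard inherited ACEs rather than copy them
    foreach ($ace in @($acl.Access)) {
        if ($Keep -notcontains $ace.IdentityReference.Value) {
            $null = $acl.RemoveAccessRule($ace)
        }
    }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Send-ToJail {
    # Disable the account and move it under the Jail OU. The object still
    # exists, so the name stays reserved, but only $Keep can find or fix it.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] $Computer)
    if ($PSCmdlet.ShouldProcess($Computer.Name, 'disable and move to Jail')) {
        Disable-ADAccount -Identity $Computer.DistinguishedName
        Move-ADObject     -Identity $Computer.DistinguishedName -TargetPath $JailOU
    }
}

function Get-StaleComputer {
    # Domain members rotate their own machine password, so a PasswordLastSet
    # older than the cutoff means the box has not talked to the domain since.
    param([datetime]$Before = $Cutoff)
    Get-ADComputer -Filter { PasswordLastSet -lt $Before } -Properties PasswordLastSet |
        Where-Object { $_.DistinguishedName -notlike "*,$JailOU" }   # skip already-jailed objects
}

Set-JailAcl -OuDn $JailOU
Get-StaleComputer | ForEach-Object { Send-ToJail -Computer $_ -WhatIf }   # remove -WhatIf to act
```

Because everything except SYSTEM and Enterprise Admins loses rights on the OU, run Set-JailAcl once as an Enterprise Admin and keep the -WhatIf pass until the candidate list looks right.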
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Network Administrator
Sent: Sunday, January 11, 2004 7:31 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Computer Accounts and request for comments on provisioning.

Out of curiosity, what are you calling 'jail'? Are you simply disabling the account, or are you putting it into a homebrewed OU with specific restrictions?

Eternally curious,
-James R. Rogers

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of Joe

1. I have been really lax on this, what with other crap I have been dealing with. However, I am about to implement cleanup which will upset people and will remove anything older than 90 days. After 60 days the machines (W2K+) have to be rejoined anyway.

2. No. The network folks are actually locking most people out of direct network access. Most people without a business reason that is really good will get External OWA and that is about it. Anyone who will have dialup or VPN access to the network will need to do it from a company-owned laptop.

3. Not sure I understand this one. Server accounts can only be created by the people on the team I am on... 3 people. Workstations can be created by any one of thousands of workstation admins. However, they follow our standards or we make their computer accounts unusable by throwing them into jail.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)

Hey everyone… Happy New Year…
I am doing some research to help establish some new standards for provisioning workstations in our AD domains. In the past, any Windows NT workstation that was going to need to access domain resources was added to the domain. This means machines that were on the corporate network, and home machines. The problem we are having is that home machines are not being maintained as well as the corporate machines, and the home machines don't connect into the corporate network very frequently. We are in the process of consolidating several resource domains as well, and we are trying to decide which accounts to move, and which ones not to move. When we move computer accounts the process requires that the local user profiles get re-ACLed, as well as the local file systems.

So the questions I have that I am looking for feedback on are as follows.

1. On average, how long do you allow computer accounts to stay deactivated in your domain, and what issues do you run into when machines are disconnected longer than, say, 60 days? (I think I remember reading somewhere that secure channel passwords get reset every 30 days on machine accounts.) If the passwords are out of sync when the machine tries to join the domain again, will they auto-renegotiate a new secure channel password even though the password is out of sync, or does it always require resetting the secure channel?

2. Do you allow machines that are primarily home machines to connect in as domain resources, or do you use other means to provide remote access to domain resources? If so, what alternative means do you provide for remote access to resources?

3. Finally, do you require machines to go through a provisioning process when the computer account is created and removed from the domain? If so, how do you manage the process? In today's domains, I would think it would be desirable, with the need to have certificates issued for EFS, etc.

Thanks in advance for any feedback you all offer.

Todd
