Using the DLGs doesn't kill us any more than if we used GGs. Same loss of resource access.
 
As for the accidents, the guys with the big guns don't use the GUI for most anything, they use very targeted scripts that do very specific things. We don't, for instance, have any mass delete anything scripts. All one-off delete.
 
The groups are supposed to have well known membership to the admins running them, they are supposed to be auditing the groups on a very regular basis as to who should be in them. So loss of a group should simply be recreate the group, reassign to the proper ACE in the proper file structure (we don't do one group secures a zillion different things or at least heavily discourage it), re-add the correct people.
 
I do have some ideas floating in the back of my mind about pulling all groups, computers, users off into a single AD/AM instance so we can track things there. Don't sync the deletes other than marking a field in AD/AM when the delete occurred. This is more for being able to do quick checks for things in the directory (everything would be tuple indexed) but could also help if someone smoked a group that they shouldn't have as we would have the last known membership for sure. I would also like to get some form of change log management in there as well but that project is way pie in the sky at the moment. Trying to get K3 deployed at the moment and the final pieces of E2K deployed.
 
 
 
-------------
http://www.joeware.net   (download joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Thursday, March 04, 2004 2:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

actually, you need to consider this issue more than others Joe, as you're building all group-memberships on Domain Local Groups (in a multi-domain environment) which will kill you, if you do accidentally delete the wrong objects. Obviously you could still restore all domains - but that's pretty nasty.
 
And accidents don't only happen to lower privileged admins - it could be one of you three...
 
/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, March 3, 2004 16:40
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

Yes, excellent point. We haven't started worrying about that granularity yet. If something is deleted, we figured the person with the power to delete it intended it. Have a nice day. There are only three people who can really do any huge mass deletes across the board and we all sit within smacking distance of each other so we are careful as we have sensitive ears and don't want to be cuffed. I do think we need some sort of solution for this eventually though. But it is more to reduce nuisance factor for silly OU admins than anything else.
 
Right now mostly still just worrying about the old South East Michigan was swallowed by a volcano that came out of nowhere... How do we make sure we can recover.
 
-------------
http://www.joeware.net   (download joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Wednesday, March 03, 2004 3:01 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

will only be good for restoring the DC hardware, but depending on your setup won't be sufficient to fully recover accidentally deleted objects.
 
I've worked with Aelita on this whitepaper to discuss the potential issues:
 
/Guido


From: joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, March 3, 2004 02:11
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Protecting Active Directory

1. Multiple DCs in disparate locations.
 
2. Virtual DC for each domain that is shut down nightly and the disk file for each is copied to some other location.
 
-------------
http://www.joeware.net   (download joeware)
 
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Philadelphia, Lynden - Revios Toronto
Sent: Tuesday, March 02, 2004 3:49 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] Protecting Active Directory
Importance: High

What is the best way to back up your domain controller so you can restore it in a disaster situation?
