Well, I felt like providing some response. Here is the story. EDM web interface allows you to sort by a particular attribute if you click on column caption. Column captions are "clickable" only for the attributes which are indexed in Active Directory. One of our customers (and Joe probably knows who I am talking about) marked objectClass attribute as indexed. Caption became "clickable", but sort wasn't working because Active Directory ignores the fact objectClass is indexed and does not sort (using server-side sort control) anyways. The story became even worse: domain controllers (W2KSP4 and W2K3) started crashing and rebooting on attempts to issue sort control over objectClass attribute. After some "troubleshooting process" Microsoft has confirmed the bug in Active Directory. They "fixed" it by a private fix (contact me directly if you need hotfix number). Domain controllers do not crash anymore after applying this hotfix, but objectClass isn't sortable anyways. We worked around the issue (in the version 5.1.658, if you care) and do not make "Type" caption clickable even for those smart customers who have indexed it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

Absolutely, that is definitely one product that will do it and the first one I had in mind when I posted. Keep in mind though that this functionality isn't terribly difficult to put together and do through a website either for those who don't have the bucks to buy a full blown tool. The hardest part is maintaining good security in the app you build.

I did hear an interesting rumour about EDM though that it displayed some info in one of the screens by indexed attributes and if you index objectClass it torks up the display pretty bad. I don't have first hand experience or the bits to test it. If that is so, that kind of sucks.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Perdue David J Contr InDyne/Enterprise IT

Aelita (now Quest) has an app (used to be Enterprise Directory Manager) that will allow that level of granularity. It utilizes a SQL database to store the additional information and acts as a go-between for the user and AD. It provides some really neat functionality besides this feature.

Dave //SIGNED//
------------------------------------------------

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

Enabled/Disabled is maintained in the userAccountControl. Unfortunately that is a flag attribute and controls several things like not requiring passwords, etc. See http://msdn.microsoft.com/library/default.asp?url= for a semi-accurate listing. I say semi-accurate because, say, lockout isn't handled there any more...

Strictly speaking, you cannot directly delegate the ability to only disable/enable accounts within AD natively. You would need some system that follows business rules for you and does the work through proxy such as an enterprise manager or web site or something.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olegario, Alan

Thanks for the info. Would you know what permissions need to be set if we want to give them the right to ONLY enable an account if it's disabled? Thanks again.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

Well it is the same in 2K and K3. You give the following permissions:

    WRITE lockoutTime
    CA Reset Password

You can do that with subinacl or adsiedit or ADUC (using dssec.dat mods). All permissioning in AD should be to security groups and you add people to security groups. One thing you don't want to do that I have been seeing a lot of lately is 10 different groups with reset password. Secure the resource with a resource specific group and then add people/groups to that resource group.... i.e. if you have some people that can unlock, some can reset, have two groups. One for unlock, one for reset. If people who can unlock can reset, use one group. You should do these delegations at the OU level, not piecemeal user by user.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olegario, Alan

We are looking to give our helpdesk only the rights to reset passwords and unlock accounts. We found that in Win2k that this was difficult to do using the Delegation of Control Wizard, so we did it using a security group. But now, I've been reading that it should be much easier in Win2k3. Does anyone know the exact permissions that we would need to give our helpdesk so that the only thing they can do is reset passwords and unlock accounts? Thanks.

Alan Olegario
Tiffany & Co.

The information contained in this email message may be privileged, confidential, and protected from disclosure. Any unauthorized use, printing, copying, disclosure, dissemination of or reliance upon this communication by persons other than the intended recipient may be subject to legal restriction or sanction. If you think that you have received this E-mail
message in error, please reply to the sender and delete this email promptly.
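The delegation joe describes above (WRITE lockoutTime plus the Reset Password control access right, granted to one security group at the OU level and applied to user objects), done with the RSAT ActiveDirectory PowerShell module instead of subinacl or adsiedit. This is an added example, not from the thread; the OU and group names are placeholders, and the schema and extended-right GUIDs are looked up from the directory rather than hard-coded.

```powershell
# Added example: delegate only "unlock" (write lockoutTime) and "reset password"
# on an OU to a resource-specific security group, then verify what was granted.
# Assumes RSAT ActiveDirectory module and rights to edit the OU's security descriptor.
Import-Module ActiveDirectory

$OU    = "OU=Staff,DC=example,DC=com"   # placeholder: OU to delegate over (not user by user)
$Group = "Helpdesk-PasswordReset"        # placeholder: resource-specific security group

$root   = Get-ADRootDSE
$schema = $root.schemaNamingContext
$config = $root.configurationNamingContext

# Resolve GUIDs from the live schema/config so nothing is typed in by hand.
$userClassGuid = [guid](Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=user)" `
                         -Properties schemaIDGUID).schemaIDGUID
$lockoutGuid   = [guid](Get-ADObject -SearchBase $schema -LDAPFilter "(lDAPDisplayName=lockoutTime)" `
                         -Properties schemaIDGUID).schemaIDGUID
$resetPwdGuid  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$config" `
                         -LDAPFilter "(displayName=Reset Password)" -Properties rightsGuid).rightsGuid

$sid     = (Get-ADGroup $Group).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$OU"

# ACE 1: WRITE lockoutTime on descendant user objects (unlocking = writing 0 to lockoutTime).
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $lockoutGuid, $inherit, $userClassGuid)))

# ACE 2: "Reset Password" control access right on descendant user objects.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $inherit, $userClassGuid)))

Set-Acl -Path "AD:\$OU" -AclObject $acl

# Verify: the group should hold exactly these two object-specific ACEs and nothing broader.
(Get-Acl -Path "AD:\$OU").Access |
    Where-Object { $_.IdentityReference -like "*\$Group" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

The verification step matters because a GenericAll or an ACE with an empty ObjectType GUID in that output would mean the helpdesk got far more than unlock and reset.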
