Excellent, thanks Vladimir. I had heard of the issue but not that a solution other than removing the objectclass index had been put forth. I am a great fan of indexing objectclass and it is one of the first things I tell people to do, so of course I didn't like the idea of removing the objectclass index and was concerned when the customer was discussing that possibility.

I wouldn't expect any multivalue attribute to be able to be sortable. What would be the key? Which specific value? Sort the values and then sort by the winner of that? I think excluding any mv indexed attributes might be a good valid design choice if it isn't already implicitly done.

I was trying to dupe the issue manually with ADFIND and when I try to set up for an objectclass sort in ldap_search_init_page, AD on 2K and K3 both throw Unavailable Critical Extension errors (DSID=031401A2). They don't do that for other mv attribs such as proxyAddresses, but they also don't sort the records either.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Vladimir Turin
Sent: Thursday, December 30, 2004 10:01 AM
To: [email protected]
Subject: RE: [ActiveDir] Delegation of Control Wizard

Well, I felt like providing some response. Here is the story. The EDM web interface allows you to sort by a particular attribute if you click on a column caption. Column captions are “clickable” only for the attributes which are indexed in Active Directory. One of our customers (and Joe probably knows who I am talking about) marked the objectClass attribute as indexed. The caption became “clickable”, but sort wasn't working because Active Directory ignores the fact that objectClass is indexed and does not sort (using the server-side sort control) anyways. The story became even worse – domain controllers (W2KSP4 and W2K3) started crashing and rebooting on attempts to issue the sort control over the objectClass attribute.

After some “troubleshooting process” Microsoft confirmed the bug in Active Directory. They “fixed” it by a private fix (contact me directly if you need the hotfix number). Domain controllers do not crash anymore after applying this hotfix – but objectClass isn't sortable anyways.

We worked around the issue (in version 5.1.658 – if you care) and do not make the “Type” caption clickable even for those smart customers who have indexed
it.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

Absolutely, that is definitely one product that will do it and the first one I had in mind when I posted. Keep in mind though that this functionality isn't terribly difficult to put together and do through a website either, for those who don't have the bucks to buy a full blown tool. The hardest part is maintaining good security in the app you build.

I did hear an interesting rumour about EDM though, that it displayed some info in one of the screens by indexed attributes and if you index objectclass it torks up the display pretty bad. I don't have first hand experience or the bits to test it. If that is so, that kind of sucks.
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Perdue David J Contr InDyne/Enterprise IT

Aelita (now Quest) has an app (used to be Enterprise Directory Manager) that will allow that level of granularity. It utilizes a SQL database to store the additional information and acts as a go-between for the user and AD. It provides some really neat functionality besides this
feature.

Dave //SIGNED//

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

Enabled/Disabled is maintained in the userAccountControl. Unfortunately that is a flag attribute and controls several things like not requiring passwords, etc. See http://msdn.microsoft.com/library/default.asp?url= for a semi-accurate listing. I say semi-accurate because, say, lockout isn't handled there any more...

Strictly speaking, you cannot directly delegate the ability to only disable/enable accounts within AD natively. You would need some system that follows business rules for you and does the work through a proxy such as an enterprise manager or web site or something.
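To make the flag-attribute problem concrete, here is an added example (not from joe's message or any product in the thread) of the check such a business-rules proxy would have to enforce: decode userAccountControl and accept a write only when the sole bit that changes is ACCOUNTDISABLE. The bit values are the documented userAccountControl flags; the function names and the sample account values are my own constructions.

```powershell
# Added example: why delegating "write userAccountControl" is wider than
# enable/disable, and the rule a business-rules proxy would enforce instead.
# Bit values are the documented userAccountControl flags.
$UacFlags = [ordered]@{
    SCRIPT                 = 0x0001
    ACCOUNTDISABLE         = 0x0002
    LOCKOUT                = 0x0010   # historical; lockout state now lives in lockoutTime
    PASSWD_NOTREQD         = 0x0020
    PASSWD_CANT_CHANGE     = 0x0040
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
}

# Translate a raw attribute value into the flag names it carries.
function ConvertFrom-Uac([int]$Value) {
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Proxy rule (hypothetical name): the only bit allowed to differ between the
# stored and the requested value is ACCOUNTDISABLE. Everything else (password
# not required, delegation, non-expiring password) must stay exactly as it was.
function Test-EnableDisableOnly([int]$Current, [int]$Requested) {
    $changed = $Current -bxor $Requested
    return ($changed -eq $UacFlags.ACCOUNTDISABLE)
}

# Constructed sample: a disabled normal account that also has PASSWD_NOTREQD set.
$current = 0x0222
"Current flags: $(ConvertFrom-Uac $current)"

# Request A clears only ACCOUNTDISABLE, so the proxy lets it through.
Test-EnableDisableOnly -Current $current -Requested 0x0220
# Request B enables the account but also drops PASSWD_NOTREQD; it is refused.
Test-EnableDisableOnly -Current $current -Requested 0x0200
# Request C enables the account and adds TRUSTED_FOR_DELEGATION; it is refused.
Test-EnableDisableOnly -Current $current -Requested 0x80220
```

Granting a helpdesk group write access on userAccountControl itself would let request B and C succeed; the proxy is what narrows the change to the one bit.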
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olegario, Alan

Thanks for the info. Would you know what permissions need to be set if we want to give them the right to ONLY enable an account if it's disabled? Thanks
again.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

Well it is the same in 2K and K3. You give the following permissions:

  WRITE lockoutTime
  CA Reset Password

You can do that with subinacl or adsiedit or ADUC (using dssec.dat mods).

All permissioning in AD should be to security groups and you add people to security groups. One thing you don't want to do that I have been seeing a lot of lately is 10 different groups with reset password. Secure the resource with a resource specific group and then add people/groups to that resource group.... i.e. if you have some people that can unlock, some can reset, have two groups. One for unlock, one for reset. If people who can unlock can reset, use one group.

You should do these delegations at the OU level, not piecemeal user by user.
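The same two permissions applied to one resource group at the OU level, as an added example using the ActiveDirectory PowerShell module rather than the subinacl/adsiedit/dssec.dat route joe mentions; this is not code from the thread. The group name and OU distinguished name are placeholders, and the attribute, class and extended-right GUIDs are read from the forest's own schema instead of being hardcoded.

```powershell
# Added example: grant one helpdesk group only "Reset Password" and write on
# lockoutTime for user objects under an OU, then list what the group ended up with.
# Placeholders: replace $GroupName and $OuDn with real values.
Import-Module ActiveDirectory
$GroupName = 'HelpDesk-PwdReset'                   # placeholder resource group
$OuDn      = 'OU=Users,DC=example,DC=com'          # placeholder OU

# Resolve GUIDs from this forest's schema and Extended-Rights container.
$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext
$userClassGuid = [guid]::new((Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID)
$lockoutGuid   = [guid]::new((Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=lockoutTime)' -Properties schemaIDGUID).schemaIDGUID)
$resetPwdGuid  = [guid](Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
    -LDAPFilter '(displayName=Reset Password)' -Properties rightsGuid).rightsGuid

$sid     = (Get-ADGroup -Identity $GroupName).SID
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

# ACE 1: control access right "Reset Password", scoped to descendant user objects.
$resetAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, $resetPwdGuid, $inherit, $userClassGuid)
# ACE 2: write lockoutTime (unlocking sets it to 0), scoped the same way.
$unlockAce = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
    $allow, $lockoutGuid, $inherit, $userClassGuid)

$acl = Get-Acl -Path "AD:\$OuDn"
$acl.AddAccessRule($resetAce)
$acl.AddAccessRule($unlockAce)
Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Check: every ACE the group now holds on the OU. Anything beyond the two
# object-specific entries above means the delegation is wider than intended.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, AccessControlType
```

For joe's two-group variant, run the script twice with one ACE each: the unlock group gets only $unlockAce and the reset group only $resetAce.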
joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Olegario, Alan

We are looking to give our helpdesk only the rights to reset passwords and unlock accounts. We found that in Win2k this was difficult to do using the Delegation of Control Wizard, so we did it using a security group. But now, I've been reading that it should be much easier in Win2k3. Does anyone know the exact permissions that we would need to give our helpdesk so that the only thing they can do is reset passwords and unlock accounts? Thanks.

Alan Olegario
Tiffany & Co.

The information contained in this email message may be privileged, confidential, and protected from disclosure. Any unauthorized use, printing, copying, disclosure, dissemination of or reliance upon this communication by persons other than the intended recipient may be subject to legal restriction or sanction. If you think that you have received this E-mail message in error, please reply to the sender and delete this email
promptly.