LOL. I loved that commercial.
So Rick which monkey were you? The old grey hair enjoying
the gluteal attention or the younger one giving the
attention?
:o)
Sorry for the relative silence. Been pretty buried helping
a customer try to work out various issues with weird attributes in AD in
relation to Exchange. Trying to chase down where they are coming from and what
is setting them. I am slowly starting to learn about EDM now and attributes it
is setting and how it is setting them.
Oh yeah, also putting finishing touches on ADFIND
V01.26.00... I had to fix it for something in K3 SP1 and I wanted a few features
for something else so I added them in. One that people may like allows them to
get the owner of objects easily. It will output as a regular attribute or I
worked out a way to output a DN;owner format.
F:\DEV\cpp\AdFind>adfind -default -s one -ownercsv

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

"CN=Builtin,DC=joe,DC=com";"BUILTIN\Administrators"
"CN=Computers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=Domain Controllers,DC=joe,DC=com";"JOE\Domain Admins"
"OU=Exchange,DC=joe,DC=com";"JOE\Domain Admins"
"CN=ForeignSecurityPrincipals,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Infrastructure,DC=joe,DC=com";"JOE\Domain Admins"
"CN=LostAndFound,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Microsoft Exchange System Objects,DC=joe,DC=com";"JOE\Domain Admins"
"CN=NTDS Quotas,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Program Data,DC=joe,DC=com";"JOE\Domain Admins"
"CN=System,DC=joe,DC=com";"JOE\Domain Admins"
"OU=TestOU,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Users,DC=joe,DC=com";"JOE\Domain Admins"

Another fun thing is finding all unique security principals
that "own" an AD object.

F:\Dev\CPP\AdFind>adfind -h 2k3dc01 -gc -b -f * -owneronly -nodn -nolabel -q |unique

BUILTIN\Administrators
CHILD1\Domain Admins
JOE\$jricha34
JOE\2K3DC01$
JOE\2K3EXC01$
JOE\2K3EXC02$
JOE\2K3UTL01$
JOE\Domain Admins
JOE\Enterprise Admins
JOE\FASTMOFO$
JOE\Schema Admins
NT AUTHORITY\SYSTEM

joe

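An added example, not part of Joe's message or of AdFind: a short Python script that reads DN;owner lines in the shape shown above and lists objects whose owner falls outside an expected set, which is worth reviewing because an object's owner can change that object's permissions. The EXPECTED_OWNERS baseline and the last DN in the sample are assumptions made for the illustration.

```python
import csv
from collections import defaultdict

# Constructed sample in the "DN";"owner" shape shown above; the last DN is made up.
SAMPLE = r'''AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
"CN=Builtin,DC=joe,DC=com";"BUILTIN\Administrators"
"OU=TestOU,DC=joe,DC=com";"JOE\Domain Admins"
"CN=Users,DC=joe,DC=com";"JOE\Domain Admins"
"CN=constructed-object,OU=TestOU,DC=joe,DC=com";"JOE\$jricha34"
'''

# Assumption: owners this site considers normal. Adjust to local policy.
EXPECTED_OWNERS = {
    r"BUILTIN\Administrators",
    r"JOE\Domain Admins",
    r"JOE\Enterprise Admins",
    r"JOE\Schema Admins",
    r"NT AUTHORITY\SYSTEM",
}


def parse_owner_csv(text):
    """Return (dn, owner) pairs; banner, blank and malformed lines are skipped."""
    rows = csv.reader(text.splitlines(), delimiter=";", quotechar='"')
    return [(r[0], r[1]) for r in rows if len(r) == 2 and "=" in r[0]]


def unexpected_owners(pairs, expected=EXPECTED_OWNERS):
    """Group DNs by owner for every owner outside the expected set.

    Account names are compared case-insensitively, as Windows does.
    """
    allowed = {name.casefold() for name in expected}
    flagged = defaultdict(list)
    for dn, owner in pairs:
        if owner.casefold() not in allowed:
            flagged[owner].append(dn)
    return dict(flagged)


if __name__ == "__main__":
    for owner, dns in sorted(unexpected_owners(parse_owner_csv(SAMPLE)).items()):
        print(f"{owner} owns {len(dns)} object(s):")
        for dn in dns:
            print(f"  {dn}")
```
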
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rick Kingslan
Sent: Wednesday, February 09, 2005 12:16 AM
To: [email protected]
Subject: RE: [ActiveDir] Exclude a specific user (or group) from a GPO (WMI Filter?)

Yeah – I agree with
Darren on this one. Picture the Yeknom Inc. (CareerBuilder.Com)
commercials that aired during the Super Bowl. Picture a gray-haired Monkey
standing in his chair, and a younger chimp kissing his
butt. Yep – American
Capitalism at its finest.

-rtk

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Darren Mar-Elia

I agree with Joe here
(it happens sometimes). Leave the DDP alone for this kind of stuff, esp. if
it is also the GPO you use to manage domain account policy. I don't have any
problem with you linking the GPO at the domain if it truly applies to almost all
users in the domain, esp. if the alternative is having to link the same GPO all
over the place to get full coverage anyway. Just put it in a different GPO than
the DDP and use a Deny Apply Group Policy ACE for your CEO (or better
yet a group containing your CEO). And, as to why the CEO
shouldn't be subject to the same policy as everyone else, it's called American
Capitalism :-). Since when was a CEO subject to the same anything as the rest of
the employees?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

If you have any
intention of excluding your CEO or anyone else from any other policies you
should probably better scope your GPOs. Don't make the changes in the domain
policy, in fact I rarely recommend anyone change things in that policy except
for the things that they absolutely have to. Put the policies down on the OU(s)
where the users/computers are. Then place the users and computers in the OU
specific to the policy they should have. BTW, why shouldn't the
CEO have a machine configured like everyone else?

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jason B

In this example, I want to exclude
our CEO from having a forced IE start page through GPO, while the remainder of
our domain keeps a forced homepage. Is the best way to go about this, to
write a WMI filter to exclude that specific user, or is there some better way to
do it, as we have this set in our Default Domain
Policy? If so, can anyone point me to a good
tutorial for writing such a WMI script? Thanks.
