...not making it a security group, but being able to use it as a security principal, and also being able to choose whether it will be used just as an OU (so it is not added to the access token) or as a security principal OU (so it will be added to the access token). As a user is a child object of the OU, in that situation the SID of the OU should be added to the access token of the user if it is a security OU. It should also be possible that, if a parent OU is a security OU and the next number of child OUs are not security OUs, and a user is in the deepest OU, it still gets the highest parent OU; otherwise all the intermediate OUs must also be security OUs, and then you might get a fully loaded access token with unused SIDs. #JORGE#
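The two token-population rules Jorge contrasts above (security-OU SIDs inherited across non-security intermediate OUs, versus a contiguous chain where every intermediate OU must also be a security OU) can be modelled in a few lines. The block below is an added toy model written for this page, not Active Directory behaviour and not code from anyone in the thread: real AD never places OU SIDs in an access token, and the OU names, SIDs and the `is_security_principal` flag are constructed for the illustration.

```python
# Toy model of the "OU as security principal" proposal from the thread.
# Constructed example: AD does not put OU SIDs in tokens; names/SIDs are made up.
from dataclasses import dataclass
from typing import Optional, List


@dataclass
class OU:
    name: str
    sid: str                      # hypothetical SID an OU would carry
    is_security_principal: bool   # proposed per-OU switch from the thread
    parent: Optional["OU"] = None


def ancestor_chain(ou: Optional[OU]) -> List[OU]:
    """OUs from the user's container upward to the top of the tree."""
    chain = []
    while ou is not None:
        chain.append(ou)
        ou = ou.parent
    return chain


def token_sids_skip_intermediates(user_ou: OU) -> List[str]:
    """Rule Jorge prefers: every security OU in the chain contributes its SID,
    even when the OUs between it and the user are plain (non-security) OUs."""
    return [ou.sid for ou in ancestor_chain(user_ou) if ou.is_security_principal]


def token_sids_contiguous(user_ou: OU) -> List[str]:
    """Rule he objects to: inheritance stops at the first non-security OU, so
    to reach a grandparent's SID every intermediate OU must be a security OU."""
    sids = []
    for ou in ancestor_chain(user_ou):
        if not ou.is_security_principal:
            break
        sids.append(ou.sid)
    return sids


def build_sparse_tree() -> OU:
    """Corp (security) -> Europe (plain) -> Sales (plain); user sits in Sales."""
    corp = OU("Corp", "S-1-5-21-1-1-1-1101", True)
    europe = OU("Europe", "S-1-5-21-1-1-1-1102", False, corp)
    return OU("Sales", "S-1-5-21-1-1-1-1103", False, europe)


def build_dense_tree() -> OU:
    """Same shape, but every OU flagged as a security OU ('fully loaded' token)."""
    corp = OU("Corp", "S-1-5-21-1-1-1-1101", True)
    europe = OU("Europe", "S-1-5-21-1-1-1-1102", True, corp)
    return OU("Sales", "S-1-5-21-1-1-1-1103", True, europe)


if __name__ == "__main__":
    sparse, dense = build_sparse_tree(), build_dense_tree()
    print("sparse/skip      :", token_sids_skip_intermediates(sparse))
    print("sparse/contiguous:", token_sids_contiguous(sparse))
    print("dense/skip       :", token_sids_skip_intermediates(dense))
```

With the sparse tree the skip rule yields only the Corp SID while the contiguous rule yields nothing, which is the gap Jorge describes; flagging every OU as a security OU makes both rules agree but loads the token with the Europe and Sales SIDs even if nothing is ever granted to them.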
________________________________
From: [EMAIL PROTECTED] on behalf of Brett Shirley
Sent: Tue 8/2/2005 10:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Biggest AD Gripes

About the OU thing, is what you are asking for that you should basically be able to make the OU just a normal security group?

-B

On Tue, 2 Aug 2005, WILLIAMS, J.D. wrote:

> I dislike OUs not being able to act as security principals (right
> terminology?). I'd like to assign rights on various objects to OUs as well as
> groups and individuals.
>
> I second Joe's gripe about branch replication.
>
> JD
>
> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, August 02, 2005 11:25 AM
> To: [email protected]
> Subject: [ActiveDir] Biggest AD Gripes
>
> So what are everyone's biggest AD gripes? I am not talking about gripes
> about things that use AD like GPOs[1] or Exchange or NFS or anything else
> like that. I mean actual AD really missed the boat because of this, that or
> the other thing.
>
> Like
>
> o I dislike that when you defunct an attribute it doesn't purge the
> information in the directory for that attribute.
>
> o The fact that AD security policy is managed through a technology dependent
> on AD and replicates both within AD and the other technology.
>
> o I dislike that there is no true schema delete.
>
> o I dislike the fact that I can't specify which branches of the tree
> replicate where.
>
> o I dislike the fact that GUIDs are represented in multiple ways in the
> directory.
>
> o I dislike the implementation of property sets, especially since they could
> be so incredibly awesomely cool. Specifically I dislike that an attribute
> can only be in a single property set.
>
> o I dislike creator/owner on SDs.
>
> o I dislike the lack of configurable business rules.
>
> o I dislike the fact that I can't run multiple domains on a single domain
> controller.
>
> Etc etc. I have more but let's see what others say. Everyone pipe up. Let's
> pretend that MS will actually see this; let's further pretend MS AD
> developers will see this. What would you tell them if you were sitting in
> the room with them?
>
> joe
>
> [1] I do not consider GPOs to be part of AD. They are a technology that
> leverages AD.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
