Not that it was originally my idea, but I think if I were to follow along that logic, I'd want to be able to grant rights to an object to an OU (and maybe a special container?). That would allow a more dynamic membership (and some chaos, of course) that would be allowed access to a resource. For example, if I create an OU called ou=corp,dc=domain,dc=com and I want to grant permissions to some object such as a file share such that all objects in the OU corp had permissions to the share, I could do that. That has the added ability that as users are added they would "automagically" have access to the share without further work.

A strong argument could be made that I would rather just create a group and place the OU members in it and cause the group to be updated on changes (vs. dynamic group membership, on-the-fly sort of thingy). My preference would be the latter, because I don't want delegated rights to an OU to get in the way of resource access. Too messy. But a group object with an update schedule could be useful to me (maybe similar to the way the logonhours schedule works?).

I'd also like to see better delegation of user permissions. For example, I'd like to see better delegation to allow users with opposable thumbs, dyslexia (not to make fun of dyslexics) and a drinking problem (don't try this at home) the ability to manage an OU without giving them any more rights than they absolutely need. I believe there was a conversation somewhere around here earlier about delegating the movement of objects and how many rights that requires; I'd like to see that smoothed out a bit.

Stuart had a good idea with a true undelete. That should be configurable as to duration, similar to how Exchange maintains mailbox data. I realize it's a different app, but think of how much the disk vendors would LOVE you for it and administrators would sing your praises.

Oh, and in your spare time, maybe something with backup/restore into lab environments could be done?
How's that door opening business coming along? ;)
________________________________
From: [EMAIL PROTECTED] on behalf of Brett Shirley
Sent: Tue 8/2/2005 4:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Biggest AD Gripes

About the OU thing, is what you are asking for that you should basically be able to make the OU just a normal security group?

-B

On Tue, 2 Aug 2005, WILLIAMS, J.D. wrote:
> I dislike OUs not being able to act as security principals (right terminology?). I'd like to assign rights on various objects to OUs as well as groups and individuals.
>
> I second Joe's gripe about branch replication.
>
> JD
>
> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 02, 2005 11:25 AM
> To: [email protected]
> Subject: [ActiveDir] Biggest AD Gripes
>
> So what are everyone's biggest AD gripes? I am not talking about gripes about things that use AD like GPOs[1] or Exchange or NFS or anything else like that. I mean actual AD really missed the boat because of this, that or the other thing.
>
> Like
>
> o I dislike that when you defunct an attribute it doesn't purge the information in the directory for that attribute.
>
> o The fact that AD security policy is managed through a technology dependent on AD and replicates both within AD and the other technology.
>
> o I dislike that there is no true schema delete.
>
> o I dislike the fact that I can't specify which branches of the tree replicate where.
>
> o I dislike the fact that GUIDs are represented in multiple ways in the directory.
>
> o I dislike the implementation of property sets, especially since they could be so incredibly awesomely cool. Specifically, I dislike that an attribute can only be in a single property set.
>
> o I dislike creator/owner on SDs.
>
> o I dislike the lack of configurable business rules.
>
> o I dislike the fact that I can't run multiple domains on a single domain controller.
>
> Etc. etc. I have more, but let's see what others say. Everyone pipe up. Let's pretend that MS will actually see this; let's further say, let's pretend MS AD developers will see this. What would you tell them if you were sitting in the room with them?
>
> joe
>
> [1] I do not consider GPOs to be part of AD. They are a technology that leverages AD.
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
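The alternative the first poster says he would prefer, a plain security group whose membership is brought back in line with an OU on a schedule rather than OUs acting as security principals, as an added example that is not code from the thread or from any of its posters. It assumes the ActiveDirectory PowerShell module is installed; the OU distinguished name, group name and service account are hypothetical placeholders.

```powershell
# Added example (not from the thread): keep a security group's direct members in
# step with the user objects placed in an OU, so the group can carry the resource
# ACL while membership still follows OU placement. Hypothetical names throughout.
Import-Module ActiveDirectory

function Sync-OuToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $OuDn,       # e.g. 'OU=corp,DC=domain,DC=com'
        [Parameter(Mandatory)] [string] $GroupName,  # e.g. 'OU-corp-Members'
        [ValidateSet('OneLevel', 'Subtree')] [string] $Scope = 'OneLevel'
    )

    # Desired membership: user objects in the OU. OneLevel takes only direct
    # children; Subtree would also pull in users from child OUs.
    $desired = @(Get-ADUser -Filter * -SearchBase $OuDn -SearchScope $Scope |
        Select-Object -ExpandProperty DistinguishedName)

    # Safety valve: an empty result usually means a mistyped DN or a failed
    # query, not an intentionally empty OU. Bail rather than strip everyone.
    if ($desired.Count -eq 0) {
        throw "No user objects found under '$OuDn'; refusing to empty '$GroupName'."
    }

    # Current direct members (no nested expansion). Anything not in the OU gets
    # removed, so the group must be treated as owned by this sync job. Note that
    # Get-ADGroupMember is capped by the DC's MaxGroupOrMemberEntries policy.
    $current = @(Get-ADGroupMember -Identity $GroupName |
        Select-Object -ExpandProperty DistinguishedName)

    $toAdd    = @($desired | Where-Object { $_ -notin $current })
    $toRemove = @($current | Where-Object { $_ -notin $desired })

    if ($toAdd.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "add $($toAdd.Count) member(s)")) {
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    if ($toRemove.Count -gt 0 -and
        $PSCmdlet.ShouldProcess($GroupName, "remove $($toRemove.Count) member(s)")) {
        Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false
    }

    # Return the delta so a scheduled run can be logged or alerted on.
    [pscustomobject]@{ Added = $toAdd; Removed = $toRemove }
}

# Hypothetical OU and group. Keep -WhatIf on the first run to see the delta.
Sync-OuToGroup -OuDn 'OU=corp,DC=domain,DC=com' -GroupName 'OU-corp-Members' -WhatIf

# Hourly schedule (create once from an elevated prompt). The task account needs
# only "Write Members" on OU-corp-Members plus read on the OU, nothing more.
# schtasks /Create /SC HOURLY /TN "SyncOuToGroup" /RU DOMAIN\svc-ousync /RP * `
#   /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Sync-OuToGroup.ps1"
```

Drop the `-WhatIf` from the call in the copy the scheduled task runs. The point of removing members the OU no longer contains is that access goes away when someone is moved out, which is the behaviour an OU-as-principal would have given for free; the cost is that nothing else may hand-manage that group's membership, and the empty-result check is what keeps a bad DN from revoking everyone's access in one pass.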
