Title: RE: [ActiveDir] Biggest AD Gripes
Unfortunately I think that for a lot of this business-rules kind of thing, such as dynamic or rules-based groups etc., the answer has already been determined by MS to be MIIS. I don't often think of MIIS as the answer to managing your AD, but I know that is the direction MS is going. It always seemed to me that saying MIIS was the answer was similar to someone saying "I have issues with snow with my truck" and the answer being to load on a heavy-duty, fully electronic, heated snow plow that takes up all of your attention when you already had no attention span left, when instead the answer could simply be putting on snow tires and antilock brakes.
 
It is the slap-something-on-top mentality that seems to be rampant right now. Dean has pointed out multiple instances of it in various pieces; one of the more obvious and recent ones is the confidentiality bit... instead of making the core more secure, slap on another piece to add more complexity to get the security that should already be there. But even still, the capability is limited to non-cat-1 attributes, which leaves out many of the ones people want to lock down, like phoneNumber and employeeID, etc.
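The cat-1 limitation above is something you can check before planning to rely on the confidentiality bit. The script below is an added example, not code from the thread or from any of its posters: it reads the schema naming context and reports, for each attribute named on the command line, whether it is a base-schema (category 1) object (systemFlags 0x10) and whether the confidentiality bit (searchFlags 0x80) is already set. The attribute names in the default parameter are assumptions chosen for illustration; it needs the ActiveDirectory module and a user that can read the schema.

```powershell
# Added example (not from the thread): which attributes can take the confidentiality bit?
# Base-schema (category 1) attributes cannot be marked confidential, so for those
# only the ACL on the object protects the value.
param(
    [string[]]$Attribute = @('telephoneNumber', 'employeeID')   # assumed names for illustration
)
Import-Module ActiveDirectory

$FLAG_SCHEMA_BASE_OBJECT  = 0x10   # systemFlags: base (category 1) schema object
$SEARCH_FLAG_CONFIDENTIAL = 0x80   # searchFlags: fCONFIDENTIAL

$schemaNC = (Get-ADRootDSE).schemaNamingContext

foreach ($name in $Attribute) {
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" `
        -Properties lDAPDisplayName, systemFlags, searchFlags

    if (-not $attr) {
        Write-Warning "${name}: not found in schema"
        continue
    }

    # systemFlags may be absent on some attributes; -band with $null yields 0.
    $isBase         = ($attr.systemFlags -band $FLAG_SCHEMA_BASE_OBJECT) -ne 0
    $isConfidential = ($attr.searchFlags -band $SEARCH_FLAG_CONFIDENTIAL) -ne 0

    [pscustomobject]@{
        Attribute           = $attr.lDAPDisplayName
        Category1           = $isBase
        Confidential        = $isConfidential
        CanMarkConfidential = -not $isBase
    }
}
```

Anything that comes back with Category1 = True is exactly the case the post complains about: the bit is not available, so the only control left is the DACL on the objects that carry the attribute.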
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, August 02, 2005 6:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Biggest AD Gripes

Not that it was originally my idea, but I think if I were to follow along that logic, I'd want to be able to grant rights to an object to an OU (and maybe a special container?)  That would allow a more dynamic membership (and some chaos of course) that would be allowed access to a resource. For example, if I create an OU called ou=corp,dc=domain,dc=com and I want to grant permissions to some object such as a file share such that all objects in the OU corp had permissions to the share, I could do that. That has the added ability that as users are added they would "automagically" have access to the share without further work.
 
A strong argument could be made that I would rather just create a group and place the OU members in it and cause the group to be updated on changes (vs. dynamic group membership- on-the-fly-sort-of-thingy). My preference would be the latter, because I don't want delegated rights to an OU to get in the way of resource access.  Too messy.  But a group object with an update schedule could be useful to me (maybe similar to the way the logonhours schedule works?)
 
I'd also like to see better delegations of user permissions. For example, I'd like to see better delegation to allow users with opposable thumbs, dyslexia (not to make fun of dyslexics) and a drinking problem (don't try this at home) the ability to manage an OU without giving them any more rights than they absolutely need.  I believe there was a conversation somewhere around here earlier about delegating the movement of objects and how much rights that requires; I'd like to see that smoothed out a bit. 
 
Stuart had a good idea with a true undelete. That should be configurable as to duration similar to how Exchange maintains mailbox data.  I realize it's a different app, but think of how much the disk vendors would LOVE you for it and administrators would sing your praises.
 
Oh, and in your spare time, maybe something with backup/restore into lab environments could be done?
 
 
How's that door opening business coming along?  ;)
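The "group updated from an OU on a schedule" variant that Al prefers can be done today with a scheduled script rather than waiting for a product feature. The script below is an added example, not code from the thread or from any of its posters: it makes a security group's membership equal to the enabled users under an OU, reports the delta, and only writes when run with -Commit. The OU and group names are assumptions for illustration; it needs the ActiveDirectory module.

```powershell
# Added example (not from the thread): keep a group in sync with the users under an OU,
# so the share ACL references the group and the OU itself never becomes a principal.
param(
    [string]$SearchBase = 'OU=corp,DC=domain,DC=com',   # OU from Al's example
    [string]$GroupName  = 'corp-share-users',            # assumed group name
    [switch]$Commit                                      # without -Commit, only report the delta
)
Import-Module ActiveDirectory

# Subtree also picks up child OUs; use OneLevel if only direct children should qualify.
$wanted = @(Get-ADUser -SearchBase $SearchBase -SearchScope Subtree -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty DistinguishedName)

# Read 'member' directly rather than Get-ADGroupMember, which is capped at a few
# thousand members by default and resolves every principal.
$current = @((Get-ADGroup -Identity $GroupName -Properties member).member)

# Refuse to empty the group when the OU lookup returns nothing: that is more likely
# a query or connectivity problem than an OU with no users, and it would revoke all access.
if ($wanted.Count -eq 0 -and $current.Count -gt 0) {
    throw "No enabled users found under $SearchBase; not touching $GroupName"
}

$toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
$toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

Write-Host ("{0}: +{1} / -{2} (members now {3}, wanted {4})" -f `
    $GroupName, $toAdd.Count, $toRemove.Count, $current.Count, $wanted.Count)
$toAdd    | ForEach-Object { Write-Host "  add    $_" }
$toRemove | ForEach-Object { Write-Host "  remove $_" }

if ($Commit) {
    if ($toAdd)    { Add-ADGroupMember    -Identity $GroupName -Members $toAdd    -Confirm:$false }
    if ($toRemove) { Remove-ADGroupMember -Identity $GroupName -Members $toRemove -Confirm:$false }
}
```

The script is authoritative for the group: anything someone adds by hand is removed on the next run, which is the "some chaos" trade-off Al mentions, made explicit. Run it under an account that is delegated only write-member on that one group, so the sync job cannot touch anything else, and keep the dry-run output from the scheduled task as the audit trail for who gained or lost access and when.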


From: [EMAIL PROTECTED] on behalf of Brett Shirley
Sent: Tue 8/2/2005 4:31 PM
To: [email protected]
Subject: RE: [ActiveDir] Biggest AD Gripes

About the OU thing, is what you are asking for, that you should basically
be able to make the OU just a normal security group?

-B

On Tue, 2 Aug 2005, WILLIAMS, J.D. wrote:

> I dislike OUs not being able to act as security principals (right
> terminology?) I'd like to assign rights on various objects to OUs as well as
> groups and individuals.
>
> I second Joe's gripe about branch replication
>
> JD
>
>
> -----Original Message-----
> From: joe [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 02, 2005 11:25 AM
> To: [email protected]
> Subject: [ActiveDir] Biggest AD Gripes
>
> So what are everyone's biggest AD Gripes? I am not talking about gripes
> about things that use AD like GPOs[1] or Exchange or NFS or anything else
> like that. I mean actual AD really missed the boat because of this that or
> the other thing.
>
> Like
>
> o I dislike that when you defunct an attribute it doesn't purge the
> information in the directory for that attribute.
>
> o The fact that AD Security policy is managed through a technology dependent
> on AD and replicates both within AD and the other technology.

> o I dislike that there is no true schema delete.
>
> o I dislike the fact that I can't specify which branches of the tree
> replicate where.
>
> o I dislike the fact that GUIDs are represented in multiple ways in the
> directory.
>
> o I dislike the implementation of property sets especially since they could
> be so incredibly awesomely cool. Specifically I dislike that an attribute
> can only be in a single property set.
>
> o I dislike creator/owner on SDs.
>
> o I dislike the lack of configurable business rules.
>
> o I dislike the fact that I can't run multiple domains on a single domain
> controller.
>
>
>
> Etc etc. I have more but let's see what others say. Everyone pipe up. Let's
> pretend that MS will actually see this, let's further say let's pretend MS
> AD Developers will see this. What would you tell them if you were sitting in
> the room with them?
>
>
>
>    joe
>
>
>
>
>
> [1] I do not consider GPOs to be part of AD. They are a technology that
> leverages AD.
>
> List info   : http://www.activedir.org/Listaspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
>

