Slight mod to this sentence, especially since the CURRENT primary use of such groups THAT WE ARE FAMILIAR WITH is distributing emails.

I am seeing more and more use of these non-NT Security enabled groups in functions other than email delivery. And for this

> I take "both could be used for either" to actually mean "both could be
> used for DISTRIBUTION" since they are both technically not equally
> interchangeable, as you clarified in your email.

Both can be used for distribution, both can be used for security, however both cannot be used for "NT Security" when there is a dependency of the SID being placed in the token of the user to initiate the secured response. I was watching UNIX based apps and even one Windows based app using AD non-NT Security enabled groups for security several years ago. It makes a ton of sense since you don't have the concern of token bloat due to SIDs. For an application based security environment I think it makes far more sense than, for instance, checking for a control access right on an object based on the SID in the token.

Look around at how much trouble people have dealing with SIDs in comparison to a DN. All of the SID stuff is very Windows-centric for a directory that is pushing to be the centerpiece of a multiple platform SSO enabler. If I am sitting on a UNIX box and I need to determine who has access to some aspect of the system, am I going to use a SID? How hard is it to chase that back to a unique principal? Think of what the procedure needs to be to chase that down for an OS that can natively resolve it. Also consider the length of time it can take to resolve SIDs on an OS that can natively resolve it; ever sit there waiting for SIDs to turn into names? Consider that SID resolution has to go through objectSid for an entire forest, then sidHistory, and then chase into every trusted realm that isn't part of the forest. It is pretty complicated. Now bring into the picture ADAM SIDs as well, which don't resolve so well with the native interfaces...

Of course the thing that makes this a bit painful is the whole resolving of full group membership for a given user across a forest or multiple forests. It is less painful though now that the QP knows how to use the implicit indexes of the linked attributes, but still not as easy as it might be. I totally disagree that anything from .NET is the global answer to this. Forcing that to be the answer really closes down the answer to the Windows world, which already has an answer: SIDs and NT Security.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, September 23, 2005 2:18 AM
To: [email protected]
Subject: RE: [ActiveDir] When you change group scopes by using a combination of the Dsquery command

>>> As an aside, I dislike the use of the word distribution groups and security groups because both could be used for either. Any group can be a distribution group, the groups are simply NT security enabled or not NT security enabled.

Which is why you need to distinguish between them. "Non-NT Security Enabled Group" does not sound as logical as "Distribution Group", especially since the primary use of such groups is distributing emails. In the same vein, "NT Security Enabled Group" is less sexy than simply saying "Security Group", again since the primary use of such a group is in the security/permissioning/delegation space, although it could serve the "distributing" purposes too, as you mentioned. I take "both could be used for either" to actually mean "both could be used for DISTRIBUTION" since they are both technically not equally interchangeable, as you clarified in your email.

Sincerely,
Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?
-anon

________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Thu 9/22/2005 10:22 PM
To: [email protected]
Subject: RE: [ActiveDir] When you change group scopes by using a combination of the Dsquery command

<G> That is why ADMOD doesn't currently support a group scope type of switch along with other bitwise type ops (such as disable, etc). There are difficulties as you will see below.

I expect the fix for this is probably pretty inefficient and could be quite slow if updating a lot of objects; my guess is that it does a lookup on every object prior to updating it to get the current value, no other way to really do it, and this means two calls for every update. A more efficient way would be to create a query that picks out the NT security enabled groups and changes their scope and then do it again for non NT security enabled groups. Of course you would have to use the older un-fixed version of dsmod or use admod.

As an aside, I dislike the use of the words distribution groups and security groups because both could be used for either. Any group can be a distribution group; the groups are simply NT security enabled or not NT security enabled.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Sent: Thursday, September 22, 2005 8:36 PM
To: [email protected]
Subject: [ActiveDir] When you change group scopes by using a combination of the Dsquery command

When you change group scopes by using a combination of the Dsquery command and the Dsmod command, all the group types are changed to either distribution groups or security groups on a Windows Server 2003-based computer:
http://support.microsoft.com/?kbid=898063

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
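The thread turns on one detail: a group's scope and its "NT security enabled" flag live in the same groupType bitmask, so a tool that rewrites the whole value while changing scope silently flips security groups to distribution groups (or the reverse). The Python below is an added example written for this page, not code from the thread, ADMOD or dsmod; the groupType flag values and the bitwise-AND matching rule OID are the documented Active Directory ones, while the function names and the sample DNs are constructed for the illustration. It changes scope while preserving every non-scope bit, and builds the two LDAP queries joe describes (security groups first, then non-security groups) so each batch can be written with a single fixed value instead of a read-modify-write per object.

```python
# Added example (not from the thread or the tools it names): models the AD
# groupType bitmask so a scope change never drops the "NT security enabled" bit.
GROUP_TYPE_GLOBAL       = 0x00000002
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004
GROUP_TYPE_UNIVERSAL    = 0x00000008
GROUP_TYPE_SECURITY     = 0x80000000   # the "NT security enabled" bit
SCOPE_BITS = GROUP_TYPE_GLOBAL | GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_UNIVERSAL
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"   # AD's bitwise-AND extensible match
SCOPE_NAMES = {GROUP_TYPE_GLOBAL: "global",
               GROUP_TYPE_DOMAIN_LOCAL: "domain local",
               GROUP_TYPE_UNIVERSAL: "universal"}

def to_signed32(value):
    """AD stores groupType as a signed 32-bit integer, so security groups read back negative."""
    return value - 0x100000000 if value & GROUP_TYPE_SECURITY else value

def describe(group_type):
    """Return (scope name, is NT security enabled) for a groupType value as read from AD."""
    unsigned = group_type & 0xFFFFFFFF
    return SCOPE_NAMES.get(unsigned & SCOPE_BITS, "unknown"), bool(unsigned & GROUP_TYPE_SECURITY)

def new_group_type(group_type, new_scope):
    """Replace only the scope bits; every other bit, notably the security bit, is preserved."""
    if new_scope not in SCOPE_NAMES:
        raise ValueError("new_scope must be exactly one scope flag")
    return to_signed32(((group_type & 0xFFFFFFFF) & ~SCOPE_BITS) | new_scope)

def scope_filter(scope, security_enabled):
    """LDAP filter for groups of one scope that are (or are not) NT security enabled."""
    sec = f"(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={GROUP_TYPE_SECURITY})"
    if not security_enabled:
        sec = f"(!{sec})"
    return f"(&(objectClass=group)(groupType:{LDAP_MATCHING_RULE_BIT_AND}:={scope}){sec})"

SAMPLE_GROUPS = [  # constructed sample data, not taken from any real directory
    ("CN=Sales Mailing List,OU=Groups,DC=example,DC=com", 2),             # global, distribution
    ("CN=Sales Admins,OU=Groups,DC=example,DC=com", -2147483646),         # global, security
    ("CN=Helpdesk,OU=Groups,DC=example,DC=com", -2147483644),             # domain local, security
]

def plan_scope_change(groups, old_scope, new_scope):
    """Group the DNs by the query that would select them, with the one groupType each batch gets."""
    plan = {}
    for dn, group_type in groups:
        if (group_type & 0xFFFFFFFF) & SCOPE_BITS != old_scope:
            continue
        _, secure = describe(group_type)
        batch = plan.setdefault(scope_filter(old_scope, secure), (new_group_type(group_type, new_scope), []))
        batch[1].append(dn)
    return plan
```

Running plan_scope_change(SAMPLE_GROUPS, GROUP_TYPE_GLOBAL, GROUP_TYPE_UNIVERSAL) yields two batches: the security filter mapped to -2147483640 (universal, security) and the negated filter mapped to 8 (universal, distribution), with the domain local group left out of both.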
