I'll check back on the cats reference to the first edition as I suspect
the O'Reilly covers last longer than
the binding... I do remember reading (perhaps someone's sig) about dogs
having owners, cats having staff...
I find that quite a good description ... mine are at best 'ambivalent'.
Regards the book, looks like the principle of the spoken word holding
more value than the written one
still holds true.. although you have to realise I speak from a position
of selfishness... otherwise I'd be out
of a job :-)
Mylo
joe wrote:
Thanks. :)
Re: the animal pics, that is probably the second most common type of
question I hear. First being, are you rich from the book and the second
being why did you pick a cat for the cover. The second is that I picked by
picking the book with the cat on the cover to work on, it was the cover
since 2000 (first edition was red and black though instead of black and
blue). I think cats are great for the cover because
a. I really like cats. My cat rules my house with an iron paw.
b. I like the curiosity / exploring aspect of cats and think it works in
with joeware well.
c. Better than say a gecko or a camel or a bat or something.
Authors DO NOT get to pick the cover animal. Here is a little article on the
O'Reilly cover animals...
http://www.oreilly.com/news/lejeune_0400.html
On the positive side by the end of last summer, I hated the book, didn't
want to see it again ever. Now I actually quite like it and find myself
paging through it at different times looking for info to tell people knowing
I (or Robbie or Alistair) probably explained it better in there than I am
going to do just winging it.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, April 15, 2006 8:49 PM
To: [email protected]
Subject: Re: [ActiveDir] Property Sets and AD Security woes
Joe,
Shame about the lack of champagne moments on the book. I tend to be rather
succinct on e-mail but this sort of response deserves the same.... so point
for point :-)
1. I went to a TechMentor conference San Francisco in 2001, remember
reading Alistair's 1st Edition and wondering why the binding on the book was
SO bad... it fell apart on the return trip.. it turned out to be great
picking up those 'anecdotal' AD tips that had fallen apart all over my
apartment (never was good at housecleaning)
2. At the risk of being sycophantic I'm not going to comment on this point
aside from the fact that you do post to this forum 'occasionally'
3. Remember doing an Internet competency exam on NDS back in 2000 and being
ranked 3rd in the world for about 3 1/2 minutes/days until the masses joined
in..... the printout sufficed for my parents though ..that's a bronze medal
dontcha know :0)
4. Yeah, went thru the Active.Dir archives tonight about property sets and
you've already summarised most of the questions in previous posts, so the
</cut> </paste> snippets are sort of understandable...
5. Here I can offer an insight.. have a similar relationship with the
girlfriend about domestic chores... not quite the same but it's the
principle you understand :-)
I can't comment too much on O'Reilly and the (esoteric) side of publishing
but then again as a reader I get the benefit of snooping the book in the
store before buying them.....not quite sure about how the connection with
the animal pictures on the front works tho.. is that a joeware.net home page
reference on the front?
Back to the subject at hand I'll bear in mind what you said about
Outlook/Exchange...I'd like to think that the changes to the property sets
is doable but it's a big client and any changes to "defaults" and the
implications support-wise will probably mean that any solution I come up
with (under consultation) will not fly.
Regards,
Mylo
joe wrote:
Oh no, no bright lights, no big city. No champagne wishes and caviar
dreams.
I knew that going in. It was never about the money. I did the book for
a couple of main reasons
1. That is the first book I read to learn about Active Directory and it
seemed poetic for me to come full circle and actually work on it.
2. I knew that it needed some help and I could supply that help and in
turn help the overall community, especially folks getting started.
3. I knew my mom, grandmother, and Aunt would love it.
4. It is a time saver when posting. I can say, go get this book and read
it.
Or check out chapter 11 or chapter 18 or what not. :)
5. I promised Robbie I would eventually do a book for him and O'Reilly.
He kept bringing it up and I kept turning it down and when he didn't
let me off the hook after writing the Exchange chapter for the Windows
Server Cookbook I knew I was going to have to say yes to something and
he finally hit me with this one.
I don't know how most authors think about O'Reilly, I found them
somewhere between interesting to annoying. We "spoke" at great length
about timelines and such. As a rule it seemed that if they needed
something they were quite fervent and pushy about it, but were not
quite so "into it" when it was the other way around. Would I write
another book for them? Probably not unless I had written it already and
came up with an equitable agreement with them to publish and distribute
it as is. I have no problem reviewing books for them which I have done a
ton of, that tends to go much better.
Besides testing Exchange, test Outlook extensively. Do things like
modify info etc and see how it goes. Outlook tends to react poorly to a
lot of things that it should, but doesn't, expect. I have had the
opportunity to experience Outlook crashing in the most spectacular
fashions when playing with the visibility or changeability of various
AD attributes. If you have a multidomain production forest you
absolutely want to test Exchange in that environment in the lab because
Exchange's visibility to things in the GC is handled through unexpected
permissions. For instance you would expect everything Exchange needed
access to would be granted to the Exchange groups and would have proper
scope everywhere needed, this is not correct, Exchange tends to fall back
to Auth User access rights in the GCs quite often.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, April 15, 2006 12:31 PM
To: [email protected]
Subject: Re: [ActiveDir] Property Sets and AD Security woes
Yes, even with my relatively untrained eye I can see the difference in
the default descriptors....
I think I'll have a go at changing the defaults within a VM, install
Exchange on top and see whether it expires.
Aahhh... bless Father O'Reilly... and here was me thinking that as soon
as you get your name in print it's 'hello bright lights big city'
THAT must be why the book is on its 3rd edition then Joe ;-)
Thanks again for the heads-up.
Regards,
Mylo
joe wrote:
Mildly ironic... or could it be almost sardonic one wonders...
The proceeds will clear up coughs at O'Reilly HQ far quicker than it
will clear up any coughs for me. Unfortunately I am but an author.
Now that these permissions are "out there", it will be difficult for
MS to retract them as they and others have become dependent on them in
Active Directory. On the positive side, this overly generous mood
wasn't in place for ADAM so if you look at the Default SDs on ADAM
schema objects you will see that they are all clear i.e. Inherited
permissions all work as you would expect. If you add in the optional
schema mods such as user you will see your first default SDs in ADAM
but even that is much better than it was.
F:\Dev\Perl\TrackADUpds>adfind -sc s:user defaultsecuritydescriptor
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
Using server: 2k3dc01.joe.com:389
Directory: Windows Server 2003
Base DN: CN=Schema,CN=Configuration,DC=joe,DC=com
dn:CN=User,CN=Schema,CN=Configuration,DC=joe,DC=com
defaultSecurityDescriptor: D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)(A;;RPLCLORC;;;PS)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a54-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;CR;ab721a56-1e2f-11d0-9819-00aa0040529b;;PS)(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)(OA;;RP;037088f8-0ae1-11d2-b422-00a0c968f939;;RS)(OA;;RP;4c164200-20c0-11d0-768-00aa006e0529;;RS)(OA;;RP;bc0ac240-79a9-11d0-9020-00c04fc2d4cf;;RS)(A;;RC;;;AU)(OA;;RP;59ba2f42-79a2-11d0-9020-00c04fc2d3cf;;AU)(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;E45795B3-9455-11d1-AEBD-0000F80367C1;;AU)(OA;;RP;e48d0154-bcf8-11d1-8702-00c04fb96050;;AU)(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)(OA;;RP;5f202010-79a5-11d0-9020-00c04fc2d4cf;;RS)(OA;;RPWP;bf967a7f-0de6-11d0-a285-00aa003049e2;;CA)(OA;;RP;46a9b11d-60ae-405a-b7e8-ff8a58d456d2;;S-1-5-32-560)(OA;;WPRP;6db69a1c-9422-11d1-aebd-0000f80367c1;;S-1-5-32-561)
F:\Dev\Perl\TrackADUpds>adfind -h . -sc s:user defaultsecuritydescriptor
AdFind V01.31.00cpp Joe Richards ([EMAIL PROTECTED]) March 2006
Using server: fastmofo.joe.com:389
Directory: Active Directory Application Mode
Base DN: CN=Schema,CN=Configuration,CN={E2327B69-8172-4611-803F-1CBBF85F78FA}
dn:CN=User,CN=Schema,CN=Configuration,CN={E2327B69-8172-4611-803F-1CBBF85F78FA}
defaultSecurityDescriptor: D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)S:
1 Objects returned
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Saturday, April 15, 2006 11:25 AM
To: [email protected]
Subject: Re: [ActiveDir] Property Sets and AD Security woes
Thanks Joe. I'll follow up your book reference [1]...... hopefully the
proceeds will clear up that cough of yours :0) As for the property
sets, it's mildly ironic that it's for Exchange that we're considering
the PhysicalDeliveryOfficeName change and IT turns out to be the most
likely application that stands to suffer from moving away from the
defaults. It would have been nice if MS had not been so free with the
self permissioning and I wonder whether 'greenfield' AD permission
structures are changing in Longhorn?
Cheers for the link... I'll read the chapter and check previous
archive posts as you suggested.
Regards,
Mylo
joe wrote:
This isn't a real simple thing to answer in a quick post. Whole
chapters in books have been written on the subject <cough>look at the
signature[1]</cough>.
Luckily the one of the security related chapters of that book is
available online free... Check it out
http://www.oreilly.com/catalog/actdir3/chapter/ch11.pdf
It talks about some of the options available.
One word of warning is that changing property sets can be troublesome.
It can be done in K3 AD and ADAM with some specific exceptions but
you have to understand everything you are impacting (especially if
using or will eventually use Exchange).
There are several different types of solutions here though
1. Write explicit ACES on every user object. Messy, administratively
intense most likely.
2. Remove the Prop Sets granted to SELF from the schema def and clean
up existing ACLs.
3. Change the property set(s).
4. Use a provisioning system to pull the info from an authoritative (and
protected) source and have it change things back that users are changing.
They all have their own pros and cons. The main thing to think about
when locking down or modifying the prop sets is that you really need
to understand what is using those permissions because you could
quickly make yourself have a very bad day. Also if running Exchange
and you have a Premier support and you want to move properties out of
a property set, it is good to get in writing from Premier that they
will support that configuration. When I last asked them about this
when I wanted to do it they said it would be unsupported.
Anyway, read that chapter, look in the archives for any number of posts
from primarily Guido Grillenmeier or myself as we have both written
oodles on this. Also eventually Guido's book (he is working on with
Jan) will be out as well which will have a lot of AD Security info too.
Also Sakari Kouti (another list denizen) has a great book out there
(Inside Active Directory 2nd Edition) with an amazing security
chapter (chapter 4 if I recall correctly). Come back here with more
questions.
joe
--
[1] O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
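An added example, not part of the thread or of any joeware tool: it parses the User class defaultSecurityDescriptor from Joe's adfind dump above, lists the property sets SELF can write (the permissions Mylo is trying to constrain), and shows what option 2 in Joe's list, dropping the SELF write ACEs from the schema default, would leave behind. USER_DEFAULT_SD is the SELF-related subset of the AD dump's ACEs, ADAM_USER_DEFAULT_SD is the ADAM one verbatim, and the GUID-to-property-set names are an assumed mapping to confirm against your own forest's Extended-Rights container.

```python
import re
# Added example, not from the thread. USER_DEFAULT_SD is the SELF-related subset
# of the ACEs from the Windows Server 2003 User defaultSecurityDescriptor dump
# above (wrapped lines re-joined); ADAM_USER_DEFAULT_SD is the ADAM one verbatim.
USER_DEFAULT_SD = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;AO)"
    "(A;;RPLCLORC;;;PS)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;RPWP;77B5B886-944A-11d1-AEBD-0000F80367C1;;PS)"
    "(OA;;RPWP;E45795B2-9455-11d1-AEBD-0000F80367C1;;PS)"
    "(OA;;RPWP;E45795B3-9455-11d1-AEBD-0000F80367C1;;PS)"
    "(OA;;RP;77B5B886-944A-11d1-AEBD-0000F80367C1;;AU)"
    "(A;;RC;;;AU)"
)
ADAM_USER_DEFAULT_SD = "D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)S:"

# rightsGuid -> property-set name, assumed mapping: confirm it against the
# Extended-Rights container of your own forest before acting on it.
PROPERTY_SETS = {
    "77b5b886-944a-11d1-aebd-0000f80367c1": "Personal-Information",
    "e45795b2-9455-11d1-aebd-0000f80367c1": "Phone-and-Mail-Options",
    "e45795b3-9455-11d1-aebd-0000f80367c1": "Web-Information",
}

def parse_dacl(sddl):
    """Split the D: part of an SDDL string into ACE dicts (SACL and DACL flags ignored)."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))*)", sddl)
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(1) if m else ""):
        ace_type, _flags, rights, obj, _inh, trustee = body.split(";")
        # rights is a run of two-letter codes (RP, WP, CR, ...) unless given as hex
        codes = {rights} if rights.startswith("0x") else {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "rights": codes, "object": obj.lower(),
                     "trustee": trustee, "raw": body})
    return aces

def grants_self_write(ace):
    """True for an object ACE that lets SELF (PS) write the named property set/attribute."""
    return ace["type"] == "OA" and ace["trustee"] == "PS" and "WP" in ace["rights"]

def self_writable_property_sets(sddl):
    """Names (or raw GUIDs) of the object GUIDs SELF can write, sorted."""
    return sorted(PROPERTY_SETS.get(a["object"], a["object"])
                  for a in parse_dacl(sddl) if grants_self_write(a))

def strip_self_writes(sddl):
    """Option 2 from the thread: the DACL rebuilt without the ACEs granting SELF WP (SELF keeps read and change-password)."""
    return "D:" + "".join("(%s)" % a["raw"] for a in parse_dacl(sddl) if not grants_self_write(a))
```

Run self_writable_property_sets against the real dump from your own forest (adfind -sc s:user defaultsecuritydescriptor) to see the full list, and treat the rebuilt string as lab input only, as Joe's Exchange and Outlook warnings apply to it.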
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mylo
Sent: Friday, April 14, 2006 1:44 PM
To: [email protected]
Subject: [ActiveDir] Property Sets and AD Security woes
Hi All,
Quick question.. I'm looking to replace the default permissions that
the Personal-Information property set provides within AD, having
established that the PhysicalDeliveryOfficeName (Office) attribute
falls under this set... I was originally planning on doing this with
dsacls against the parent OU, in order to prevent ordinary users
changing its value.... a few hours of testing later and a little
wiser, I've noticed that SELF sort of screws my plans up here as
explicit permissions are taking precedence over inherited ones.. no
surprise there but I'm now thinking of changing the Default Property
Sets within AD (test first then production)... has anyone had any
experience or success out of attempting to constrain (SELF) user
access to specific attributes.....
is the default property set approach the best/only way or is there a
simpler solution? Hint: I'm trying to stop users changing attributes
via tools such as GALMOD32.
Appreciate any feedback!
Many thanks,
Mylo
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/