Well, this is possible with 3rd party apps. I'm actually
looking at some right now (the link below contains one such
vendor).
All changes can be made offline and the ultimate 'make it
so' action needs to be approved and can be configured to occur within the
context of a service account.
... the 'undo it all' button exists too
:)
Darren has great ideas and has published some great
utilities - he's competing with the big boys if he goes it alone though
:)
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2006 14:28
To: [email protected]
Subject: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
Yep. Now if we could just make it illegal to operate a GPO
without a license or required the gomers of the world to get someone to drive
them... Or if in order to enable powerful things you had prove you knew how to
undo them or what they actually meant. We need a "completely undo everything I
just screwed up" button and it needs to be big, red and
blinking.
I am looking forward to great things out of (last
item)
I know this ol mucker has some good
ideas.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, May 18, 2006 3:58 AM
To: [email protected]
Subject: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
Totally agree joe, and that's why 3rd party vendors offer
GPO mgmt tools and why Longhorn (or later) may introduce similar tools
(allegedly).
That aspect is badly needed in the world of GPOs
:)
neil
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 18 May 2006 01:17
To: [email protected]
Subject: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
Don't you love GPOs?
I was just chatting with a good friend about them the other
day about GPOs. Seems someone modified a GPO (allegedly only one small unrelated
thing) and all of a sudden the NIC was broken and clustering was screwed and all
sorts of stuff was happening. This prompted me to say something like... GPOs are
a great technology that make it possible to easily do things you could already
fairly easily do (and were doing) if you knew how to properly automate things
like many large enterprise admins already do daily. So basically they make it so
gomers could also easily do this stuff too but the sad thing is that it wasn't
set up in a way to be safe for gomers to use (i.e. easy to hurt themselves). So
the one main group of people who have to use it are the one main group of people
you really don't want to see use it.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Monday, May 15, 2006 3:05 PM
To: [email protected]
Subject: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it important
GREP?
Whats GREP! ;-)
Great
idea - forgot about that one.
GPOs
are really a big point here - I've seen an enterprise going down because of
that.
GPMC
with backup / import (instead of backup / restore) might help here as
well.
Gruesse - Sincerely,
Ulf B. Simon-Weidner
Profile
& Publications: http://mvp.support.microsoft.com/profile="">
Weblog: http://msmvps.org/UlfBSimonWeidner
Website: http://www.windowsserverfaq.org
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, May 15, 2006 3:56 PM
To: [email protected]
Subject: RE: [ActiveDir] Group Name (Pre-Win2k) - Is it importantWindows itself will mostly not have an issue if you don't. Some things that might are custom scripts, batch files, tools, applications, etc that you have written to use those names. The one place I can think of off the top of my head that might have an issue in Windows is if you have set up restricted groups and didn't browse for the group name and instead, simply typed it in, the restricted group may be specified by legacy name instead of SID in the policy files. You can easily find this by GREPping your sysvol with an ID that has suitable permissions to see all policies files for the string that represents the group name. If you know you have used the group that way you may also want positive affirmation that is isn't there by name by also GREPping by the SID.joe
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Teo De Las Heras
Sent: Monday, May 15, 2006 8:42 AM
To: [email protected]
Subject: [ActiveDir] Group Name (Pre-Win2k) - Is it importantWe're making changes to group names in Active Directory. Is it important to keep the Pre-Win2k names the same?Teo
PLEASE READ: The
information contained in this email is confidential and
intended for the
named recipient(s) only. If you are not an intended
recipient of this
email please notify the sender immediately and delete your
copy from your
system. You must not copy, distribute or take any further
action in reliance
on it. Email is not a secure method of communication and
Nomura International
plc ('NIplc') will not, to the extent permitted by law,
accept
responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence
of any virus, worm or similar malicious or disabling
code in, this
message or any attachment(s) to it. If verification of this
email is sought then
please request a hard copy. Unless otherwise stated
this email: (1) is
not, and should not be treated or relied upon as,
investment research;
(2) contains views or opinions that are solely those of
the author and do
not necessarily represent those of NIplc; (3) is intended
for informational
purposes only and is not a recommendation, solicitation or
offer to buy or sell
securities or related financial instruments. NIplc
does not provide
investment services to private customers. Authorised and
regulated by the
Financial Services Authority. Registered in England
no. 1550505 VAT No.
447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A
member of the Nomura group of companies.
PLEASE READ: The information contained in this email is confidential and
intended for the named recipient(s) only. If you are not an intended
recipient of this email please notify the sender immediately and delete your
copy from your system. You must not copy, distribute or take any further
action in reliance on it. Email is not a secure method of communication and
Nomura International plc ('NIplc') will not, to the extent permitted by law,
accept responsibility or liability for (a) the accuracy or completeness of,
or (b) the presence of any virus, worm or similar malicious or disabling
code in, this message or any attachment(s) to it. If verification of this
email is sought then please request a hard copy. Unless otherwise stated
this email: (1) is not, and should not be treated or relied upon as,
investment research; (2) contains views or opinions that are solely those of
the author and do not necessarily represent those of NIplc; (3) is intended
for informational purposes only and is not a recommendation, solicitation or
offer to buy or sell securities or related financial instruments. NIplc
does not provide investment services to private customers. Authorised and
regulated by the Financial Services Authority. Registered in England
no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,
London, EC1A 4NP. A member of the Nomura group of companies.
