RE: [ActiveDir] AD, Logon times & Custom messages

2003-07-08 Thread Roger Seielstad

The right tool for this job might just be the StIcK(tm) ;)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 1:20 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  The right tool for the right job. I do not think the place you are
  looking at is the right place for this job. May I suggest ISA server,
  or similar web filter programs.

  HTH

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon

    From: [EMAIL PROTECTED] on behalf of Roger Seielstad
    Sent: Mon 7/7/2003 8:59 AM
    To: '[EMAIL PROTECTED]'
    Subject: RE: [ActiveDir] AD, Logon times & Custom messages

    The reject should be logged automatically, but I haven't checked for
    sure.

    --
    Roger D. Seielstad - MTS MCSE MS-MVP
    Sr. Systems Administrator
    Inovis Inc.

      -----Original Message-----
      From: Mr Clark [mailto:[EMAIL PROTECTED]]
      Sent: Monday, July 07, 2003 10:52 AM
      To: [EMAIL PROTECTED]
      Subject: RE: [ActiveDir] AD, Logon times & Custom messages

      Well, I just wanted to customize the message for my kids when they
      try to *sneak* on the computer during the middle of the night. :)

      As another thought, is there a way to "log" when someone tries to
      sign on at a restricted time?

      Charlie

        -----Original Message-----
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
        Roger Seielstad
        Sent: Monday, July 07, 2003 09:43
        To: '[EMAIL PROTECTED]'
        Subject: RE: [ActiveDir] AD, Logon times & Custom messages

        Best guess is that you cannot modify the message.

        As is pretty much standard for that type of message in Microsoft
        products, it's coded into a DLL, and the only supportable way to
        do that would be to engage Microsoft Consulting Services to modify
        the DLL.

        However, since I believe that's part of the LSASS process on the
        client, and that gets patched somewhat regularly by service packs,
        etc., you'd have to re-engage them for every new service pack.
        IMO, it's not worth it.

        What are you trying to accomplish?

        --
        Roger D. Seielstad - MTS MCSE MS-MVP
        Sr. Systems Administrator
        Inovis Inc.

          -----Original Message-----
          From: Mr Clark [mailto:[EMAIL PROTECTED]]
          Sent: Monday, July 07, 2003 9:36 AM
          To: [EMAIL PROTECTED]
          Subject: [ActiveDir] AD, Logon times & Custom messages

          Greetings all.
          I'm new to the list and very new to AD.

          I have successfully set up my server for our LAN. DNS functions
          correctly (so far, no error messages), etc.

          The question I would like to start off with first is this:

          Under Active Directory, you can specify Logon times for a user.

          What I would like to know is this:
          Can you customize the message that comes up when a user tries
          to logon during the prohibited time?

          I haven't seen this listed in the MSKB, and I didn't turn up
          anything via google.

          TIA

          Charlie

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] AD, Logon times & Custom messages

2003-07-08 Thread Mr Clark

And what, exactly, would be StIcK?

How would ISA server, or a web filter program, change/customize the logon message?

Thanks.

  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
  Sent: Tuesday, July 08, 2003 06:43
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  The right tool for this job might just be the StIcK(tm) ;)

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

RE: [ActiveDir] Taking DC Offline

2003-07-08 Thread GRILLENMEIER,GUIDO (HP-Germany,ex1)

Nice tool Joe, but you should add a time filter. In an attack scenario (be it hacker or auditors), you don't necessarily want to unlock all the locked accounts you find; instead you want to unlock the ones that were locked after a specific time (this is the approach I took: using a UI you select the users you wish to unlock). However, unlocking all is better than unlocking none.

/Guido



From: Joe [mailto:[EMAIL PROTECTED]]
Sent: Monday, 7 July 2003 21:26
To: [EMAIL PROTECTED]

Check out unlock at www.joeware.net. It's free, it's fast. Will display locked accounts or unlock them. Saves you the scripting time... Plus it runs faster than any script I have seen.

:o)

As for those folks doing the testing, if it isn't security running those password check tools, it is hacking. Treat the admins accordingly.

 
joe

  
  -----Original Message-----
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of GRILLENMEIER,GUIDO (HP-Germany,ex1)
  Sent: Monday, July 07, 2003 9:41 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Taking DC Offline

  In a way you should be happy they asked you, before just running a password guessing tool against the domain... Of course that won't necessarily be destructive, unless you have configured Account Lockout for X nr. of logons, which I always advise my customers to do.

  But if your AD domain spans multiple countries/locations or simply a large population of users (which might previously have been separate NT domains), you're suddenly very vulnerable after all... I've seen auditors from one location run their magic tools, unannounced to any admin, against the AD domain spanning the United States. Voila, just like an attack from a hacker, that domain quickly ceased to work for any user, with logins and eMail etc. failing all over the place (thankfully admin accounts were hidden in AD and thus not known to the tool used by the auditors).

  Wasn't hard to find the issue and yell at the folks, but try to quickly revert the status of many hundreds of locked out users... So now we're prepared for these situations via a scripting solution. I would suggest everyone prepare something for their own environment as well. Nothing like being caught off guard.

  /Guido
  
  
  
    From: Simpsen, Paul A. (HSC) [mailto:[EMAIL PROTECTED]]
    Sent: Monday, 7 July 2003 03:25
    To: [EMAIL PROTECTED]

    The whole purpose of this is all political. It has already been decided to enable password complexity, but to help make the campus more agreeable (we are an edu!) our Security director wants to shoot them some stats: the % of PWs that they could crack, etc. Why this is good for you, you know the deal. I'm still hoping my boss will see the light and just say no! :)

    Thanks for all the responses, there might be some other options.

    Paul
  
  
      -----Original Message-----
      From: Rick Kingslan [mailto:[EMAIL PROTECTED]]
      Sent: Friday, July 04, 2003 4:51 PM
      To: [EMAIL PROTECTED]
      Subject: RE: [ActiveDir] Taking DC Offline

      Paul,

      I'm somewhat mystified by the request. I might be completely missing the point, but unless the scan is going to be destructive, what is the value of giving the Security Director a DC that has been taken off-line? I do agree with what others have said here to this point (remove connection objects, clean up the objects from the DIT via NTDSUTIL, etc.), but the value of the work that is being done is still questionable. The DC is no longer in your environment, which from the standpoint of testing the security or the password complexity, makes it no longer a viable environment to do such.

      And, if the process is going to be destructive, is this something that they will want to do on a quarterly basis (again with questionable value in the security realm)? Also, do your Security Analysts already have Administrative context access? If not, all passwords of this type should be nulled out. Even if they do, those that are not theirs should be erased as well.

      Rick Kingslan MCSE, MCSA, MCT
      Microsoft MVP - Active Directory
      Associate Expert
      Expert Zone - www.microsoft.com/windowsxp/expertzone
  
  
  
  
  
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Simpsen, Paul A. (HSC)
        Sent: Thursday, July 03, 2003 4:32 PM
        To: [EMAIL PROTECTED]
        Subject: [ActiveDir] Taking DC Offline

        Our Security Director has requested that we build a temporary DC for his group. They want to take it offline and audit the current password complexity and strength. This DC will never return to the domain so I will have to manually remove the replication connections in the NTDS settings for each repl partner, plus the DNS records created. I'm just wondering if I'm missing something obvious and that this might not be such a good idea. Possibility of

RE: [ActiveDir] Taking DC Offline

2003-07-08 Thread Steve Rochford

I know that your program is far better than any script, but an unlock script is easy to do and might give a starting point to people wanting to write scripts. What I've done before is:

    net user > users.txt

Load the users.txt file into Excel and remove the header/footer. Make the 3 columns one longer column of users.

Now add a formula in (say) B1 which does

    ="net user " & A1 & " /active:yes"

Fill this down, copy it to Notepad and save it as a .cmd file.

It's hardly elegant but it's easy to create and might get people thinking about other things which can be done easily with a batch file :-)

Steve

  
  -----Original Message-----
  From: Joe [mailto:[EMAIL PROTECTED]]
  Sent: 07 July 2003 20:26
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Taking DC Offline

  Check out unlock at www.joeware.net. It's free, it's fast. Will display locked accounts or unlock them. Saves you the scripting time... Plus it runs faster than any script I have seen.

  :o)
  


RE: [ActiveDir] AD, Logon times & Custom messages

2003-07-08 Thread Roger Seielstad

The StIcK(tm) is a wonderful tool for addressing those issues which aren't quite technological in nature. It's generally applied, somewhat liberally, by a trained professional.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


  
  -----Original Message-----
  From: Mr Clark [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 7:47 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  And what, exactly, would be StIcK?

  How would ISA server, or a web filter program, change/customize the logon message?

  Thanks.
  

Re: [ActiveDir] AD, Logon times & Custom messages

2003-07-08 Thread jim . katoe

My father must have had a PhD in StIcK(tm).
--
Sent from my BlackBerry Wireless Handheld

  ----- Original Message -----
  From: ActiveDir-owner
  Sent: 07/08/2003 08:55 AM
  To: '[EMAIL PROTECTED]' <[EMAIL PROTECTED]>
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  The StIcK(tm) is a wonderful tool for addressing those issues which aren't quite technological in nature. It's generally applied, somewhat liberally, by a trained professional.

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.


  

RE: [ActiveDir] Identity Management using AD

2003-07-08 Thread Myrick, Todd (NIH/CIT)

We are in the process of evaluating MIIS here, and AD is currently our source for authentication information. For Enterprise applications, we are using a custom database running on Critical Path to sync with other application directories, and get a metaview of the information for identity management. Currently no one allows the metaview write access anywhere.

I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.

To build on what Gil wrote, the reason why SQL server was used to store identity information was probably because it was a metaview of all the relevant data needed to construct an employee, including privacy information. Active Directory doesn't need access to privacy information (SSN#, DOB, etc.) nor do many LDAP applications. The nice thing about MIIS is that it can create that metaview for you and store it in a SQL server. So if your privacy information is only stored in the HR system and Payroll, then you can set ACLs on the info so only those systems get that info.

If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principles. Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.

Todd

  
  -----Original Message-----
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
  Sent: Monday, July 07, 2003 5:30 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Identity Management using AD

  MSFT internally uses SQL Server as the authoritative store for identity information, and populates AD from that.

    -----Original Message-----
    From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
    Sent: Thursday, July 03, 2003 7:00 AM
    To: [EMAIL PROTECTED]
    Subject: [ActiveDir] Identity Management using AD
All,

We are in the process of redefining our 
Internet-enabled applications with a view to a centralised customer/client 
database. There has been quite a bit of discussion regarding using AD 
as this "customer store", since AD will already be in this 
environment.

I'm a bit hesitant to recommend "vanilla" AD 
for this task, however I can see a number of benefits to this approach, as 
the support monkeys can manage the entire environment using the same tools 
they use to manage the production environment (ADUC etc).

I've been reading up on the information 
regarding MIIS (what little there is), and can see some potential for a 
configuration such as this, eg:

- Use AD to store the "core" customer 
information (user name, password, basic details)
- Use ADAM or SQL (or whatever) for each 
application to store application specific extensions (so I don't end up with 
a blown out schema in AD with thousands of additional props for user 
objects)
- Use MIIS as the Authentication / Identity 
management front end, and use it to sync these disparate databases to ensure 
some semblance of "sameness" between them.
- Also use some of the MIIS features such as 
provisioning etc to ease the management overhead.

Applications could use AD to authenticate the 
customer coming in, and then use their ADAM database to house the 
application specific information they need.

We could possibly then use MIIS to 
"backchannel" into the production AD system, so that corporate users can 
gain access to these Internet applications without requiring multiple 
accounts.

This is all just brainstorming at the moment, 
however (as usual), I need to come up with some sort of design by next week 
(gotta love being given lots of time *grin*). Having not actually got 
my hands on MIIS, this could be completely unfeasible. Other options 
are a custom database for the "customer store", or some other existing 
product.

Has anyone been down this road before, and 
could share some insights / resources ?

Thanks

Glenn





RE: [ActiveDir] AD DOS vulnerability

2003-07-08 Thread Myrick, Todd (NIH/CIT)
Excellent info!

Keep this stuff coming.

I also use the GPO to enforce group memberships as well as some registry
tips.  I plan to write a story on my Blog soon that talks about this
information.  I will send you the URL when the blog starts to take shape.


Todd

-Original Message-
From: Darren Mar-Elia [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 07, 2003 7:11 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability


Rick-
Glad to help! One thing I've played around with on this is some low-tech
methods for slowing down potential exploits of this. For example, I've used
Services security in Group Policy to disable the Scheduler service on all
DCs and then permissioned it so that only Enterprise Admins could start it
up. I've also set up a loopback policy on all DCs that used Admin. Template
settings to prevent anyone except Enterprise Admins from loading the
ADSIEdit & Schema Manager MMC snap-ins on a DC. You could probably do even
more with software restriction policy here.

This by no means prevents the issue and the extra crafty admin can
probably find ways around it, but it slows down the most obvious routes of
exploitation, which is worth something :-)



-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED] 
Sent: Monday, July 07, 2003 3:08 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability


Darren,

Thanks for providing the clarity.  No intent to be 'stealthy' about the
vulnerability, but - frankly, I couldn't think of the proper words at the
moment.

Rick Kingslan  MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
  

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Darren Mar-Elia
Sent: Monday, July 07, 2003 1:37 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD DOS vulnerability

I think this refers to the issue recently identified where a member of the
Domain Admins group, with access to a domain controller within a domain in
the forest, could, for example, start a process within the security context
of LocalSystem (e.g. using the AT scheduler), and thus gain privileged
access to the schema and configuration naming contexts that they weren't
granted explicitly. 

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 6:25 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD DOS vulnerability


Could you expand on what the specific vulnerability is there? I've not heard
that terminology before.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Rick Kingslan [mailto:[EMAIL PROTECTED]
 Sent: Friday, July 04, 2003 5:42 PM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] AD DOS vulnerability
 
 
 Joe,
 
 Unfortunately, one of the biggest issues with AD can't be addressed
 with an upgrade, and that's the Security vulnerability from
 cross-domain admins.
 Looking to NetPro's monitoring tool to aid in this as a 
 'burglar alarm'.
 
 Rick Kingslan  MCSE, MCSA, MCT
 Microsoft MVP - Active Directory
 Associate Expert
 Expert Zone - www.microsoft.com/windowsxp/expertzone
   
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Joe
 Sent: Friday, July 04, 2003 10:21 AM
 To: [EMAIL PROTECTED]
 Subject: RE: [ActiveDir] AD DOS vulnerability
 
 Also note that there is another D.O.S. capable bug that SP4 fixes if I
 recall correctly. It was something with referrals.

 Note that there are several things that can be done to W2K AD by a
 bright programmer with internal access who has had a chance to sit
 back and think about it that can hurt AD. Some only require having an
 account in AD, some requiring a machine account. Won't give details
 here or anywhere due to social conscience and not willing to expose
 shit that could hurt me personally but they are there... Move to W2K3
 when you can as that may help based on some of the newer docs I have
 seen.

 I agree with what everyone else has said on SP4... Test test test,
 then deploy. When you do have an issue, post back here or in the
 newsgroups so others can learn of the experience. Even if you call MS
 and they say, nope, no one is having that issue. I have found that
 they know of things but won't come fully forward with them until some
 minimum number of customers/people have complained.
 
 
 
 
 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd
 (NIH/CIT)
 Sent: Thursday, July 03, 2003 10:04 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: [ActiveDir] AD DOS vulnerability
 
 
 Thanks Everyone for the great information. We have already begun
 patching the systems as a result of the information from the list.
 
 Todd Myrick
 
 -Original Message-
 From: Robert Moir [mailto:[EMAIL PROTECTED]
 Sent: 

RE: [ActiveDir] AD, Logon times & Custom messages

2003-07-08 Thread Puckett, Richard


Well, a couple of solutions exist here:

1. You can set a generic notification at logon time:
   Start > Programs > Administrative Tools > Local Security Policy > Local
   Policies > Security Options > Message text/title for users attempting to
   log on

   You could say something menacing like "I know what you're doing, so don't
   even try it..." :-)

2. Enable auditing for the success & failure of logon events:
   Start > Programs > Administrative Tools > Local Security Policy > Local
   Policies > Audit Policy > Audit logon events / Audit account logon events

   This will enable the generation of event entries in the security event
   log, events like:
   - 530 (Failure Audit) Account logon time restriction violation
   - 529 (Failure Audit) Unknown user name or bad password
   - 537 (Failure Audit) An error occurred during logon

3. You can easily retrieve these events either by manual perusal of the
   event logs (a tedious job), or with freeware tools like Mark Russinovich's
   PSLogList (http://www.sysinternals.com/ntw2k/freeware/psloglist.shtml), or
   with a bit of VBS:


' Connect to WMI on the local machine and enable the privilege needed to read
' the Security log
strComputer = "."
Set objWMIService = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" _
    & strComputer & "\root\cimv2")
objWMIService.Security_.Privileges.AddAsString "SeSecurityPrivilege"

' Pull every logon-hours violation (event 530) out of the Security log
Set colLoggedEvents = objWMIService.ExecQuery("SELECT * FROM " _
    & "Win32_NTLogEvent WHERE Logfile='Security' AND EventCode='530'")

For Each objEvent In colLoggedEvents
    Wscript.Echo "     Category: " & objEvent.Category
    Wscript.Echo "Computer Name: " & objEvent.ComputerName
    Wscript.Echo "   Event Code: " & objEvent.EventCode
    Wscript.Echo "      Message: " & objEvent.Message
    Wscript.Echo "Record Number: " & objEvent.RecordNumber
    Wscript.Echo "  Source Name: " & objEvent.SourceName
    Wscript.Echo " Time Written: " & objEvent.TimeWritten
    Wscript.Echo "   Event Type: " & objEvent.Type
    Wscript.Echo "         User: " & objEvent.User
Next

If you're *really* paranoid, you can register a temporary event consumer
using WMI to keep a sleeper thread active to the Security event log, and
have it e-mail (or page) you in the event it encounters restricted logon
activity.  If you'd like to initiate a less passive course of action, you
can actually have the system shut itself down each time it encounters this
(again, using WMI).  There's plenty o' data on registering consumers on
MSDN, or you can simply activate a script like the one below through a batch
file at system startup.

# developed on Windows XP
#! c:\perl\bin\perl.exe -w

use strict;
use Win32;
use Win32::OLE qw(in);
use Win32::OLE::Const 'Microsoft CDO 1.21 Library';   # kept from the original post
use Net::SMTP;   # added for the reconstructed e_mail sub at the bottom

$Win32::OLE::Warn = 3;

my $smtpsrvr = "mailserver.company.com";
my $fromaddr = "[EMAIL PROTECTED]";
my $recpaddr = "[EMAIL PROTECTED]";
my $computer = Win32::NodeName();

# Subscribe to new Security-log records as they are written.  552 is "logon
# attempt using explicit credentials"; for the logon-hours violations the VBS
# above looks for, use EventCode='530' here instead.
my $query  = "SELECT * FROM __instancecreationevent ";
   $query .= "WHERE targetinstance ISA 'Win32_NTLogEvent' ";
   $query .= "AND targetinstance.Logfile='Security' ";
   $query .= "AND targetinstance.EventCode='552'";

my $events =
    Win32::OLE->GetObject("WinMgmts:{impersonationLevel=impersonate,(security)}")
              ->ExecNotificationQuery($query)
    || die Win32::OLE->LastError;

print "Polling for new Security Events...\n";

while (my $event = $events->NextEvent) {    # blocks until a matching event arrives
    my $inst = $event->TargetInstance;
    print "-" x 75, "\n";

    my $evtid = $inst->{EventCode};
    print "        EventCode: " . $evtid . "\n";
    print "         Category: " . $inst->{Category} . "\n";
    print "   CategoryString: " . $inst->{CategoryString} . "\n";
    print "     ComputerName: " . $inst->{ComputerName} . "\n";
    #print "            Data: " . $inst->{Data} . "\n";
    print "  EventIdentifier: " . $inst->{EventIdentifier} . "\n";
    # InsertionStrings arrives as an array reference (the %1..%n message parameters)
    print " InsertionStrings: " . join(", ", @{ $inst->{InsertionStrings} || [] }) . "\n";
    print "          Logfile: " . $inst->{Logfile} . "\n";
    print "     RecordNumber: " . $inst->{RecordNumber} . "\n";
    print "       SourceName: " . $inst->{SourceName} . "\n";
    print "    TimeGenerated: " . $inst->{TimeGenerated} . "\n";
    print "      TimeWritten: " . $inst->{TimeWritten} . "\n";
    print "             Type: " . $inst->{Type} . "\n";
    print "             User: " . $inst->{User} . "\n";
    #print "          Message: " . $inst->{Message} . "\n";

    print "-" x 75, "\n";

    # Send off an e-mail about the captured event...
    my $time = scalar(localtime());
    e_mail($smtpsrvr,
           $fromaddr,
           $recpaddr,
           "Event $evtid was generated on $computer on $time",
           $inst->{Message});

    print "Polling for new Security Events...\n";
}

#---

# The body of e_mail was cut off in the archived message; this minimal
# Net::SMTP version is an editor's reconstruction, not the original author's code.
sub e_mail {
    my ($server, $from, $to, $subject, $body) = @_;
    my $smtp = Net::SMTP->new($server) or die "cannot connect to $server: $@";
    $smtp->mail($from);
    $smtp->to($to);
    $smtp->data();
    $smtp->datasend("From: $from\n");
    $smtp->datasend("To: $to\n");
    $smtp->datasend("Subject: $subject\n\n");
    $smtp->datasend("$body\n");
    $smtp->dataend();
    $smtp->quit;
}
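Once the 529/530/537 records are out of the Security log, the next step is deciding which ones deserve attention. The following is an added example, not code from the list post: it parses the CIM DATETIME and the Message text that Win32_NTLogEvent returns (the same fields the VBS above echoes) and flags a single logon-hours violation, a burst of bad passwords for one account, or an unexplained logon error. The event records, account names and host name are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Failure-audit event IDs named in the post (Windows 2000/XP Security log).
FAILURE_REASONS = {
    529: "Unknown user name or bad password",
    530: "Account logon time restriction violation",
    537: "An error occurred during logon",
}


def parse_cim_datetime(value):
    """Turn a WMI CIM DATETIME (yyyymmddHHMMSS.ffffff+UUU) into an aware datetime.
    TimeWritten/TimeGenerated use this form; UUU is the UTC offset in minutes."""
    m = re.fullmatch(r"(\d{14})\.(\d{6})([+-])(\d{3})", value)
    if not m:
        raise ValueError("not a CIM DATETIME: %r" % value)
    naive = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    naive = naive.replace(microsecond=int(m.group(2)))
    offset = int(m.group(4)) * (1 if m.group(3) == "+" else -1)
    return naive.replace(tzinfo=timezone(timedelta(minutes=offset)))


def parse_message_fields(message):
    """Collect the 'Key:<tab>Value' lines of a logon-failure Message into a dict."""
    fields = {}
    for line in message.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def triage(events, window=timedelta(minutes=15), threshold=3):
    """Return findings for the failure audits in `events`.
    Every 530 is reported on its own (one logon outside the permitted hours is
    what the poster wants to hear about).  529s are counted per (user, domain,
    workstation) and reported once `threshold` fall inside `window`, which
    separates a mistyped password from repeated guessing.  537s carry no
    reason, so they are reported as 'look at this'."""
    findings = []
    attempts = defaultdict(list)  # who -> timestamps of recent 529s
    for ev in sorted(events, key=lambda e: parse_cim_datetime(e["TimeWritten"])):
        code = int(ev["EventCode"])
        if code not in FAILURE_REASONS:
            continue  # e.g. 528 (successful logon) or 538 (logoff)
        when = parse_cim_datetime(ev["TimeWritten"])
        f = parse_message_fields(ev["Message"])
        who = (f.get("User Name", "?"), f.get("Domain", "?"),
               f.get("Workstation Name", ev["ComputerName"]))
        finding = {"who": who, "when": when, "host": ev["ComputerName"],
                   "reason": FAILURE_REASONS[code]}
        if code == 530:
            findings.append(dict(finding, kind="logon-hours"))
        elif code == 529:
            recent = attempts[who]
            recent.append(when)
            while recent and when - recent[0] > window:
                recent.pop(0)  # slide the window forward
            if len(recent) == threshold:  # report when the threshold is crossed
                findings.append(dict(finding, kind="bad-password-burst", count=len(recent)))
        else:
            findings.append(dict(finding, kind="logon-error"))
    return findings


def _message(reason, user, domain, logon_type, workstation):
    """Constructed Message text in the layout Windows 2000/XP uses for 529/530."""
    return ("Logon Failure:\n\tReason:\t\t%s\n\tUser Name:\t%s\n\tDomain:\t\t%s\n"
            "\tLogon Type:\t%s\n\tLogon Process:\tUser32\n"
            "\tAuthentication Package:\tNegotiate\n\tWorkstation Name:\t%s"
            % (reason, user, domain, logon_type, workstation))


# Constructed sample records in the shape Win32_NTLogEvent returns; the times
# are the early hours of 2003-07-08 in a UTC-4 zone (offset -240 minutes).
SAMPLE_EVENTS = [
    {"EventCode": "530", "ComputerName": "HOMESRV", "TimeWritten": "20030708021500.000000-240",
     "Message": _message(FAILURE_REASONS[530], "charlie_jr", "HOME", "2", "HOMESRV")},
    {"EventCode": "529", "ComputerName": "HOMESRV", "TimeWritten": "20030708021700.000000-240",
     "Message": _message(FAILURE_REASONS[529], "charlie", "HOME", "2", "HOMESRV")},
    {"EventCode": "538", "ComputerName": "HOMESRV", "TimeWritten": "20030708021710.000000-240",
     "Message": "User Logoff:\n\tUser Name:\tcharlie\n\tDomain:\t\tHOME\n\tLogon Type:\t2"},
    {"EventCode": "529", "ComputerName": "HOMESRV", "TimeWritten": "20030708021730.000000-240",
     "Message": _message(FAILURE_REASONS[529], "charlie", "HOME", "2", "HOMESRV")},
    {"EventCode": "529", "ComputerName": "HOMESRV", "TimeWritten": "20030708021805.000000-240",
     "Message": _message(FAILURE_REASONS[529], "charlie", "HOME", "2", "HOMESRV")},
    {"EventCode": "537", "ComputerName": "HOMESRV", "TimeWritten": "20030708023000.000000-240",
     "Message": "Logon Failure:\n\tReason:\t\tAn error occurred during logon\n"
                "\tUser Name:\tsvc_backup\n\tDomain:\t\tHOME\n\tLogon Type:\t5"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["when"].isoformat(), f["kind"], "%s\\%s" % (f["who"][1], f["who"][0]),
              "from", f["who"][2], "on", f["host"])
```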

RE: [ActiveDir] AD, Logon times & Custom messages

2003-07-08 Thread Myrick, Todd (NIH/CIT)

I ordered 10 StIcK's (tm) and they work great. I name my StIcK's for the
special purposes they serve. The best thing is one size fits all!

Toddler

  
  -Original Message-
  From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 8:56 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  The StIcK(tm) is a wonderful tool for addressing those issues which aren't
  quite technological in nature. It's generally applied, somewhat liberally,
  by a trained professional.

  Roger
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

-Original Message-
From: Mr Clark [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, July 08, 2003 7:47 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD, Logon times & Custom messages

And what, exactly, would be StIcK?

How would ISA server, or a web filter program, change/customize the logon
message?
Thanks.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
Sent: Tuesday, July 08, 2003 06:43
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] AD, Logon times & Custom messages

The right tool for this job might just be the StIcK(tm) ;)

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 1:20 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  The right tool for the right job. I do not think the place you are looking
  at is the right place for this job. May I suggest ISA server, or similar
  web filter programs. HTH

  Sincerely,
  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about
  Yesterday? -anon

  From: [EMAIL PROTECTED] on behalf of Roger Seielstad
  Sent: Mon 7/7/2003 8:59 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  The reject should be logged automatically, but I haven't checked for sure.
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

  -Original Message-
  From: Mr Clark [mailto:[EMAIL PROTECTED]]
  Sent: Monday, July 07, 2003 10:52 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  Well, I just wanted to customize the message for my kids when they try to
  *sneak* on the computer during the middle of the night. :) As another
  thought, is there a way to "log" when someone tries to sign on at a
  restricted time?

  Charlie

  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Roger Seielstad
  Sent: Monday, July 07, 2003 09:43
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  Best guess is that you cannot modify the message. As is pretty much
  standard for that type of message in Microsoft products, it's coded into a
  DLL, and the only supportable way to do that would be to engage Microsoft
  Consulting Services to modify the DLL. However, since I believe that's part
  of the LSASS process on the client, and that gets patched somewhat
  regularly by service packs, etc, you'd have to re-engage them for every new
  service pack. IMO, it's not worth it. What are you trying to accomplish?
  --
  Roger D. Seielstad - MTS MCSE MS-MVP
  Sr. Systems Administrator
  Inovis Inc.

  -Original Message-
  From: Mr Clark [mailto:[EMAIL PROTECTED]]
  Sent: Monday, July 07, 2003 9:36 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] AD, Logon times & Custom messages

  Greetings all. I'm new to the list and very new to AD. I have successfully
  set up my server for our LAN. DNS functions correctly (so far, no error
  messages), etc. The question I would like to start off with first is this:
  Under Active Directory, you can specify Logon times for a user. What I
  would like to know is this: Can you customize the message that comes up
  when a user tries to logon during the prohibited time? I haven't seen this
  listed in
  

OT Re: [ActiveDir] SP4

2003-07-08 Thread Brad Mccrillis
We run application center and SP4 seems to corrupt MSSQL$MSAC. To correct it is easy 
enough, you uninstall MSDE through app center install and then re-install and re-apply 
MSDE SP2.

 [EMAIL PROTECTED] 07/07/03 03:40PM 
Anyone installed SP4 yet on their DC's?
If so, have you had any issues?
 
 
Don L. Murawski
Sr. Network Administrator
WorldTravel BTI
Phone: (404) 923-9468
Fax: (404) 949-6710
Cell: (678) 549-1264
 


--
Confidentiality Note:  This message is intended for use only by the individual or 
entity to which it is addressed and may contain information that is privileged, 
confidential, and exempt from disclosure under applicable law.  If the reader of this 
message is not the intended recipient or the employee or agent responsible for 
delivering the message to the intended recipient, you are hereby notified that any 
dissemination, distribution or copying of this communication is strictly prohibited.  
If you have received this communication in error,  please contact the sender 
immediately and destroy the material in its entirety, whether electronic or hard copy. 
 Thank you.
==

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/


RE: [ActiveDir] Taking DC Offline

2003-07-08 Thread Myrick, Todd (NIH/CIT)

Why not use a tool like Aelita's InTrust
(http://www.aelita.com/products/InTrust.htm) to run the scans against the
production environment? I would also mention BV-Control, but I am mad at
BindView right now and don't want to promote their products. (Long story.) It
would be less intrusive into your environment... also lets you get a pretty good
tool, all in the name of better security.

I would make the argument that standing up DC's and taking them down is not a
good practice for production AD's due to the clean-up and potential for the
data to be compromised outside of the datacenter. An Active Directory domain's
security is only as good as the security of the datacenter the DC's are hosted
in and the physical DC's themselves. Standing up and taking down DC's in the
name of better security only complicates operations. Does this security
director know the EA password or the Domain Admin passwords? If he doesn't, he
will using this method. Also, do you plan to run only one security scan? To
make security operations more useful, scans should be run several times a
year, and data collected over time. Things like when the account was last
accessed, how many times an account logs in badly or gets locked out, etc. are
more useful than just whether the password is complex enough.

Also, I wouldn't run a password guessing tool against a domain if you have
account lockouts enabled. Could make the helpdesk revolt.

In the name of politics I understand your dilemma; I just want to fuel your
argument for not doing this all the time due to the impact on operations.

Power to the AD admins...

Toddler

  
  -Original Message-
  From: GRILLENMEIER,GUIDO (HP-Germany,ex1) [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 8:33 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Taking DC Offline

  Nice tool Joe, but you should add a time filter. In an attack scenario (be
  it hacker or auditors), you don't necessarily want to unlock all the locked
  accounts you find; instead you want to unlock the ones that were locked
  after a specific time (this is the approach I took: using a UI you select
  the users you wish to unlock). However, unlocking all is better than
  unlocking none.

  /Guido

  From: Joe [mailto:[EMAIL PROTECTED]]
  Sent: Monday, 7 July 2003 21:26
  To: [EMAIL PROTECTED]

  Check out unlock at www.joeware.net. It's free, it's fast. Will display
  locked accounts or unlock them. Saves you the scripting time... Plus it
  runs faster than any script I have seen.

  :o)

  As for those folks doing the testing, if it isn't security running those
  password check tools, it is hacking. Treat the admins accordingly.

   joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
GRILLENMEIER,GUIDO (HP-Germany,ex1)
Sent: Monday, July 07, 2003 9:41 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Taking DC Offline

In a way you should be happy they asked you, before just running a password
guessing tool against the domain... Of course that won't necessarily be
destructive, unless you have configured Account Lockout for X nr. of logons,
which I always consult my customers to do.

But if your AD domain spans multiple countries/locations or simply a large
population of users (which might previously have been separate NT domains),
you're suddenly very vulnerable after all... I've seen auditors from one
location run their magic tools unannounced to any admin against the AD domain
spanning the United States; voila, just like an attack from a hacker, that
domain was quickly ceasing to work for any user, with logins and eMail etc.
failing all over the place (thankfully admin accounts were hidden in AD and
thus not known to the tool used by the auditors).

Wasn't hard to find the issue and yell at the folks, but try to quickly revert
the status of many hundreds of locked out users... So now we're prepared for
these situations via a scripting solution. I would suggest everyone prepare
something for their own environment as well. Nothing like being caught off
guard.

/Guido

From: Simpsen, Paul A. (HSC) [mailto:[EMAIL PROTECTED]]
Sent: Monday, 7 July 2003 03:25
To: [EMAIL PROTECTED]

The whole purpose of this is all political. It has already been decided to
enable password complexity, but to help make the campus more agreeable (we are
an edu!) our Security director wants to shoot them some stats. The % of PW's
that they could crack, etc... Why this is good for you, you know the deal. I'm
still hoping my boss will see the light and just say no! :)

Thanks for all the responses, there might be some other options.

Paul

-Original Message-
From: Rick Kingslan [mailto:[EMAIL
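The time filter Guido asks for above, as an added example that is not from the thread and not joeware's unlock: given the lockoutTime values an LDAP search returns, keep only the accounts that went into lockout after the auditors' run started (and are still locked), and produce the LDIF that clears them. The DNs, times and the 30-minute lockout duration are constructed; the FILETIME encoding and the fact that lockoutTime is not reset when the lockout duration expires are how AD behaves.

```python
from datetime import datetime, timedelta, timezone

# AD stores lockoutTime as a FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# A value of 0 means the account has never been locked out.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME integer -> aware UTC datetime (sub-microsecond ticks dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME, using integer arithmetic only so nothing is
    lost on values around 1.3e16 microseconds (beyond float precision)."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def still_locked(lockout_time, lockout_duration, now):
    """lockoutTime stays set after the domain's lockout duration has elapsed, so
    a non-zero value alone does not mean the account is locked right now.
    lockout_duration is the policy as a timedelta; None means 'until an admin
    unlocks it'."""
    if lockout_time == 0:
        return False
    if lockout_duration is None:
        return True
    return filetime_to_datetime(lockout_time) + lockout_duration > now


def locked_since(accounts, cutoff, lockout_duration=None, now=None):
    """DNs of accounts locked at or after `cutoff` that are still locked.

    This is the time filter described above: after an unannounced
    password-guessing run, unlock only the accounts that went into lockout once
    the run started, and leave the ordinary day-to-day lockouts alone."""
    now = now or datetime.now(timezone.utc)
    cutoff_ft = datetime_to_filetime(cutoff)
    return [a["dn"] for a in accounts
            if a["lockoutTime"] >= cutoff_ft
            and still_locked(a["lockoutTime"], lockout_duration, now)]


def unlock_ldif(dns):
    """LDIF modify records that clear lockoutTime (importable with ldifde -i);
    writing 0 to lockoutTime is what unlocks an account."""
    records = ["dn: %s\nchangetype: modify\nreplace: lockoutTime\nlockoutTime: 0\n-\n" % dn
               for dn in dns]
    return "\n".join(records)


def _ft(year, month, day, hour, minute):
    """Constructed-sample helper: FILETIME for a UTC wall-clock time."""
    return datetime_to_filetime(datetime(year, month, day, hour, minute, tzinfo=timezone.utc))


# Constructed sample: what an LDAP search for lockoutTime might return on the
# morning of Monday 2003-07-07, with the auditors' tool starting at 09:30 UTC.
AUDIT_START = datetime(2003, 7, 7, 9, 30, tzinfo=timezone.utc)
SAMPLE_NOW = datetime(2003, 7, 7, 10, 10, tzinfo=timezone.utc)
SAMPLE_LOCKOUT_DURATION = timedelta(minutes=30)   # assumed domain policy
SAMPLE_ACCOUNTS = [
    {"dn": "CN=alice,OU=Users,DC=example,DC=net", "lockoutTime": _ft(2003, 7, 7, 9, 35)},
    {"dn": "CN=bob,OU=Users,DC=example,DC=net", "lockoutTime": 0},
    {"dn": "CN=carol,OU=Users,DC=example,DC=net", "lockoutTime": _ft(2003, 7, 6, 14, 0)},  # Sunday
    {"dn": "CN=dave,OU=Users,DC=example,DC=net", "lockoutTime": _ft(2003, 7, 7, 9, 41)},
]

if __name__ == "__main__":
    # alice's 30-minute lockout expired at 10:05; only dave needs clearing at 10:10
    print(unlock_ldif(locked_since(SAMPLE_ACCOUNTS, AUDIT_START,
                                   SAMPLE_LOCKOUT_DURATION, SAMPLE_NOW)))
```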

[ActiveDir] First AD Domain?

2003-07-08 Thread Cary, Mark
I am wondering if there is a preferred location for the first (AKA root)
domain in an AD forest given these parameters.

Company name is example and they have an Internet presence at example.com.
They have registered example.net for their AD DNS structure.  example.net
will never be resolvable in the public namespace.  

Is there any reason why one of these options is better than the other?
1) example.net
2) ad.example.net


Thanks,


The information contained in this message is confidential and is intended
for the addressee(s) only.  If you have received this message in error or
there are any problems please notify the originator immediately.  The
unauthorized use, disclosure, copying or alteration of this message is
strictly forbidden. Badger Meter, Inc. will not be liable for direct,
special, indirect or consequential damages arising from alteration of the
contents of this message by a third party or as a result of any virus being
passed on.



RE: [ActiveDir] Identity Management using AD

2003-07-08 Thread Thommes, Michael M.

I've been told that MIIS is really just MMS 3.0 renamed. The description of the
software would seem to indicate so. Is this true?

Mike Thommes
Argonne National Laboratory

  -Original Message-
  From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 9:12 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] Identity Management using AD

  We are in the process of evaluating MIIS here, and AD is currently our
  source for authentication information. For Enterprise applications, we are
  using a custom database running on Critical Path to sync with other
  application directories and get a metaview of the information for identity
  management. Currently no one allows the metaview write access anywhere.

  I hope our testing and subsequent deployment will allow for a more
  standardized approach like what was described below.

  To build on what Gil wrote, the reason why SQL Server was used to store
  identity information was probably because it was a metaview of all the
  relevant data needed to construct an employee, including privacy
  information. Active Directory doesn't need access to privacy information
  (SSN#, DOB, etc.) nor do many LDAP applications. The nice thing about MIIS
  is that it can create that metaview for you and store it in a SQL server.
  So if your privacy information is only stored in the HR system and Payroll,
  then you can set ACL's on the info so only those systems get that info.

  If you are getting into directories for both network access and Enterprise
  Resource and Application use, I suggest subscribing to the Burton Group
  papers on Enterprise directory, and constructing your architecture based on
  some of their principles. Now if we could only find a group willing to
  figure out the Laws of directories we would be golden... Maybe Murphy is
  already doing them.

  Todd
  

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD

MSFT internally uses SQL Server as the authoritative store for identity
information, and populates AD from that.

  
  -Original Message-
  From: Glenn Corbett [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, July 03, 2003 7:00 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Identity Management using AD

  All,

  We are in the process of redefining our Internet-enabled applications with
  a view to a centralised customer/client database. There has been quite a
  bit of discussion regarding using AD as this "customer store", since AD
  will already be in this environment.

  I'm a bit hesitant to recommend "vanilla" AD for this task, however I can
  see a number of benefits to this approach, as the support monkeys can
  manage the entire environment using the same tools they use to manage the
  production environment (ADUC etc).

  I've been reading up on the information regarding MIIS (what little there
  is), and can see some potential for a configuration such as this, eg:

  - Use AD to store the "core" customer information (user name, password,
    basic details)
  - Use ADAM or SQL (or whatever) for each application to store application
    specific extensions (so I don't end up with a blown out schema in AD with
    thousands of additional props for user objects)
  - Use MIIS as the Authentication / Identity management front end, and use
    it to sync these disparate databases to ensure some semblance of
    "sameness" between them.
  - Also use some of the MIIS features such as provisioning etc to ease the
    management overhead.

  Applications could use AD to authenticate the customer coming in, and then
  use their ADAM database to house the application specific information they
  need.

  We could possibly then use MIIS to "backchannel" into the production AD
  system, so that corporate users can gain access to these Internet
  applications without requiring multiple accounts.

  This is all just brainstorming at the moment, however (as usual), I need to
  come up with some sort of design by next week (gotta love being given lots
  of time *grin*). Having not actually got my hands on MIIS, this could be
  completely unfeasible. Other options are a custom database for the
  "customer store", or some other existing product.

  Has anyone been down this road before, and could share some insights /
  resources?

  Thanks

  Glenn
  
  


RE: [ActiveDir] First AD Domain?

2003-07-08 Thread Roger Seielstad
Shorter is better, IMO.

Now, you *could*, although I haven't tried it, do a non-contiguous forest
using a contiguous namespace. This might get a little convoluted...

In other words, it should be possible to create the root domain as
root.example.net. Once that's complete, you should be able to install the
second domain as example.net, choosing to create a new tree in an existing
forest. 

There is no theoretical reason this can't work, unless there are some
underlying, strict hierarchical issues within AD that I haven't seen before,
but I doubt it's that bad.

Roger
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.


 -Original Message-
 From: Cary, Mark [mailto:[EMAIL PROTECTED]]
 Sent: Tuesday, July 08, 2003 11:29 AM
 To: '[EMAIL PROTECTED]'
 Subject: [ActiveDir] First AD Domain?
 
 I am wondering if there is a preferred location for the first (AKA root)
 domain in an AD forest given these parameters.
 
 Company name is example and they have an Internet presence at example.com.
 They have registered example.net for their AD DNS structure. example.net
 will never be resolvable in the public namespace.
 
 Is there any reason why one of these options is better than the other?
 1) example.net
 2) ad.example.net
 
 Thanks,
 


RE: [ActiveDir] AD, Logon times & Custom messages

2003-07-08 Thread Ayers, Diane

I still prefer the upgraded version, bIg stIck®

Diane

  -Original Message-
  From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 7:37 AM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  I ordered 10 StIcK's (tm) and they work great. I name my StIcK's for the
  special purposes they serve. The best thing is one size fits all!

  Toddler
  


RE: [ActiveDir] Identity Management using AD

2003-07-08 Thread Gil Kirkpatrick

Mike,

You're basically correct, although the renaming of MMS is accompanied by a
broader IM strategy incorporating other products, services, and partnerships.
MSFT is going to spell it out at Catalyst this week (today I think). IM has
become a strategic issue for MSFT, partly because IM provides a more sellable
benefit that Active Directory can provide to customers. "Improved TCO" wasn't
a strong enough reason for getting people to make the leap to AD.

-gil

  -Original Message-
  From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 8:57 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Identity Management using AD

  I've been told that MIIS is really just MMS 3.0 renamed. The description
  of the software would seem to indicate so. Is this true?

  Mike Thommes
  Argonne National Laboratory
  

RE: [ActiveDir] Identity Management using AD

2003-07-08 Thread Myrick, Todd (NIH/CIT)

Yes, it is a new Architecture product from Microsoft.

The next question should be: does it use IIS?

Todd

  -Original Message-
  From: Thommes, Michael M. [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 11:57 AM
  To: [EMAIL PROTECTED]
  Subject: RE: [ActiveDir] Identity Management using AD

  I've been told that MIIS is really just MMS 3.0 renamed. The description
  of the software would seem to indicate so. Is this true?

  Mike Thommes
  Argonne National Laboratory
  
-Original Message-From: Myrick, Todd (NIH/CIT) 
[mailto:[EMAIL PROTECTED]Sent: Tuesday, July 08, 2003 9:12 
AMTo: '[EMAIL PROTECTED]'Subject: RE: 
[ActiveDir] Identity Management using AD
We 
are in the process of evaluating MIIS here, and AD is currently our source 
for authentication information, for Enterprise application, we are using a 
custom database running on Critical Path to sync with other application 
directories, and get a metaview of the information for identity 
management. Currently no one allows the metaview write access 
anywhere.

I 
hope our testing and subsequent deployment will allow for a more 
standardized approach like what was described below.

To 
build on what Gil wrote, The reason why SQL server was used to store 
identity information, was probably because it was a metaview of all the 
relevant data needed to construct an employee including privacy 
information. Active Directory doesn't need access to privacy 
information (SSN#, DOB, etc) nor do many LDAP applications. The nice 
thing about MIIS, is that it can create that metaview for you and store it 
in a SQL server. So if your privacy information is only stored in the 
HR system, and Payroll, Then you can set ACL's on the info so only those 
systems get that info.

If 
you are getting into directories for both network access and Enterprise 
Resource and Application use, I suggest subscribing to the Burton Group 
papers on Enterprise directory, and constructing your architecture based on 
some of their principals. Now if we could only find a group willing to 
figure out the Laws of directories we would be golden... Maybe Murphy is 
already doing them.

Todd

  
  -Original Message-From: Gil 
  Kirkpatrick [mailto:[EMAIL PROTECTED] Sent: Monday, July 07, 
  2003 5:30 PMTo: 
  '[EMAIL PROTECTED]'Subject: RE: [ActiveDir] Identity 
  Management using AD
  MSFT internally uses SQL Server as the authoritative store for 
  identity information, and populates AD from that.
  

-Original Message-From: Glenn 
Corbett [mailto:[EMAIL PROTECTED] Sent: Thursday, 
July 03, 2003 7:00 AMTo: 
[EMAIL PROTECTED]Subject: [ActiveDir] Identity 
Management using AD
All,

We are in the process of redefining our 
Internet-enabled applications with a view to a centralised 
customer/client database. There has been quite a bit of discussion 
regarding using AD as this "customer store", since AD will already be in 
this environment.

I'm a bit hesitant to recommend "vanilla" 
AD for this task, however I can see a number of benefits to this 
approach, as the support monkeys can manage the entire environment using 
the same tools they use to manage the production environment (ADUC 
etc).

I've been reading up on the information 
regarding MIIS (what little there is), and can see some potential for a 
configuration such as this, eg:

- Use AD to store the "core" customer 
information (user name, password, basic details)
- Use ADAM or SQL (or whatever) for each 
application to store application specific extensions (so I don't end up 
with a blown out schema in AD with thousands of additional props for 
user objects)
- Use MIIS as the Authentication / Identity 
management front end, and use it to sync these disparate databases to 
ensure some semblance of "sameness" between them.
- Also use some of the MIIS features such 
as provisioning etc to ease the management overhead.

Applications could use AD to authenticate 
the customer coming in, and then use their ADAM database to house the 
application specific information they need.

We could possibly then use MIIS to 
"backchannel" into the production AD system, so that corporate users can 
gain access to these Internet applications without requiring multiple 
accounts.

This is all just brainstorming at the 
moment, however (as usual), I need to come up with some sort of design 
by next week (gotta love being 
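The attribute-flow idea in Todd's message above (the SQL metaview holds the whole employee record, privacy fields such as SSN and DOB flow only to HR and Payroll, and AD or a per-application ADAM store receive a narrower projection), as an added example that is not part of the thread and is not MIIS's own code. Every system name, attribute name and record below is constructed for illustration; the anchor join, the per-system export allowlists and the delta export model what a metadirectory does, not any product API.

```javascript
// Metadirectory "metaview" with per-system attribute-flow rules.
// Added example; all systems, attributes and records are constructed, not real.

const PRIVACY_ATTRS = new Set(["ssn", "dob"]);
const PRIVACY_ENTITLED = new Set(["hr", "payroll"]); // the only systems allowed to receive them

// Export allowlists per connected system (assumed). AD and the per-app ADAM store get
// only what they need to authenticate and display a user; payroll gets the privacy fields.
const EXPORT_RULES = {
  "ad":       new Set(["employeeID", "sAMAccountName", "displayName", "mail", "department"]),
  "app-adam": new Set(["employeeID", "displayName", "mail", "appRole"]),
  "payroll":  new Set(["employeeID", "displayName", "ssn", "dob", "costCenter"]),
};

// Policy-as-code check: which systems would receive a privacy attribute without entitlement?
function auditRules(rules = EXPORT_RULES) {
  return Object.keys(rules)
    .filter(sys => !PRIVACY_ENTITLED.has(sys) && [...rules[sys]].some(a => PRIVACY_ATTRS.has(a)))
    .sort();
}

// Build the metaview by joining source feeds on the anchor attribute. Feeds are listed in
// precedence order: a later feed fills gaps but never overwrites a value already present.
function joinSources(feeds, anchor = "employeeID") {
  const metaview = new Map();
  for (const feed of feeds) {
    for (const rec of feed) {
      const merged = metaview.get(rec[anchor]) || {};
      for (const [attr, value] of Object.entries(rec)) {
        if (merged[attr] === undefined || merged[attr] === "") merged[attr] = value;
      }
      metaview.set(rec[anchor], merged);
    }
  }
  return metaview;
}

// The attribute subset one connected system is allowed to see.
function project(record, system, rules = EXPORT_RULES) {
  const out = {};
  for (const [attr, value] of Object.entries(record)) {
    if (rules[system].has(attr)) out[attr] = value;
  }
  return out;
}

// Delta export: compare each projected record with the target system's current state
// (its "connector space") and emit add / update / none, sending only attributes that differ.
function computeChanges(metaview, system, connectorSpace, rules = EXPORT_RULES) {
  const changes = {};
  for (const [anchor, record] of metaview) {
    const desired = project(record, system, rules);
    const current = connectorSpace[anchor];
    if (!current) { changes[anchor] = { op: "add", attrs: desired }; continue; }
    const delta = {};
    for (const [attr, value] of Object.entries(desired)) {
      if (current[attr] !== value) delta[attr] = value;
    }
    changes[anchor] = Object.keys(delta).length ? { op: "update", attrs: delta } : { op: "none", attrs: {} };
  }
  return changes;
}

// Constructed sample feeds (not real data).
const HR_FEED = [
  { employeeID: "1001", displayName: "Ada Example", department: "Eng", ssn: "000-00-0001", dob: "1970-01-01", costCenter: "CC10" },
  { employeeID: "1002", displayName: "Bob Example", department: "Ops", ssn: "000-00-0002", dob: "1971-02-02", costCenter: "CC20" },
];
const AD_FEED  = [{ employeeID: "1001", sAMAccountName: "aexample", mail: "ada@example.com" }];
const APP_FEED = [{ employeeID: "1001", appRole: "reader" }];

// Current AD connector space: Ada exists with a stale mail value, Bob is missing.
const AD_CONNECTOR_SPACE = {
  "1001": { employeeID: "1001", sAMAccountName: "aexample", displayName: "Ada Example", mail: "old@example.com", department: "Eng" },
};

function demo() {
  const metaview = joinSources([HR_FEED, AD_FEED, APP_FEED]);
  return { metaview, adChanges: computeChanges(metaview, "ad", AD_CONNECTOR_SPACE), violations: auditRules() };
}

const { adChanges, violations } = demo();
console.log(JSON.stringify(adChanges, null, 2));
console.log("rule violations:", violations);
```

The point of `auditRules` is that the allowlists are data, so the "only HR and Payroll see SSN/DOB" rule can be checked every time the rules change rather than discovered after a privacy attribute has already been written into AD.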

RE: [ActiveDir] Identity Management using AD

2003-07-08 Thread Duncan, Larry
Title: Message

According to the Technical Overview of Microsoft Identity Integration Server
2003 whitepaper, MIIS 2003 is the third major release of Microsoft's
metadirectory product. This would mean that, yes; MIIS is indeed the next
version of the MMS product.

http://www.microsoft.com/windowsserver2003/techinfo/overview/miis.mspx


RE: [ActiveDir] AD, Logon times & Custom messages

2003-07-08 Thread Roger Seielstad
Title: Message

You've apparently never met the pimp^H^H^H^H salesman of the StIcK, have you?

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  -Original Message-
  From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]]
  Sent: Tuesday, July 08, 2003 12:47 PM
  To: '[EMAIL PROTECTED]'
  Subject: RE: [ActiveDir] AD, Logon times & Custom messages

  I've always used the freeware predecessor to StIcK called KicK. It's not
  quite as fancy, but it requires no additional hardware.

  -gil

    -Original Message-
    From: Ayers, Diane [mailto:[EMAIL PROTECTED]]
    Sent: Tuesday, July 08, 2003 7:51 AM
    To: [EMAIL PROTECTED]
    Subject: RE: [ActiveDir] AD, Logon times & Custom messages

    I still prefer the upgraded version, bIg stIck

    Diane

      -Original Message-
      From: Myrick, Todd (NIH/CIT) [mailto:[EMAIL PROTECTED]]
      Sent: Tuesday, July 08, 2003 7:37 AM
      To: '[EMAIL PROTECTED]'
      Subject: RE: [ActiveDir] AD, Logon times & Custom messages

      I ordered 10 StIcKs (tm) and they work great. I name my StIcKs for the
      special purposes they serve. The best thing is one size fits all!

      Toddler

        -Original Message-
        From: Roger Seielstad [mailto:[EMAIL PROTECTED]]
        Sent: Tuesday, July 08, 2003 8:56 AM
        To: '[EMAIL PROTECTED]'
        Subject: RE: [ActiveDir] AD, Logon times & Custom messages

        The StIcK(tm) is a wonderful tool for addressing those issues which
        aren't quite technological in nature. It's generally applied, somewhat
        liberally, by a trained professional.

        Roger
        --
        Roger D. Seielstad - MTS MCSE MS-MVP
        Sr. Systems Administrator
        Inovis Inc.

          -Original Message-
          From: Mr Clark [mailto:[EMAIL PROTECTED]]
          Sent: Tuesday, July 08, 2003 7:47 AM
          To: [EMAIL PROTECTED]
          Subject: RE: [ActiveDir] AD, Logon times & Custom messages

          And what, exactly, would be StIck?

          How would ISA server, or a web filter program change/customize the
          logon message?
          Thanks.

            -Original Message-
            From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of
            Roger Seielstad
            Sent: Tuesday, July 08, 2003 06:43
            To: '[EMAIL PROTECTED]'
            Subject: RE: [ActiveDir] AD, Logon times & Custom messages

            The right tool for this job might just be the StIcK(tm) ;)

            Roger
            --
            Roger D. Seielstad - MTS MCSE MS-MVP
            Sr. Systems Administrator
            Inovis Inc.

RE: [ActiveDir] First AD Domain?

2003-07-08 Thread deji
I think both should be considered together. Example.net will be at the top (empty 
forest root) and ad.example.net will be the production child domain where you have all 
the user accounts and resources. Makes it easier when it comes time for 
acquisition/merger/spin-off/political and diplomatic empire building, IMO.
 
As for one being better than the other, it's a matter of taste.
 
HTH
 
 
Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon



From: [EMAIL PROTECTED] on behalf of Cary, Mark
Sent: Tue 7/8/2003 8:28 AM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] First AD Domain?



I am wondering if there is a preferred location for the first (AKA root)
domain in an AD forest given these parameters.

Company name is example and they have an Internet presence at example.com.
They have registered example.net for their AD DNS structure.  example.net
will never be resolvable in the public namespace. 

Is there any reason why one of these options is better than the other?
1) example.net
2) ad.example.net


Thanks,


The information contained in this message is confidential and is intended
for the addressee(s) only.  If you have received this message in error or
there are any problems please notify the originator immediately.  The
unauthorized use, disclosure, copying or alteration of this message is
strictly forbidden. Badger Meter, Inc. will not be liable for direct,
special, indirect or consequential damages arising from alteration of the
contents of this message by a third party or as a result of any virus being
passed on.

List info   : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/



RE: [ActiveDir] First AD Domain?

2003-07-08 Thread Roger Seielstad
Title: Message

Actually, a better strategy to use for M/A/D (merger/acquisition/divestiture)
activities is to use domain name(s) which are completely removed from the
company's name.

One of my two unofficial titles while we were part of a larger company was
"Iron Chef - Migration". I'm none too happy to never do another M/A/D activity
in my career...
--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

  


RE: [ActiveDir] Identity Management using AD

2003-07-08 Thread Myrick, Todd (NIH/CIT)
Title: Message

My spell checker broke my joke...

I meant to say Marchitecture. As in Marketing Architecture.

I think the whole IIS part is just a bad thing..

Todd

  

Re: [ActiveDir] Proxy Server

2003-07-08 Thread Richard Sumilang
I assume that will work for whatever browser they are using, correct 
(doesn't have to be IE)?

On Tuesday, July 8, 2003, at 12:05  PM, [EMAIL PROTECTED] wrote:

  Using GPO:

  User Configuration
    Windows Settings
      -Connection
        -Proxy Settings

  You can use IEAK for similar thing, but why do more work, eh?

  Enjoy.

  Sincerely,

  Dèjì Akómöláfé, MCSE MCSA MCP+I
  www.akomolafe.com
  www.iyaburo.com
  Do you now realize that Today is the Tomorrow you were worried about 
  Yesterday?  -anon


  From: [EMAIL PROTECTED] on behalf of Richard Sumilang
  Sent: Tue 7/8/2003 11:47 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Proxy Server

  I'm running DHCP from my Windows 2000 Server for all my clients on the
  network and I just recently set up a proxy server on another computer.
  How can I apply the proxy server's information without having to walk
  to everyone's computer?


Re: [ActiveDir] Proxy Server

2003-07-08 Thread Richard Sumilang
Oh wait, hmmm that's only good for IE. Is there a way to do it 
regardless of their browser?



RE: [ActiveDir] Proxy Server

2003-07-08 Thread Duncan, Larry
Title: [ActiveDir] Proxy Server

Well, one benefit of going ahead and using IEAK is that if you use the Auto
Config feature and change your settings/environment after the initial
deployment of your IEAK package, then you can simply update the .INS file and
the settings will be applied during the next synchronization.

For example here is the [Proxy] section of our AutoConfig INS file:

[Proxy]
; per-protocol proxy entries, left empty here because Use_Same_Proxy=1
; applies the HTTP entry to all protocols
HTTP_Proxy_Server=
FTP_Proxy_Server=
Gopher_Proxy_Server=
Secure_Proxy_Server=
Socks_Proxy_Server=
Use_Same_Proxy=1
; 0 = proxy switched off on the client, 1 = on
Proxy_Enable=0
; bypass list: "local" means dot-less (intranet) names go direct
Proxy_Override=local


RE: [ActiveDir] Proxy Server

2003-07-08 Thread Salandra, Justin A.
GPO, there is a setting in the Computer Configuration section I believe



RE: [ActiveDir] Proxy Server

2003-07-08 Thread Duncan, Larry
Actually, I don't think so. The GPO path reference below appears to be
missing the Internet Explorer Maintenance entry under Windows Settings.
This would lead me to believe that it is a Microsoft-centric policy setting.



RE: [ActiveDir] Proxy Server

2003-07-08 Thread Duncan, Larry
Besides a hardware solution, both browser platforms support Proxy
Auto-Configuration (PAC) files. But, this is a last-ditch effort by those in
the know. IE, in particular, has been known to dislike PACs.

Another alternative is to use the login script to modify the registry. Not
pretty, but it works. 

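A Proxy Auto-Configuration file that expresses the same policy as Larry's INS [Proxy] fragment above (local names bypass the proxy, everything else goes through it), as an added example that is not from the thread. The proxy address proxy.example.net:8080 and the internal suffix .corp.example.net are assumed; the helpers a browser's PAC engine normally supplies (isPlainHostName, dnsDomainIs) are reimplemented with plain string tests so the same file runs unchanged in a browser and under Node, and so nothing inside the PAC triggers a DNS lookup on the client.

```javascript
// proxy.pac: bypass the proxy for local and intranet destinations, use it for the rest.
// Added example; proxy host and intranet suffix are assumed values, not from the thread.

var PROXY = "PROXY proxy.example.net:8080";   // assumed proxy / web filter
var INTRANET_SUFFIX = ".corp.example.net";    // assumed internal DNS suffix

// A dot-less name: the "local" bypass case in the IE settings.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// host ends with the given domain suffix (case-insensitive, suffix must start with a dot
// so "evilcorp.example.net" does not match ".corp.example.net").
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length > domain.length && host.slice(-domain.length) === domain;
}

// IPv4 literal in RFC 1918 space or loopback, decided on the literal itself:
// calling dnsResolve() here would make the client resolve every hostname it visits.
function isPrivateIPv4Literal(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var o = [+m[1], +m[2], +m[3], +m[4]];
  for (var i = 0; i < 4; i++) { if (o[i] > 255) return false; }
  return o[0] === 10 || o[0] === 127 ||
         (o[0] === 172 && o[1] >= 16 && o[1] <= 31) ||
         (o[0] === 192 && o[1] === 168);
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host === "localhost" || isPlainHostName(host) ||
      dnsDomainIs(host, INTRANET_SUFFIX) || isPrivateIPv4Literal(host)) {
    return "DIRECT";
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails rather
  // than silently bypassing the filter.
  return PROXY;
}
```

Serve it as proxy.pac with Content-Type application/x-ns-proxy-autoconfig and point clients at its URL (the automatic configuration script setting in IE, or the equivalent in other browsers). Everything decided inside the PAC runs on the client, so the bypass rules are policy: a destination that matches them never passes through the ISA or web-filter box, which is why the example matches only literal private addresses and an explicit suffix rather than resolving names.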


RE: [ActiveDir] Proxy Server

2003-07-08 Thread Robinson, Chuck
DHCP Scope Options?
 


Re: [ActiveDir] Proxy Server

2003-07-08 Thread Richard Sumilang
That's why everyone should use a Mac!!! Hehehe, with my mac I can just 
specify it in my Network Settings for the system and that should work 
for all my browsers. Anyways since we are bringing up GPO, I have a 
finger to pick with that. For some reason my group policies are only 
getting applied on the server computers and not the workstations? Any 
ideas?

On Tuesday, July 8, 2003, at 12:44  PM, Duncan, Larry wrote:

Actually, I don't think so. The GPO path reference below appears to be
missing the Internet Explorer Maintenance entry under Windows 
Settings.
This would lead me to believe that it is a Microsoft-centric policy 
setting.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server
I assume that will work for whatever browser they are using correct
(doesn't have to be IE)?
On Tuesday, July 8, 2003, at 12:05  PM, [EMAIL PROTECTED] wrote:

Using GPO:

User Configuration
   Windows Settings
   -Connection
  -Proxy Settings
You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


From: [EMAIL PROTECTED] on behalf of Richard Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server


I'm running DHCP from my Windows 2000 Server for all my clients on the
network and I just recently setup a proxy server on another computer.
How can I apply the proxy server's information without having to walk
to everyone's computer?


[ActiveDir] admt 2.0 - nt4 computer migration

2003-07-08 Thread Graham Turner
Am attempting the migration of computer from NT4 source domain to Windows
2000 target domain.

the migration environment is working fine with windows 2000 professional
clients

have got issues with the migration of an NT4 workstation

the extract from dispatch.log on the admt server is attached from which i am
hoping to get a few clues as to the access denied

have checked the obvious issues such as sourcedom\domain admins being a
member of the local administrators group and the computer migration being
run while logged on as a member of that sourcedom\domain admins group

Thanks

GT



sp94781.doc
Description: MS-Word document


RE: [ActiveDir] Proxy Server

2003-07-08 Thread Salandra, Justin A.
Check under the Computer Configuration side of the GPO

 -Original Message-
From:   Duncan, Larry [mailto:[EMAIL PROTECTED] 
Sent:   Tuesday, July 08, 2003 3:44 PM
To: '[EMAIL PROTECTED]'
Subject:RE: [ActiveDir] Proxy Server

Actually, I don't think so. The GPO path reference below appears to be
missing the Internet Explorer Maintenance entry under Windows Settings.
This would lead me to believe that it is a Microsoft-centric policy setting.

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 08, 2003 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server

I assume that will work for whatever browser they are using correct 
(doesn't have to be IE)?


On Tuesday, July 8, 2003, at 12:05  PM, [EMAIL PROTECTED] wrote:

 Using GPO:

 User Configuration
Windows Settings
-Connection
   -Proxy Settings

 You can use IEAK for similar thing, but why do more work, eh?

 Enjoy.


 Sincerely,

 Dèjì Akómöláfé, MCSE MCSA MCP+I
 www.akomolafe.com
 www.iyaburo.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon

 

 From: [EMAIL PROTECTED] on behalf of Richard Sumilang
 Sent: Tue 7/8/2003 11:47 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Proxy Server



 I'm running DHCP from my Windows 2000 Server for all my clients on the
 network and I just recently setup a proxy server on another computer.
 How can I apply the proxy server's information without having to walk
 to everyone's computer?



RE: [ActiveDir] Proxy Server

2003-07-08 Thread Darren Mar-Elia
Richard-
Where are the GPOs linked? Have you checked permissions on them to ensure that the 
workstation machine accounts have Read and Apply Group Policy perms? Authenticated 
Users will do. 



-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 08, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server


That's why everyone should use a Mac!!! Hehehe, with my mac I can just 
specify it in my Network Settings for the system and that should work 
for all my browsers. Anyways since we are bringing up GPO, I have a 
finger to pick with that. For some reason my group policies are only 
getting applied on the server computers and not the workstations? Any 
ideas?


On Tuesday, July 8, 2003, at 12:44  PM, Duncan, Larry wrote:

 Actually, I don't think so. The GPO path reference below appears to be 
 missing the Internet Explorer Maintenance entry under Windows 
 Settings. This would lead me to believe that it is a Microsoft-centric 
 policy setting.

 -Original Message-
 From: Richard Sumilang [mailto:[EMAIL PROTECTED]
 Sent: Tuesday, July 08, 2003 2:27 PM
 To: [EMAIL PROTECTED]
 Subject: Re: [ActiveDir] Proxy Server

 I assume that will work for whatever browser they are using correct 
 (doesn't have to be IE)?


 On Tuesday, July 8, 2003, at 12:05  PM, [EMAIL PROTECTED] wrote:

 Using GPO:

 User Configuration
Windows Settings
-Connection
   -Proxy Settings

 You can use IEAK for similar thing, but why do more work, eh?

 Enjoy.


 Sincerely,

 Dèjì Akómöláfé, MCSE MCSA MCP+I
 www.akomolafe.com
 www.iyaburo.com
 Do you now realize that Today is the Tomorrow you were worried about 
 Yesterday?  -anon

 

 From: [EMAIL PROTECTED] on behalf of Richard 
 Sumilang
 Sent: Tue 7/8/2003 11:47 AM
 To: [EMAIL PROTECTED]
 Subject: [ActiveDir] Proxy Server



 I'm running DHCP from my Windows 2000 Server for all my clients on 
 the network and I just recently setup a proxy server on another 
 computer. How can I apply the proxy server's information without 
 having to walk to everyone's computer?

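The two checks Darren suggests (where the GPO is linked, and whether the workstation accounts hold Read + Apply Group Policy) can be scripted. The block below is an added example, not code from the thread; it assumes RSAT with the GroupPolicy and ActiveDirectory modules, and the GPO name "Proxy Settings" and workstation "WS01" are made-up placeholders.

```powershell
# Added example (not from the thread): locate a GPO's links and verify that a given workstation
# is in scope of its security filtering. Assumptions: GPO name and workstation name are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName     = "Proxy Settings"   # assumed: the GPO that reaches servers but not workstations
$Workstation = "WS01"             # assumed: a workstation that is not picking it up

$gpo = Get-GPO -Name $GpoName
"GPO '$($gpo.DisplayName)' ($($gpo.Id)) status: $($gpo.GpoStatus)"

# 1. Where is it linked? The domain root and every OU carry a gPLink attribute that names the
#    linked GPOs by GUID. A link only on the OU holding the servers never reaches workstations elsewhere.
$containers = @((Get-ADDomain).DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
$linkedAt = foreach ($dn in $containers) {
    $obj = Get-ADObject -Identity $dn -Properties gPLink
    if ($obj.gPLink -and $obj.gPLink -like "*$($gpo.Id)*") { $dn }
}
"Linked at:"; $linkedAt | ForEach-Object { "  $_" }

# 2. Who holds Read + Apply Group Policy? Get-GPPermission reports GpoApply only when both are granted.
$apply = Get-GPPermission -Guid $gpo.Id -All | Where-Object { $_.Permission -eq 'GpoApply' }
"Trustees with Apply Group Policy:"; $apply | ForEach-Object { "  $($_.Trustee.Name)" }

# 3. Does the workstation's token match one of those trustees? tokenGroups lists every group the
#    computer account belongs to, nested groups included; S-1-5-11 (Authenticated Users) covers everyone.
$ws = Get-ADComputer -Identity $Workstation -Properties tokenGroups
$wsSids = @('S-1-5-11') + @($ws.tokenGroups | ForEach-Object { $_.Value })
$covered = $apply | Where-Object { $wsSids -contains $_.Trustee.Sid.Value }
if ($covered) {
    "$Workstation can apply '$GpoName' through: $(($covered | ForEach-Object { $_.Trustee.Name }) -join ', ')"
} else {
    Write-Warning "$Workstation has no Apply Group Policy grant on '$GpoName'. Grant Read + Apply to Authenticated Users or to a group the workstation is in, and check the link scope above."
}
```

The same check with a user account instead of the computer covers the User Configuration side, which is where the Internet Explorer Maintenance proxy setting lives. On the workstation itself, `gpresult /r /scope:computer` (or `/scope:user`) lists the GPOs that were not applied together with the reason; "Filtering: Denied (Security)" is the missing-permission case, while a GPO that is not linked anywhere above the computer's OU does not appear at all.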


RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-08 Thread Duncan, Larry
While continuing my interest in this issue, I came across the following
Q-article that seems dead-on:

http://support.microsoft.com/default.aspx?scid=kb;en-us;316073


-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 08, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt 2.0 - nt4 computer migration

Am attempting the migration of computer from NT4 source domain to Windows
2000 target domain.

the migration environment is working fine with windows 2000 professional
clients

have got issues with the migration of an NT4 workstation

the extract from dispatch.log on the admt server is attached from which i am
hoping to get a few clues as to the access denied

have checked the obvious issues such as sourcedom\domain admins being a
member of the local administrators group and the computer migration being
run while logged on as a member of that sourcedom\domain admins group

Thanks

GT



Re: [ActiveDir] Proxy Server

2003-07-08 Thread Richard Sumilang
How so? 072 World Wide Web Servers?

On Tuesday, July 8, 2003, at 01:04  PM, Robinson, Chuck wrote:

DHCP Scope Options?

-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Tue 7/8/2003 3:29 PM
To: [EMAIL PROTECTED]
Cc:
Subject: Re: [ActiveDir] Proxy Server


	Oh wait, hmmm that's only good for IE. Is there a way to do it
	regardless of their browser?
	
	
	On Tuesday, July 8, 2003, at 12:05  PM, [EMAIL PROTECTED] wrote:
	
	 Using GPO:
	
	 User Configuration
	Windows Settings
	-Connection
	   -Proxy Settings
	
	 You can use IEAK for similar thing, but why do more work, eh?
	
	 Enjoy.
	
	
	 Sincerely,
	
	 Dèjì Akómöláfé, MCSE MCSA MCP+I
	 www.akomolafe.com
	 www.iyaburo.com
	 Do you now realize that Today is the Tomorrow you were worried about
	 Yesterday?  -anon
	
	 
	
	 From: [EMAIL PROTECTED] on behalf of Richard 
Sumilang
	 Sent: Tue 7/8/2003 11:47 AM
	 To: [EMAIL PROTECTED]
	 Subject: [ActiveDir] Proxy Server
	
	
	
	 I'm running DHCP from my Windows 2000 Server for all my clients on 
the
	 network and I just recently setup a proxy server on another 
computer.
	 How can I apply the proxy server's information without having to 
walk
	 to everyone's computer?
	


RE: [ActiveDir] admt 2.0 - nt4 computer migration

2003-07-08 Thread Duncan, Larry
Has the Everyone group been added to the Pre-Windows 2000 Compatible
Access group in the new domain? 


-Original Message-
From: Graham Turner [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, July 08, 2003 3:24 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] admt 2.0 - nt4 computer migration

Am attempting the migration of computer from NT4 source domain to Windows
2000 target domain.

the migration environment is working fine with windows 2000 professional
clients

have got issues with the migration of an NT4 workstation

the extract from dispatch.log on the admt server is attached from which i am
hoping to get a few clues as to the access denied

have checked the obvious issues such as sourcedom\domain admins being a
member of the local administrators group and the computer migration being
run while logged on as a member of that sourcedom\domain admins group

Thanks

GT



RE: [ActiveDir] Proxy Server

2003-07-08 Thread Robinson, Chuck
Check out KB
http://support.microsoft.com/default.aspx?scid=kb%3ben-us%3b252898
 
I haven't used this feature, thought it could be relevant.
 

-Original Message- 
From: Richard Sumilang [mailto:[EMAIL PROTECTED] 
Sent: Tue 7/8/2003 4:49 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: Re: [ActiveDir] Proxy Server



How so? 072 World Wide Web Servers?


On Tuesday, July 8, 2003, at 01:04  PM, Robinson, Chuck wrote:

 DHCP Scope Options?


   -Original Message-
   From: Richard Sumilang [mailto:[EMAIL PROTECTED]
   Sent: Tue 7/8/2003 3:29 PM
   To: [EMAIL PROTECTED]
   Cc:
   Subject: Re: [ActiveDir] Proxy Server
  
  

   Oh wait, hmmm that's only good for IE. Is there a way to do it
   regardless of their browser?
  
  
   On Tuesday, July 8, 2003, at 12:05  PM, [EMAIL PROTECTED] wrote:
  
Using GPO:
   
User Configuration
   Windows Settings
   -Connection
  -Proxy Settings
   
You can use IEAK for similar thing, but why do more work, eh?
   
Enjoy.
   
   
Sincerely,
   
Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon
   

   
From: [EMAIL PROTECTED] on behalf of Richard
 Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server
   
   
   
I'm running DHCP from my Windows 2000 Server for all my clients on
 the
network and I just recently setup a proxy server on another
 computer.
How can I apply the proxy server's information without having to
 walk
to everyone's computer?
   
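The browser-neutral route Chuck is pointing at with "DHCP Scope Options" is proxy auto-discovery: the DHCP server hands out a URL to a proxy auto-config (PAC) file, and any browser with auto-detection enabled fetches it, IE or not. The block below is an added example, not code from the thread or from the KB article cited; it assumes the DhcpServer PowerShell module on the DHCP server, and the scope, host names, addresses and file path are made up. That the DHCP mechanism meant is option 252 (WPAD) is an assumption as well.

```powershell
# Added example (not from the thread): publish a PAC URL to every DHCP client through option 252 (WPAD).
# Assumptions: scope ID, host names, proxy address and PAC file path are placeholders.
Import-Module DhcpServer

$ScopeId = "192.168.1.0"
$PacUrl  = "http://wpad.example.com/wpad.dat"
$PacFile = "C:\inetpub\wwwroot\wpad.dat"   # serve it with MIME type application/x-ns-proxy-autoconfig

# The PAC file is JavaScript the browser evaluates for every URL.
# There is deliberately no "; DIRECT" fallback after the proxy: if the proxy is down, clients fail
# closed instead of silently bypassing whatever filtering the proxy enforces.
$pac = @'
function FindProxyForURL(url, host) {
    // Internal names and the internal address range go direct; everything else via the proxy.
    if (isPlainHostName(host) ||
        dnsDomainIs(host, ".example.com") ||
        isInNet(host, "192.168.0.0", "255.255.0.0")) {
        return "DIRECT";
    }
    return "PROXY proxy.example.com:8080";
}
'@
Set-Content -Path $PacFile -Value $pac -Encoding Ascii

# Option 252 is not predefined on the Windows DHCP server: define it once as a string option,
# then set its value on the scope.
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 252 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 252 -Name "WPAD" -Type String -Description "Proxy auto-config URL"
}
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252 -Value $PacUrl

# Show what clients in this scope will receive.
Get-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 252
```

Two caveats a practitioner should keep in mind. First, this only covers browsers that use the system proxy settings with "automatically detect settings" on; Firefox has its own auto-detect option that must be enabled separately. Second, WPAD is an attractive target: a client that does not get option 252 falls back to resolving the name wpad.<domain>, so whoever can answer that name (a rogue DHCP server, or LLMNR/NetBIOS name spoofing on the local segment) can redirect every client's web traffic through a proxy they control. Either register the wpad host in DNS yourself or leave it blocked (Windows DNS blocks "wpad" by default through its global query block list), and make sure only your DHCP server can answer on the network.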

Re: [ActiveDir] Proxy Server

2003-07-08 Thread Richard Sumilang
Workstation machine accounts? I don't think so nor recall anything 
about that? As for Authenticated Users group, yes.



On Tuesday, July 8, 2003, at 01:48  PM, Darren Mar-Elia wrote:

Richard-
Where are the GPOs linked? Have you checked permissions on them to 
ensure that the workstation machine accounts have Read and Apply Group 
Policy perms? Authenticated Users will do.



-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 1:18 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server
That's why everyone should use a Mac!!! Hehehe, with my mac I can just
specify it in my Network Settings for the system and that should work
for all my browsers. Anyways since we are bringing up GPO, I have a
finger to pick with that. For some reason my group policies are only
getting applied on the server computers and not the workstations? Any
ideas?
On Tuesday, July 8, 2003, at 12:44  PM, Duncan, Larry wrote:

Actually, I don't think so. The GPO path reference below appears to be
missing the Internet Explorer Maintenance entry under Windows
Settings. This would lead me to believe that it is a Microsoft-centric
policy setting.
-Original Message-
From: Richard Sumilang [mailto:[EMAIL PROTECTED]
Sent: Tuesday, July 08, 2003 2:27 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Proxy Server
I assume that will work for whatever browser they are using correct
(doesn't have to be IE)?
On Tuesday, July 8, 2003, at 12:05  PM, [EMAIL PROTECTED] wrote:

Using GPO:

User Configuration
   Windows Settings
   -Connection
  -Proxy Settings
You can use IEAK for similar thing, but why do more work, eh?

Enjoy.

Sincerely,

Dèjì Akómöláfé, MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon


From: [EMAIL PROTECTED] on behalf of Richard
Sumilang
Sent: Tue 7/8/2003 11:47 AM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Proxy Server


I'm running DHCP from my Windows 2000 Server for all my clients on
the network and I just recently setup a proxy server on another
computer. How can I apply the proxy server's information without
having to walk to everyone's computer?


Re: [ActiveDir] Identity Management using AD

2003-07-08 Thread Glenn Corbett



Thanks Todd.

At the moment, we aren't hugely concerned about putting *some* privacy information into AD, as this instance of AD will only be for our external clients, and the attribute level ACL's provided by AD should provide enough security to stop certain applications / users from seeing this information. That being said, we are looking into the appropriate laws / legislation / statutes regarding privacy and the storage of personal information to make sure we are covered from that aspect.

I've done the required high level checking, and AD shouldn't have any trouble storing the amount and type of information we require (up to 6-8 million user objects, several thousand groups etc), it's really down to the following questions:

a) Is AD an *appropriate* store for this sort of information (my answer would be yes, based on the Authentication / Authorisation provided by AD)
b) What sorts of information should be stored in AD (I'll be pointing out the often read / rarely written aspects of AD)
c) For application specific extensions, is this appropriate to store in AD (my current thinking is NO, as I'll end up with several hundred additional user properties, better to store them elsewhere and sync)
d) In relation to c, if not in AD, then where, and how to keep these disparate databases in sync
e) What management tools / processes are required to manage a 6-8 million user AD, and what are the associated security implications (eg exposing the admin interfaces to the internet, as opposed to just internal exposure)
f) What other solutions are available that may be able to provide the Authentication / Authorisation that is required (mention has been made of Passport etc, and how would this tie in with AD - if at all)
g) What additional authentication methods can be layered on AD to provide additional levels of authentication (Certifications, SmartCards, Biometrics etc) - I know AD can do all these, it's really how to integrate them, and the associated security / management implications.
h) What are some of the constraints on AD that could be an issue down the track (like the X users in a group problem under 2k).
i) Why me ?? *grin*

I'm sure Murphy was the first one out with a book 
:P

Glenn


  - Original Message - 
  From: Myrick, Todd (NIH/CIT)
  To: '[EMAIL PROTECTED]'
  Sent: Wednesday, July 09, 2003 12:11 AM
  Subject: RE: [ActiveDir] Identity Management using AD
  
  We are in the process of evaluating MIIS here, and AD is currently our source for authentication information. For Enterprise applications, we are using a custom database running on Critical Path to sync with other application directories, and get a metaview of the information for identity management. Currently no one allows the metaview write access anywhere.

  I hope our testing and subsequent deployment will allow for a more standardized approach like what was described below.

  To build on what Gil wrote, the reason why SQL server was used to store identity information was probably because it was a metaview of all the relevant data needed to construct an employee including privacy information. Active Directory doesn't need access to privacy information (SSN#, DOB, etc) nor do many LDAP applications. The nice thing about MIIS is that it can create that metaview for you and store it in a SQL server. So if your privacy information is only stored in the HR system and Payroll, then you can set ACL's on the info so only those systems get that info.

  If you are getting into directories for both network access and Enterprise Resource and Application use, I suggest subscribing to the Burton Group papers on Enterprise directory, and constructing your architecture based on some of their principles. Now if we could only find a group willing to figure out the Laws of directories we would be golden... Maybe Murphy is already doing them.

  Todd
  

-Original Message-
From: Gil Kirkpatrick [mailto:[EMAIL PROTECTED]
Sent: Monday, July 07, 2003 5:30 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Identity Management using AD
MSFT internally uses SQL Server as the authoritative store for 
identity information, and populates AD from that.

  
  -Original Message-
  From: Glenn Corbett [mailto:[EMAIL PROTECTED]
  Sent: Thursday, July 03, 2003 7:00 AM
  To: [EMAIL PROTECTED]
  Subject: [ActiveDir] Identity Management using AD
  All,
  
  We are in the process of redefining our 
  Internet-enabled applications with a view to a centralised customer/client 
  database. There has been quite a bit of discussion regarding using 
  AD as this "customer store", since AD will already be in this 
  environment.
  
  I'm a bit hesitant to recommend "vanilla" AD 
  for this task, however I can see a number of 
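
Glenn's point (a) rests on AD's attribute-level ACLs keeping privacy fields such as an SSN away from applications and users that only need the identity. The block below is an added example of how that is actually done, not code from the thread: it marks a custom attribute confidential in the schema and then grants the CONTROL_ACCESS right on that attribute to one group, so plain Read on the user object no longer reveals it. Assumptions: the attribute name exampleClientTaxId, the OU and the group are placeholders; the attribute must be a custom (non-base-schema) attribute, since base schema attributes cannot be marked confidential; step 1 needs Schema Admins rights on the schema master.

```powershell
# Added example (not from the thread): protect one privacy attribute with the confidentiality bit
# plus a per-attribute CONTROL_ACCESS grant. Assumptions: attribute, OU and group names are placeholders.
Import-Module ActiveDirectory

$AttributeName = "exampleClientTaxId"                    # assumed custom attribute holding SSN-like data
$TargetOU      = "OU=ExternalClients,DC=example,DC=com"  # assumed OU holding the client user objects
$ReaderGroup   = "EXAMPLE\TaxIdReaders"                  # assumed group that is allowed to read it

$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attr      = Get-ADObject -SearchBase $schemaNC -Properties searchFlags, schemaIDGUID `
                -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$AttributeName))"
$userClass = Get-ADObject -SearchBase $schemaNC -Properties schemaIDGUID `
                -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=user))"
$attrGuid  = [guid]$attr.schemaIDGUID        # attribute-level ACEs are keyed on the schemaIDGUID
$userGuid  = [guid]$userClass.schemaIDGUID   # limit inheritance of the ACE to user objects

# Step 1: set the confidential bit (0x80) in searchFlags. From then on, Read Property is not enough:
# a reader also needs CONTROL_ACCESS on this attribute (principals with Full Control, such as Domain
# Admins, keep access, which is the usual reason to audit who holds Full Control over the OU).
$confidential = 0x80
if (-not ($attr.searchFlags -band $confidential)) {
    Set-ADObject -Identity $attr.DistinguishedName -Replace @{ searchFlags = ($attr.searchFlags -bor $confidential) }
}

# Step 2: grant CONTROL_ACCESS for this one attribute, on user objects below the OU, to the reader group.
# ExtendedRight combined with an attribute GUID as objectType is the control-access-on-attribute ACE
# (what "dsacls ... /G group:CA;attribute;user" creates).
$sid  = (New-Object System.Security.Principal.NTAccount($ReaderGroup)).Translate([System.Security.Principal.SecurityIdentifier])
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $attrGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)
$acl = Get-Acl -Path "AD:\$TargetOU"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: run this as a member of the reader group and the values appear; as any other account that
# merely has Read on the users, the column comes back empty.
Get-ADUser -SearchBase $TargetOU -Filter * -Properties $AttributeName |
    Select-Object SamAccountName, $AttributeName
```

The schema change is forest-wide and takes effect once the domain controllers reload their schema cache (within a few minutes, or immediately after writing schemaUpdateNow=1 to rootDSE). The ACE, by contrast, is scoped to the OU it is set on, so an application that needs the field gets the grant only on the containers holding the objects it serves; everything else keeps the default Read and sees nothing.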

RE: [ActiveDir] Identity Management using AD

2003-07-08 Thread Rick Kingslan



Glenn, 

Interesting questions, and I'd like to take a shot at lending an opinion on some of these points. Firstly, privacy seems to have become a true art form in the States. From Gramm-Leach-Bliley to HIPAA, we're regulated to the n-th degree. I'm not sure if it's good or bad - but it's something to be aware of. Then, to the other extreme - the Higher Educational system where the 1st Amendment meets rational thought and security. ;-)

a) I agree 100%. I think AD is a very well designed store for this type of storage - given that triple-A is available out of the box (authorization, authentication, auditing)
b) True - fairly static - not changing much. Just enough to keep the Identity portion in place.
c) Nope - see D
d) ADAM - Active Directory Application Mode. Synching available, greater level with MMS (MIIS??), multiple instances and truly designed for the application depository
e) Joe is going to be the man to answer this - he's been doing the massive number management function - though I don't think to this number. ;-)
f) Passport (and to some degree, rightly so) has been beat up pretty badly. However, in your environment, Passport may be more viable than how it is being leveraged by MS
g) Heh - layering these things is possible, though it can get hairy to manage. Mapping of certs to names / objects, expansion of schema for new function to handle biometrics, and the smart card option is all pretty good - but smart card is going to leverage certs to some degree at some level. Not knowing what price level / sensitivity of data / regulations you are dealing with makes it a bit hard for me to suggest anything, but any layering is obviously going to raise the price because of the complexity / added hardware / software and added processor for keyed type solutions
h) Can't say that I've run into any or know of anyone that has (well - not completely true. I know Gary Olsen with HP, and he ran into the KCC issue mentioned in a moment) - obviously, they are there. Microsoft claims to have tested to billions of objects - and I have no reason to not believe this to be true. The KCC topology (KCC cannot work if (1 + #Domains) x sites^2 > 100,000) issue of Windows 2000 does indicate that there are issues here and there. They get fixed, but usually are big fixes. In the case of the KCC issue, it's fixed in Server 2003, but only once you get to 2003 Forest Functional mode. That's a big move.
i) Because it's there. Oh, wait! That's for mountains. never mind.


Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Glenn Corbett
Sent: Tuesday, July 08, 2003 6:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] Identity Management using AD

Thanks Todd.

At the moment, we aren't hugely concerned about putting *some* privacy information into AD, as this instance of AD will only be for our external clients, and the attribute level ACL's provided by AD should provide enough security to stop certain applications / users from seeing this information. That being said, we are looking into the appropriate laws / legislation / statutes regarding privacy and the storage of personal information to make sure we are covered from that aspect.

I've done the required high level checking, and AD shouldn't have any trouble storing the amount and type of information we require (up to 6-8 million user objects, several thousand groups etc), it's really down to the following questions:

a) Is AD an *appropriate* store for this sort of information (my answer would be yes, based on the Authentication / Authorisation provided by AD)
b) What sorts of information should be stored in AD (I'll be pointing out the often read / rarely written aspects of AD)
c) For application specific extensions, is this appropriate to store in AD (my current thinking is NO, as I'll end up with several hundred additional user properties, better to store them elsewhere and sync)
d) In relation to c, if not in AD, then where, and how to keep these disparate databases in sync
e) What management tools / processes are required to manage a 6-8 million user AD, and what are the associated security implications (eg exposing the admin interfaces to the internet, as opposed to just internal exposure)
f) What other solutions are available that may be able to provide the Authentication / Authorisation that is required (mention has been made of Passport etc, and how would this tie in with AD - if at all)
g) What additional authentication methods can be layered on AD to provide additional levels of authentication (Certifications, SmartCards, Biometrics etc) - I know AD can do all these, it's really how to integrate them, and the associated security / management implications.
h) What are some of the constraints on AD that could be an issue down the track (like the X