Is the scripting/cli information you're talking about here documented in either (or both) of these books? Looks like I might need to expand the library a bit...
-------------------------------------------------------------- Roger D. Seielstad - MTS MCSE MS-MVP Sr. Systems Administrator Inovis Inc. > -----Original Message----- > From: Joe [mailto:[EMAIL PROTECTED] > Sent: Thursday, June 19, 2003 9:00 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] suggestions for OU delegation > information sources > > > Bob: I agree on the book recommendation. Chapter 4 is a > virtual mountain of good info. For the more involved/intense > AD Admin I would also point out and recommend Managing > Enterprise Active Directory Services (Robbie Allen/Richard > Puckett Addison Wesley Publishing). That book will probably > fly over the head of most AD Admins out there but the info is > really good, I especially was impressed on the section on > SDDLs. If they only could have had a few chapters on Exchange > 2K integration and how to make it less painful... :oP > > > Michael what specific things are you looking to delegate? As > a general rule I avoid the GUI's as the command line is > generally much more efficient and people are more consistent > when they run scripts than when they do things in the GUI. > With GUI I think ad hoc and you don't admin AD ad hoc or at > least you don't do it for long or else it will bite you. > Anyway if you give specifics of things you are looking for, > people on the list could recommend how to do it, etc. > > Such as how to delegate unlock capability to the HelpDesk > group on the users OU of domain.com > > dsacls "CN=Users,DC=domain,DC=com" /I:S /G > "Domain\HelpDesk":RPWP;lockoutTime;user > > Or reset password to the same group on the same OU > > dsacls "CN=Users,DC=domain,DC=com" /I:S /G > "Domain\HelpDesk":CA;"Reset Password";user > > Obviously the more delegation you do that fits patterns the > better the scripts pay off for you in terms of save time > realized and consistency of configuration. You can wrap > dsacls into a script or you can actually call and modify the > security descriptores directly. Writing scripts to do this > stuff at the command line usually starts giving benefits of > side tools that will let you do ACL audits and such a little > easier as well and best of all puts things in formats that > you want and can be set up to take advantage of things you > know are set up in specific ways in your environment. > > > > joe > > > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob > Sent: Thursday, June 19, 2003 6:02 PM > To: [EMAIL PROTECTED] > Subject: RE: [ActiveDir] suggestions for OU delegation > information sources > > > Some of the better coverage I've seen of the subject is in > Chapter 4 of Inside Active Directory: A System > Administrator's Guide (ISBN: 0-201-61621-1), By Sakari Kouti > and Mike Seitsonen > > If you don't have the book (highly recommended BTW) MS > published that particular chapter on TechNet. > http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodt echnol/AD/windows2000/deploy/confeat/securead.asp -----Original Message----- From: Thommes, Michael M. [mailto:[EMAIL PROTECTED] Sent: Thursday, June 19, 2003 1:45 PM To: Active Directory Mailing List (E-mail) Hi All! As we continue to "flesh out" our AD structure, we are trying to give delegation authority for various objects in OUs to the appropriate groups. Being a "control freak", I don't want to give these groups full control over all of the objects in the OU since this is also where our user accounts sit. We've done some experimenting with modifying the delegwiz.inf file to create custom templates but find that information for exact permissions needed to do a particular task is somewhat scarce. Has anyone put together a custom delegwiz.inf file that we could "borrow" from? Is there any literature out there regarding delegation that someone would recommend? Any help is always appreciated! Thanks! Mike Thommes Argonne National Laboratory List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/ List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
