What I mean by 'I can't imagine all of the explicit grants' is where I probably need to have a clearer explanation on what you are doing if you're NOT using Globals (I'll leave Unis out of it) in a multi-domain environment. What I mean is this: I have a resource in DomainA that userB needs to get to from DomainB. We'll assume that DLGA is managing permissions to the resource. If that user is a member of DLGB in DomainB, I can't get him to DLGA in DomainA - Unless there is something that I'm really missing (Because I can't make a DLG a member of a DLG in another domain). In my experience - you have two options: * Explicitly grant the user membership to DLGA * Create a Global group (GGB), put the user in GGB, then make GGB a member of DLGA. So, please - enlighten me. You've opened my eyes before on things that I've just flat discounted. Clearly, I'm missing something here. As to Exchange, you and I have already beat the crap out of that dead horse. IMHO, the only way to fix the very flawed security model is to strip it down to protocol and database, and build from there. It's a mess with no possibility of real redemption or repair. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone
_____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Saturday, August 23, 2003 10:13 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group What do you mean by "I just can't imagine all of the explicit grants."? Is this an Exchange reference. If so, block out Exchange, they didn't know what they were doing when they wrote that application. Bad bad example of an AD application. We may actually have to cave and create a couple of mail enabled Uni groups for some stupid security stuff in Exchange. We asked why we can't use DLG's and they said you just can't (I love those technical explanations out of the Exchange Support and Dev groups). Then at one point a mistake was made and it was said that Globals would probably work which meant that DLG's would work as well and smashed their argument for Uni's at which point I attacked and then they recanted and it was no no no only Uni's will work. Problem is, I don't think there are many people if any that understand that P.O.S.. As for the chasing perms. If you use all DLG's you know that all NT Native Security uses of the group are within the one domain (you can do some tricks if you have your own security system). So if you have say the whole world and you get asked by a the security group where could this group have permissions at you can say, only on machines within this domain versus, well any machine in any of these 9 domains (meaning hundreds of thousands of machines). With W2K3 we will probably end up looking at Uni's again because at least the replication piece is better but I really do not see the purpose in replicating member information for a group that is used in one site in say Arizona to the entire world. Also if you have tens of thousands of groups like we do and those groups see lots and lots of daily membership changes which they do (one site I talked to processed at least 1500 individual group changes a normal business day) that is a lot of replication of a lot of data that doesn't need to be used anywhere but in one site. Also when I mention the denys it is only on AD (excluding the Exchange container in the config partition) that I am speaking for because I am the one that controls that security. File systems and other ACL's on resources directly can be set with anything the local person in charge wants to do. If they call me asking me for help though the first thing I do is ixnay on the deny's if they are doing it for silly reasons. Most people tend to hurt themselves more than help themselves with deny's. An deny's in AD are not fun to work through. Also misordered ACL's with denies is fun too... No one would do that on purpose would they... oh wait... joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Sunday, August 17, 2003 11:43 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group Hmmm. Well, I guess whatever works for you. I just know that I have a heck of a time with UPN resolution taking a long time with our IOCs - yes, some are in their own forest with Trusts. But, I just can't imagine all of the explicit grants. Maybe I'm just a bit backward but I haven't really found it all that tough to track any one user's permission and membership trail to the point were I wouldn't want a Global group managing the cross domain 'collection' of users. And, the only denies that I have are on IIS servers. I don't know of another deny in our entire structure. But, then - you're dealing with something that, as I remember - is about 7 times as large as mine. But, then, I am the guy who forgot that DC Administrators group and a member server local Administrators group weren't actually the same thing. So, what do I know.... ;-) Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Sent: Sunday, August 17, 2003 12:38 PM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group We like to limit the security scope of the groups. Very difficult to chase permissions across the world when someone asks, what does this group have access to? At the worst, the permissions can only be applied within a specific geographic region or at least the machines that are part of it. Additionally, DLG's can take members from all domains and we don't have to have two or more groups for every resource being tied down (i.e. no user-global-local-permission nesting). People can do as much DLG nesting as they feel they may want to do which is ok. Resolution of the groups is easy as you don't have to have DC's chasing over to other Domain's DC's for the resolution. All of our permissions on the directory are grant perms with passive denies and most of that delegation is within the default partitions so it all works well. I HATE active denies, troubleshooting is a nightmare when you have to chase through that. Exchange has been a bit of a challenge since the E2K Dev guys figured AD was specifically built for them and so they just figured anything they thought was good for Exchange was good for an entire company but I will let you know how we fair with that in the end and they figured they should just put everything important to them in the config container. Personally I think that MS has to treat Exchange like a foreign app that they purchased and do the whole rewrite from the ground up strategy but this time use people who actually understand the directory they are trying to tie into. Also this time make heavy use of AD/AM, no point in all of that data being sent over an entire company when they use a centralized Exchange architecture. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Saturday, August 16, 2003 10:59 PM To: AD mailing list (Send) Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group "Put down the beer Rick", come now - Rick is far too sophisticated to be drinking beer ... "Put down the Beaujolais" seems more apt (actually, with all that crap said ... I know for a fact he drinks beer ... the phrase like a fish actually springs to mind) - just teasing Rick! Joe, I was wondering why you choose to use mostly DLGs and if you've encountered any behavioral oddities when using them to assign permission to the directory itself. Dean -- Dean Wells MSEtechnology * Email: [EMAIL PROTECTED] http://msetechnology.com <http://msetechnology.com/> -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Sent: Sunday, August 17, 2003 10:46 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group Put down the beer Rick... DC's have the local groups, especially administrators. If you didn't block you would get the specialgroup in your Domain Controllers administrators group. I have tens of thousands of local groups on my domains. We don't use Global/Universal except builting, everything else is DLG. joe -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan Sent: Saturday, August 16, 2003 10:36 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group Deji, Good example - I like it, but I'm curious on one thing. You state that you block it at Domain Controllers. I'm not sure why, as DCs have no local groups. If you're just being specifically cautious, great. Me, I don't see the need to block it at the DC OU as it won't affect anything. Rick Kingslan MCSE, MCSA, MCT Microsoft MVP - Active Directory Associate Expert Expert Zone - www.microsoft.com/windowsxp/expertzone _____ From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Saturday, August 16, 2003 1:15 AM To: [EMAIL PROTECTED] Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group This is what I have in a batch file: net localgroup administrators if NOT %errorlevel%==0 GOTO :GERMAN net localgroup administrators /add myDomain\specialGroup GOTO :END :GERMAN net localgroup administratoren /add cmyDomain\specialGroup :END I then add the batch file to a Machine Startup GPO at the Domain Level, blocking it at the Domain Controllers. HTH Sincerely, Dèjì Akómöláfé, MCSE MCSA MCP+I www.akomolafe.com www.iyaburo.com Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon _____ From: [EMAIL PROTECTED] on behalf of Narkinsky, Brian Sent: Fri 8/15/2003 7:33 AM To: [EMAIL PROTECTED] Subject: [ActiveDir] Add junior admin to Local workstations admin group I need to add two users to the local administrators group of every machine in an OU. I've looked at restricted groups GPO but, this doesn't really seem to do what I want. I don't need to restrict just add. I am also looking at writing a script to run at boot ,but again not sure there isn't an easier way. Any Ideas? Brian Narkinsky List info : http://www.activedir.org/mail_list.htm List FAQ : http://www.activedir.org/list_faq.htm List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
<<attachment: winmail.dat>>
