Thanks for the kind words guys. The Active Directory Cookbook (the tuna book :) is due to ship on Tuesday - Sept 23rd. It is intended to answer many of the "How do I ...?" questions you might have about AD (at least as many that would fit in 600 pages). Here is the TOC: http://rallenhome.com/books/adcookbook/toc.html
Here is a sample chapter: http://www.oreilly.com/catalog/activedckbk/chapter/ch08.pdf

I'm taking requests for the next edition and for any suggestions I include I'll be sure to mention the requestor in the acknowledgements :-)

Regards,
Robbie Allen

> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Saturday, September 20, 2003 6:46 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Add computers to domain permissions
>
> "I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it."
>
> Even though my perspective might be tainted because of my work on the book - I would still highly recommend it. I have a very hard time believing that the editorial staff could have messed this book up to the point that it still wouldn't be one of the best available.
>
> And, Joe - like you, I am reviewing "Inside Active Directory" 2/e. What I've seen so far is pretty good. I'm heavily of the opinion that they really only needed to do an update - which, so far is what I've seen.
>
> The 'Cat' book - completely forgot about it. And, honestly, I don't know how. 'Deep' doesn't really even begin to explain it - it's a very comprehensive book.
>
> And, though I'm not the programmer you are, I have a copy of Gil's book (Thank You, Mr. Kirkpatrick and Ms. Dutcher!). I find it a steadfast resource when trying to understand HOW something works at the level below the interface.
>
> Joe, I do agree that there is no reference that lays out 'If you want to delegate the ability to do X, apply these permissions here, and at this level and apply inheritance to this SP'. I've used the information from 'Inside AD' to figure out much of what I've needed to do - sadly, most of it is still trial and error.
>
> So, Robbie - new chapters coming when?
> ;o)
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe
> Sent: Saturday, September 20, 2003 5:12 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Add computers to domain permissions
>
> Yeah Robbie's book is pretty good. I wish I got commission as I am pushing it to a lot of people, the cookbook layout is a good thing for that stuff. 2nd Edition should be started now and could look like Grey's Anatomy. I have been thinking for a long while about setting up something like that on my site but due to time hadn't done it. I won't do it now for a while even if I have time so Robbie gets properly compensated for taking the time to do it. I was actually asked, we know you helped review it, but do you think it is worth buying. I haven't seen what the O'Reilly's editors have done to it since I last looked, but from what I saw, yes buy it.
>
> Inside AD is really good as well. The security section is great as is the schema info, we learned things in there and told MS PSS that they didn't know. I actually just reviewed pieces of the 2nd edition of that one too, again Sakari is doing a good job. I caught myself a couple of times thinking, hmmm I didn't know that.
>
> I also like the Cat book (Active Directory by Alistar, 2nd Edition help from Robbie). Managing Enterprise Active Directory Services from Richard and Robbie - this is one of the deepest books I have seen. From AD programming standpoint I love Active Directory Programming from Gil.
>
> Overall though I don't think I have seen anything that really lays out the permissions and what you should delegate for different functional roles. That might make a good long chapter in the next cookbook. Also Robbie, don't forget the Exchange stuff in the next one.
> People need to be thinking about Exchange when doing stuff in AD otherwise they won't like being raped later when they install it.
>
> joe
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
> Sent: Friday, September 19, 2003 6:21 PM
> To: [EMAIL PROTECTED]
>
> Well, I'll give you two. One is going to be Robbie Allen's new book (due shortly). I reviewed it for tech content, (as did a few others here) and it's good - lots of code and geared towards Windows 2000/2003. It's called "Active Directory Cookbook" and is being published by O'Reilly.
>
> http://www.amazon.com/exec/obidos/tg/detail/-/0596004648/qid=1064009830/sr=1-3/ref=sr_1_3/103-2178319-6639029?v=glance
>
> The other one that I REALLY like as well is "Inside Active Directory". This book has an absolutely FANTASTIC chapter on AD security, permissions, etc. Overall, this is one of the best AD books I have (I don't have Robbie's in hand yet....;-) ) This book has been published by AW. 2nd Edition in the works - I'd say late this year.
>
> http://www.amazon.com/exec/obidos/tg/detail/-/0201616211/ref=pd_sbs_b_3/103-2178319-6639029?v=glance&s=books
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Fugleberg, David A
> Sent: Friday, September 19, 2003 4:50 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Add computers to domain permissions
>
> Rick - this brings up an interesting point...it seems like every time I want to do something like this (figure out exactly what permissions to set to allow group X to do task Y and no more), I have to hunt, dig, experiment, etc.
>
> I don't own every AD book ever printed, and barely have time to fully understand what's in the ones I have.
> Are there any good references that provide a 'cookbook' of common tasks and the minimum permissions required for them ?
>
> Dave
>
> -----Original Message-----
> From: Rick Kingslan [mailto:[EMAIL PROTECTED]
> Sent: Friday, September 19, 2003 4:41 PM
> To: [EMAIL PROTECTED]
> Subject: RE: [ActiveDir] Add computers to domain permissions
>
> Every now and then this mass of e-mail I keep around has value. I'd responded to a similar question a few months ago - so here is the response to that question:
>
> <SNIP>
>
> What you will likely need to do is to proceed along the following lines:
>
> 1. Right click on the OU of your choice and go to Security.
> 2. Select Advanced / Add / Select the group that you want to accomplish the task
> 3. By default, they should have READ, etc. Scroll down and select Allow Create / Delete Computer Objects
> 4. In the 'Apply on to:' dialog, select This Object and All Child Objects. Hit 'Apply' to save what we have so far.
> 5. Click 'Add' again in the Advanced Security dialog UI. Select the group for the task (same group as above).
> 6. In the 'Apply on to:' select 'Computer Objects' and grant Full Control
> 7. Click 'OK' until you completely exit
>
> This should do the following: Allow the selected group to Create and Delete Computer Objects within the OU in which this delegation was done (yep - still delegation - not done through the Delegate Control selection, but this *IS* what goes on behind the scenes anyway....), then we delegated the permission to fully control Computer Objects - allowing the ability to create the various attributes that make up a computer object - but only computer objects, and nothing else.
>
> As you go through this exercise, it's interesting to note how many permissions are associated with these objects. Notice that there is a properties tab, too! This is what allows one to change the name, etc., of an object as this is a property of the object.
>
> Take your time as you go through this. If you get a grasp of what happens in this delegation, then the rest of your permissions tasks will be much easier.
>
> Good luck!
>
> </SNIP>
>
> BTW - you CAN delegate permissions to the Computer Container much in the same manner.
>
> Rick Kingslan MCSE, MCSA, MCT
> Microsoft MVP - Active Directory
> Associate Expert
> Expert Zone - www.microsoft.com/windowsxp/expertzone
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rimmerman, Russ
> Sent: Friday, September 19, 2003 3:16 PM
> To: '[EMAIL PROTECTED]'
> Subject: [ActiveDir] Add computers to domain permissions
>
> We have many remote sites and an OU for each remote site. We're delegating our site admins permissions to their site OUs, and creating security group restriction policies to grant them local admin permissions on their user's desktops.
>
> The problem we're having is the site admins can't join new PCs to the domain. A Microsoft TS told us that AD will automatically add a PC to an OU that you have rights to, but this doesn't seem to be the case. It appears it's trying to add it to the builtin computers container instead, and the site admins don't have rights to that.
>
> How do we solve this? Is there some type of a script that we need to be using to do this? We don't want to use RIS. We want all our remote sites to be able to join computers to their OU at will.
>
> Thanks
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> This e-mail is confidential, may contain proprietary information of the Cooper Cameron Corporation and its operating Divisions and may be confidential or privileged.
>
> This e-mail should be read, copied, disseminated and/or used only by the addressee. If you have received this message in error please delete it, together with any attachments, from your system.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> List info : http://www.activedir.org/mail_list.htm
> List FAQ : http://www.activedir.org/list_faq.htm
> List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
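
The seven GUI steps in the quoted 19 September reply, scripted as an added example (not part of the thread or of the Active Directory Cookbook). The OU distinguished name and the group name are hypothetical placeholders, and the script assumes the ActiveDirectory PowerShell module and rights to modify the OU's ACL.

```powershell
# Added example: the thread's GUI delegation expressed as two ACEs on one OU.
# Hypothetical values: the OU DN and the group name below.
Import-Module ActiveDirectory

$ouDn  = 'OU=SiteA,DC=example,DC=com'
$group = Get-ADGroup -Identity 'SiteA-Admins'
$sid   = [System.Security.Principal.SecurityIdentifier]$group.SID

# Read the computer class GUID from the schema instead of hard-coding it.
$schemaNc     = (Get-ADRootDSE).schemaNamingContext
$computerCls  = Get-ADObject -SearchBase $schemaNc `
                    -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid = [Guid]$computerCls.schemaIDGUID

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$acl   = Get-Acl -Path "AD:\$ouDn"

# Steps 2-4: Create/Delete Computer Objects, this object and all child objects.
$createDelete = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow,
    $computerGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)

# Steps 5-6: Full Control, applied onto Computer objects only.
$fullControl = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericAll,
    $allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($createDelete)
$acl.AddAccessRule($fullControl)
Set-Acl -Path "AD:\$ouDn" -AclObject $acl

# Check: list only the ACEs the delegated group now holds on the OU, so the
# result can be compared against the two entries intended above.
(Get-Acl -Path "AD:\$ouDn").Access |
    Where-Object { $_.IdentityReference -like "*\$($group.SamAccountName)" } |
    Select-Object ActiveDirectoryRights, InheritanceType, ObjectType, InheritedObjectType
```

A machine joined without an explicit OU still lands in the default Computers container the original poster describes; `Add-Computer -OUPath` names the delegated OU at join time.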