Hi Joe,

Usually I can follow what you are saying, but now you have lost me. You don't use global groups. So what _do_ you use, and why? U->L? Why is that any better? Or do you get by with DL only?

-- Regards, Willem (confused…)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I have gotten A LOT of offline responses to this post. I am concerned at the responses however... I am getting several responses of "well you were allowed to set it up right" or "your management is helping you" etc... Folks, management isn't helping with much at all. My direct supervisor backs me almost 100%. He realizes he pays me to be the one who knows the right thing to do and is close enough technically to have an understanding of the things that I am trying to protect us from. Above that, my management is on the bad side of clueless and I fight with them just as much as I fight with management from other teams and or divisions, etc. Our group is for some reason under the Exchange Manager which means that anything that is Exchange is supposed to automatically go through. I don't go this way because usually the requests never have an answer to the question why. Not doing what they ask puts me in an argument with my manager's manager and that seems to be a pretty constant state of being with both good weeks and bad weeks.

We have been told to rerun Forest Prep and Domain Prep in the past because someone couldn't install something and they busted their heads on it for a week. PSS Alliance actually said hmm with that error.... Rerun Forest and Domain Prep, don't worry it won't change anything....... Right off the bat... :o) ....IF it won't change anything, how the heck is it going to fix anything? My next response was, how did you troubleshoot this? Followed by... and where is the network trace showing the problem? So I get them to do the simple network trace (hehe) and it showed that the issue was that the DC Exchange chose to use for its work wasn't in WINS [1]. Exchange was getting the fully qualified name in its initial query, chopping the name down to just the short host name, and trying to resolve it against WINS... And it couldn't find what it needed to and threw a really bad error. Bug thankyouverymuch. I could have easily run Forest Prep and Domain Prep but there was no way I was going to, they couldn't explain why it was needed. Running those processes would have fixed nothing and would have wasted my time and would have set a bad precedent of just doing what was told even though the answer to the question WHY was nowhere to be found.

That isn't the only example I have with the Exchange stuff, I have 7+ months of examples. I have to say though that now Michigan has a couple of the best Exchange MCS guys in existence I think, every time they came to me they had to know what they were talking about. I would smile when I would go into the lab and see them hunched over netmon swearing or on the phone with someone at PSS saying, umm no it doesn't work that way and we can prove it. The fun I had with these guys and watching them learn more and more almost has me considering going to work for MS even though it probably means a serious pay cut. I would like to go into other situations with them though and see what they learned and how it helps them solve new problems that much quicker. Plus they are good guys trying to do the right thing and will fight for it as much as they can - I respect that. Matt/John, my hat's off to you.

Outside of that I argue with every single team that comes to us telling us we have to change to suit them. If they have a good change, bam they can easily win the argument because they know what they are talking about, have looked at the alternatives and it makes corporate wide sense and bam it gets handled. However change done quickly and for small things (i.e. not global everyone needs it) is generally bad. The people thinking up the changes are almost always looking out only for what they need and don't have any understanding whatsoever of the rest of the world and what needs to be in place for them. That is why you have an AD team so they can see the big picture and protect the infrastructure. No one consumer should ever drive you to just start changing things unless it makes sense for everyone. This means that the AD team should be off on its own, it shouldn't be reporting to the management chain of ONE of the consumers of the services provided. It shouldn't be under the file and print people, it shouldn't be under the exchange people, it shouldn't be under the storage people, the web hosting people, the TS people, it should, in my opinion, be under Security and should have a huge stick. AD's primary responsibility is the stable consistent and correct authentication and authorization of users. Everything else is secondary. If AD falls down on those first two, nothing else is worth a thing. Once you get past those first two, make it manageable by a small core group because not many people should have the ability to get in and do things with domain controllers. 3-4 people for 400-500 DC's is great. If you have a couple of hot automation developers that front end them, you can have the perfect setup. If you have 15 domain controllers in one domain and 10 Domain Admins, you have a huge issue. Either admins who really aren't, or people with far too many rights.

My favorite story right now and the one that has me on the absolute edge of being released from my contract as I type this is that we have a manager of the storage group who has a big issue with EMC Celerras not really working right. They say they are like Windows servers only better. Heh, yeah. Any EMC people on this list, fix your shit, and I don't believe your 100 day line anymore either. Any way, ONE way to fix ONE of their many outstanding problems is to use a Global Group. There are other ways to fix this problem and our standard is not to use global groups and we have some outstanding reasons for it [2]. The manager however is mad that he is told no so keeps pushing it and I say no harder. His whole argument is that he has a team that will support something globally and he will have people around the globe doing it so they need a global group.... Of course this makes no sense. However he feels he has been wronged because he was told no and now in order to get his way he starts to question the entire group strategy worldwide and question whether we know what we are talking about because he is concerned about the future direction and etc etc. This is of course all insane and completely out of range of the problem and at this point he doesn't even care about his problem, he was told no. He goes so far to send an email to Microsoft to question whether we know what we are doing or not. All of this from someone in a group doing storage on *nix based giant disk drives because the product doesn't work right. Note further that this is a guy without technical Windows knowledge and his work exists far outside the realm of the Windows Admins. He wants what he wants and will stomp on anyone in his way to get it, whether what he wants makes any sense or if it is even harmful (as it actually is). I said no. He is my manager's manager's manager's peer. They are buddies up at that top level. I am currently wondering if I will be around a month from now, but I will not allow someone to do something stupid so I can keep my job supporting that stupid solution. Again, I don't want to manage a shitty environment, so I am not going to allow shit to happen.

These are just a couple of examples. I have been on the edge of packing a box so many times I keep boxes under my desk. It will not be with the greatest happiness that I would leave but it wouldn't be the worst thing either. You have to stand up for what is right and as you can see, no one is just "letting" us do all of this stuff the right way; we fight for it because it is the right thing to do. If you see something wrong in your company and you don't fight it and publicize that it is wrong, you are just as at fault as the people who put it there or told someone to put it there. If someone wants to do something in a really bad way and jeopardize the technical infrastructure, I will call them out on it. They need to prove why it is needed and why it can't be handled in some other way. If they can't I won't do it and either management will be forced to stand behind me or forced to let me go. I will say I am "lucky" if you can call it that in that I have a great track record on being right and a lot of people know things run correctly because of me and there aren't a lot of people that can make things run like I do. Also, and more importantly in my eyes, is that I have a lot of respect from people because everyone knows I will do this equally to anyone coming to me, I don't pick favorites and I don't play the political game. I was told to build and support a best in class environment, I will do whatever I feel it takes to do so; that is the job I accepted. More people have to be knowledgeable and stand up in this same way. If only a few people here and there do it, not much will improve unless the individual can really pull it off. If everyone starts standing up for the right thing, maybe things can get better overall.

I do realize some people are in positions where they can't question the status quo or the stupid things being done due to family obligations, poor conditions otherwise, etc. If you fall in this category that is absolutely fine and I understand, right up until you start to complain that your environment sucks. If you don't try to fix it, you can't complain. Don't sit off in the back room or at lunch or wherever and moan and complain where it does no good. You either make the best of it or you work to fix it.

joe

[1] Due to our WINS architecture, none of our remote Domain Controllers are listed in the main WINS records that replicate around; they only exist on the local WINS Server / Domain Controller - think large distributed company and you will understand many reasons why.

[2] We don't use global groups because they SUCK in a large multimaster environment. The UGL Model is horrendous when you are talking tens of thousands of groups with resources spread across the multiple domains. There is a ton of waste and a ton of confusion and not to mention auditing where and how that group is being used is pretty much impossible. Universal groups still have the same auditing issue but at least you get away from UGL but with W2K you had some serious issues with replication traffic and of course you don't need all of that info everywhere. Additionally once you start placing people in UNI groups that aren't from their home domain your GCs start having to go everywhere so you can get all of your memberships. Otherwise you can have inconsistencies in access rights which would throw local support people over the edge.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

Define manage. What specifically do they need to do to the DCs? How many DCs do you have? I'm curious. I have just under 400 domain controllers with 2 guys doing full time admin work from one place in the world (with me getting sucked into silly design meetings with people who can't spell Windows) and we don't let anyone else log into our DCs. I'm just wondering if we are doing amazing things or we just aren't doing the job right.

If we are doing amazing things I will be that much closer to writing the book Robbie keeps kicking me about. :oP

I'm being serious about wanting to understand.

thanks, joe

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kaluza, Mike

Has anyone got an answer to the Protected Groups inheritance problem? Our Windows 2000 servers are running service pack 4. Which as I understand means that the Server Operators group has now become a Protected Group. We have Site Administrators who are members of the Server Operators group because they need to manage the DC in their site.

Problem is they have no control over their site admin account. If you delegate permissions to them or a group the account belongs to these permissions are removed within the hour due to the SD Propagator thread running and removing the permissions based on AdminSDHolder.

I thought I found an answer to the problem. Which suggests changing the value of adminCount on the affected groups and user accounts. I understand that the SD Propagator thread checks the value of adminCount and if set to 1 removes any inherited permissions.

I tried this and it did not work.

Does anyone know if this method does work or is there an alternative? We don't want AdminSDHolder to inherit permissions - MS don't recommend this. We just want Server Operators to inherit permissions (directly or indirectly).

Regards
Mike
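The following PowerShell audit is an added example, not code from the thread or from any of its posters, and it serves two passages at once: Mike's question about why permissions delegated to Server Operators members vanish within the hour, and joe's footnote [2] complaint that auditing where a group is actually used across nested scopes is close to impossible. It assumes the RSAT ActiveDirectory module, a domain-joined session and read access to the domain; the protected-group list, the function names (Get-ProtectedChain, Get-AdminSdHolderReport) and the output layout are my own choices and not anything the posters described. For every protected group it walks nested membership, records the chain of groups (with their scope) through which each principal is reached, shows whether the SD Propagator has already blocked ACL inheritance on that principal, and finally lists objects still stamped adminCount=1 that no protected group reaches any more.

```powershell
# Added example, not part of the thread. Audits who the SD Propagator stamps from AdminSDHolder
# and through which nesting chain each principal gets there.
# Assumes: RSAT ActiveDirectory module, domain-joined session, read access to the domain.
Import-Module ActiveDirectory

# Groups whose members the PDC emulator re-stamps from AdminSDHolder (every 60 minutes by default).
# Server Operators is the one Mike hit after SP4; trim or extend the list for your forest's OS level.
$ProtectedGroupNames = @(
    'Administrators', 'Domain Admins', 'Enterprise Admins', 'Schema Admins',
    'Account Operators', 'Server Operators', 'Print Operators', 'Backup Operators'
)

function Get-ProtectedChain {
    # Walks one group's membership recursively and emits a record per (principal, path),
    # so the report shows *how* a principal is reached, not only that it is.
    param(
        [Parameter(Mandatory)] [string] $GroupDn,
        [string[]]  $Path = @(),
        [hashtable] $Seen = @{}      # shared across the recursion: cycle guard + "reached" set
    )
    $group = Get-ADGroup -Identity $GroupDn -Properties member
    $Path  = $Path + ('{0} [{1}]' -f $group.Name, $group.GroupScope)
    $Seen[$group.DistinguishedName] = $true

    foreach ($dn in $group.member) {
        try {
            $obj = Get-ADObject -Identity $dn -Properties objectClass, adminCount -ErrorAction Stop
        } catch {
            # A member DN from another domain does not resolve against this domain's DC: the
            # cross-domain lookup dependency joe's footnote [2] describes. Report it, don't hide it.
            [pscustomobject]@{
                Principal = $dn; Class = 'unresolved'; AdminCount = $null
                InheritanceBlocked = $null; Via = ($Path -join ' -> ')
            }
            continue
        }
        if ($obj.ObjectClass -eq 'group') {
            if (-not $Seen.ContainsKey($dn)) {          # groups can nest each other; visit once
                Get-ProtectedChain -GroupDn $dn -Path $Path -Seen $Seen
            }
            continue
        }
        $Seen[$dn] = $true
        # SDProp copies AdminSDHolder's ACL onto the object and disables inheritance;
        # AreAccessRulesProtected is the flag behind what Mike saw "removed within the hour".
        $acl = Get-Acl -Path "AD:\$dn"
        [pscustomobject]@{
            Principal          = $obj.Name
            Class              = $obj.ObjectClass
            AdminCount         = $obj.adminCount
            InheritanceBlocked = $acl.AreAccessRulesProtected
            Via                = ($Path -join ' -> ')
        }
    }
}

function Get-AdminSdHolderReport {
    # Members: every principal reachable from a protected group, with its nesting path.
    # StaleAdminCount: objects still carrying adminCount=1 that no protected group reaches.
    # Leaving a group clears neither adminCount nor the blocked inheritance, so these stay
    # locked down until an admin cleans them up (krbtgt is protected directly and is expected here).
    $seen    = @{}
    $members = foreach ($name in $ProtectedGroupNames) {
        # Enterprise Admins and Schema Admins exist only in the forest root domain.
        $g = Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue
        if ($g) { Get-ProtectedChain -GroupDn $g.DistinguishedName -Seen $seen }
    }
    $stale = Get-ADObject -LDAPFilter '(adminCount=1)' -Properties adminCount |
        Where-Object { -not $seen.ContainsKey($_.DistinguishedName) }
    [pscustomobject]@{ Members = $members; StaleAdminCount = $stale }
}

$report = Get-AdminSdHolderReport
$report.Members | Sort-Object Principal |
    Format-Table Principal, Class, AdminCount, InheritanceBlocked, Via -AutoSize
"`nObjects with adminCount=1 that no protected group reaches:"
$report.StaleAdminCount | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize
```

Read the Via column against joe's footnote: each arrow is a group hop, and each hop that crosses a scope boundary (global into universal, universal into domain local) is one more place the membership has to be resolved before you know who really holds the right. For Mike's case the useful rows are the site admin accounts reached through Server Operators: as long as an account appears in that list, the PDC emulator will keep re-stamping adminCount=1 and re-blocking inheritance on every run, which is why clearing adminCount on an account that is still a member does not stick. The stale list is the other half of the housekeeping: accounts that were pulled out of a protected group keep the AdminSDHolder ACL and adminCount=1 until someone resets both, so delegated permissions on them stay ineffective even though they no longer need protecting.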
"This transmission is strictly confidential and intended
solely for the addressee. It may contain information which is covered by legal,
professional or other privilege. If you are not the intended addressee, you
must not disclose, copy or take any action in reliance on this transmission. If
you have received this transmission in error, please notify us as soon as
possible." |
Title: AD Protected groups