Then there's the little gripe of..... Publishing an Exchange attribute in MSDN and then UN-publishing it in "oops" style, after you find out you really really WANT to address this multi value attribute in a script, and not a one line GUI....... *SIGH*
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: 09 March 2004 09:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT: Exchange 2003 Hardening Guide

Good god Rick, you are going to scare the crap out of everyone and I'm not going to be allowed near Redmond nor anywhere else.... I am going to wear a tag that says, Hi, my name is !joe.... Ok if you don't get that.... c humor.

Although.... We now have a fun issue where the RUS is building address lists for us and a specific filter works perfectly fine on one RUS against one Admin Site but doesn't work on another RUS servicing two other Admin Sites... It isn't that it isn't building the lists, it is just ignoring the filters we have for the lists.

Anyway, I intend to be very nice and very civil and generally well lubricated everywhere I go when I am out there. :o)

If I speak with the Exchange guys at all it will be along the lines of.... AD is A Directory, it isn't YOUR directory. Oh, and "In order to call this enterprise ready and scalable, you have to be serious about command line tools and scripting - and not just from the command prompt of an Exchange Server.". Finally, something along the lines of "The fact that the Exchange admins aren't using the command line and scripts heavily is more a function of what the Exchange Dev Team has done than what the Exchange Admins' capabilities are". Oh wait another one... "Enough with the spaces in the DN's already.... Use command line tools once in a while to query your stuff in AD....". I never used LDP, until I had to start poking around in the config container looking at Exchange crap.

Of course after this posting from you, I should expect snipers on the roof of SeaTac when I fly in and wondering why I will be getting that extra special attention when I get off the plane... If anyone asks I'm flying in on Monday the 5th....

Actually, I would like to have the main point of topic be....
Group Management, do we have the right groups we need to really do this stuff well and how exactly should this stuff be managed.... Personally I am looking for a group that is a cross between a universal group and domain local group - call it super duper group or the BAM group. You can put anyone you want in it, it can be used on any resource anywhere, but its membership isn't in every GC because we make it unnecessary by good cross partition backlinks for memberof. No more chasing across partitions looking for group memberships. If we have good cross partition backlinks, we don't need membership in the GCs for the groups. Also a user has to get back to a DC of their domain to authenticate anyway, all of the info should be there for his ID. Why have to go to a DC of your domain and then ALSO go to a GC to get some more stuff. Just inefficient I tell you.

Oh and maybe hard links between AD/AM and AD. You don't replicate the data from the user object to AD/AM and then add to it. You have the specific App info in AD/AM and it references the user object in AD via GUID or whatever. Ditto in AD, a field that references additional info in AD/AM's. So if you pull a record for a user, you can say, grab additional data and it chases out to AD/AM(s) to get the extra stuff. Slows down the whole having to keep things in sync everywhere business which is rather a pain. Of course LDAP search rules and implementation of same gets a little interesting...
joe

-------------
http://www.joeware.net (download joeware)
http://www.cafeshops.com/joewarenet (wear joeware)

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Wednesday, February 25, 2004 8:28 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] OT: Exchange 2003 Hardening Guide

Given that we discuss a number of topics in this list, and that Exchange has taken its beatings at my hands, as well as joe's and many others - it's about time that there was some good news on the Exchange front.

Microsoft has released - as of yesterday - a hardening guide for Exchange 2k3. Not that any of what they are saying is exactly revolutionary, or other than good common sense, but that the Exchange team, too, has gotten religion.

This, coupled with the fact that I suspect that Redmond is beginning to build fortifications around the Exchange team offices, because they know Joe is coming. And, when Joe Richards gets there in April - the shit's going to hit the fan. I just HOPE I'm close enough to enjoy the action. :o)

Finally, I can't take credit for coming up with this. Susan Bradley, spunky Small Business Server and Security maven that she is, turned me on to this. I'm just editorializing and passing it on to the good folks on this forum. Enjoy!

This book guides you through the process of hardening your Exchange 2003 environment, including configuration recommendations and strategies for combating external threats.
http://www.microsoft.com/downloads/details.aspx?familyid=6a80711f-e5c9-4aef-9a44-504db09b9065

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food

List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/