I agree there are more medium companies than large ones. Couldn't be any
other way. However, I think the best practices are good for anyone as you
shouldn't depend on a single user for any given work unless the company is
tiny (like you know everyone and very little turnover). Especially if it
involves granting access to things. Small/Medium companies need to follow
good practices as much as or possibly even more than large companies simply
because they don't have the resources to bail them out when it gets screwed
up.

On the second statement, that is incorrect. 

Here is a dump from my environment with two groups managing each other. Only
the non-Security DL doesn't have the managedObjects backlink filled in. 

[Mon 03/29/2004  8:17:26.66]
F:\DEV\cpp\OldCmp>adfind -default -f managedby=*

AdFind V01.12.00cpp Joe Richards ([EMAIL PROTECTED]) May 2003

Using server: 2k3dc01.joe.com
Base DN: DC=joe,DC=com

dn:CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>objectClass: top
>objectClass: group
>cn: TestOU-GroupTestOU-DL1
>distinguishedName:
CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040327224354.0Z
>whenChanged: 20040329003348.0Z
>uSNCreated: 130338
>uSNChanged: 134833
>name: TestOU-GroupTestOU-DL1
>objectGUID: {51D054EA-CD6D-4BD4-B619-1A1B3830BEE5}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1118
>sAMAccountName: TestOU-GroupTestOU-DL1
>sAMAccountType: 268435457
>managedBy:
CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>groupType: 8
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20040327224635.0Z
>dSCorePropagationData: 16010101000001.0Z

dn:CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>objectClass: top
>objectClass: group
>cn: TESTOU-GroupTestOU-GrpAdmin
>distinguishedName:
CN=TESTOU-GroupTestOU-GrpAdmin,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>instanceType: 4
>whenCreated: 20040327224440.0Z
>whenChanged: 20040329003101.0Z
>uSNCreated: 130343
>uSNChanged: 134814
>name: TESTOU-GroupTestOU-GrpAdmin
>objectGUID: {8700F729-8B9F-4BD0-BAB9-60BB1B99A1E9}
>objectSid: S-1-5-21-1862701446-4008382571-2198042679-1119
>sAMAccountName: TESTOU-GroupTestOU-GrpAdmin
>sAMAccountType: 536870912
>managedBy: CN=NormalUser,CN=Users,DC=joe,DC=com
>managedObjects:
CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com
>groupType: -2147483644
>objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=joe,DC=com
>dSCorePropagationData: 20040327224635.0Z
>dSCorePropagationData: 16010101000001.0Z


2 Objects returned

[Mon 03/29/2004  8:18:49.97]
F:\DEV\cpp\OldCmp>




-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Sunday, March 28, 2004 10:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

Joe, I do basically agree with you on this, however it is not so uncommon
for medium sized companies (of which there simply are more than really
large ones) to allow just the owner of a group to change membership.  For
these companies this feature is rather handy, as you don't need to take care
of creating another group to manage a group...

The mechanism can't be used to allow granting the rights for a group to
manage a group, since group objects don't have the managedObjects backlink,
which is required to allow to set the managedBy attribute on an object in
AD. So you can just use a single user or contact.

/Guido

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Monday, March 29, 2004 02:38
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

I was actually pretty unhappy when I saw this functionality. You should
almost NEVER place single users on ACLs. MS themselves tell people this is a
best practice, use groups... Then they make it easy to do.  

At least allow people to select security groups to be placed in that
attribute... You can place groups in it if you use scripts... The larger the
company the less likely you will be wanting single users listed as who can
manage any one group. 


-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of GRILLENMEIER,GUIDO
(HP-Germany,ex1)
Sent: Sunday, March 28, 2004 7:16 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

If you're running E2k3 in a Win2003 AD, you might want to use the ManagedBy
attribute of the group after all: 2003 has a new function in ADUC, which
simplifies setting the permissions for managing group memberships for the
user defined as the manager of a group. 

You just have to select the new option "Allow Manager of group to change
membership" on the same tab in ADUC, which automatically grants "Write
Members" for the User Object on the respective Group object.

The obvious downside here is that you can only use this for a single user
object who is defined to be the manager of the group - you can't use this
approach to assign the permissions for multiple users or for a group that
contains all your users who should be granted the specific permissions...

But if you only have 1 delegated user for managing the group memberships,
this may still be a valid option.

/Guido

-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 27, 2004 23:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Exchange 2003 DL

They need WP (Write Property) on the member attribute of the group.  

Assuming the following

OU: GroupTestOU
Delegated Admin Group: joe\TestOU-GroupTestOU-GrpAdmin


You can use the following DSACLS command on the OU to delegate the ability
to change membership to all groups within the OU.  

dsacls OU=GroupTestOU,OU=TestOU,DC=joe,DC=com /I:S /G
joe\TestOU-GroupTestOU-GrpAdmin:WP;member;group

Note I highly recommend doing the delegation on the OUs versus on individual
groups as it tends to be easier to track down later. 

If you wanted it on one specific group the command would be like 

dsacls cn=testou-grouptestou-dl1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com /I:P
/G joe\TestOU-GroupTestOU-GrpAdmin:WP;member;



Note that if you have multiple domains and especially GCs from multiple
domains in the site with the Exchange Servers you will almost certainly run
into issues modifying group memberships through Outlook. It is all FUBAR
right now and being looked at to be corrected - look for previous posts from
me in the archives concerning the issues. If you have a single domain
deployment you will be fine. 

If you have multiple domains, I don't even recommend using Outlook to do the
management. Use the Find Person dialogs or use ADUC or a custom web site.

  joe



-------------
http://www.joeware.net   (download joeware)
http://www.cafeshops.com/joewarenet  (wear joeware)
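One way to audit the result of either approach above (the ADUC "manager can change membership" option Guido describes, or the dsacls delegation Joe shows), as an added example that is not from this thread: a PowerShell function that lists every ACE on a group granting Write Property on its member attribute, whether set directly or inherited from the OU. It assumes the RSAT ActiveDirectory module and its AD: drive; the function name is mine, and the DN is Joe's test group from the dump above.

```powershell
# Added example (not from the thread): list who can write a group's 'member'
# attribute. Assumes the RSAT ActiveDirectory module and the AD: PSDrive.
Import-Module ActiveDirectory

function Get-MemberAttributeWriters {
    param([Parameter(Mandatory)][string]$GroupDn)

    # Read the schemaIDGUID of 'member' and the GUID of the property set it
    # belongs to from the schema rather than hardcoding well-known values.
    $schemaNc     = (Get-ADRootDSE).schemaNamingContext
    $memberSchema = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(lDAPDisplayName=member)' `
                        -Properties schemaIDGUID, attributeSecurityGUID
    $memberGuid = [guid]$memberSchema.schemaIDGUID
    $setGuid    = if ($memberSchema.attributeSecurityGUID) { [guid]$memberSchema.attributeSecurityGUID } else { $null }

    $wp          = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    $acl         = Get-Acl -Path "AD:\$GroupDn"

    # Keep Allow ACEs that carry the WriteProperty bit (GenericWrite/GenericAll
    # include it), apply to this object (not inherit-only), and are scoped to
    # 'member', to its property set, or to all properties (empty ObjectType).
    $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (($_.ActiveDirectoryRights -band $wp) -ne 0) -and
        (($_.PropagationFlags -band $inheritOnly) -eq 0) -and
        ($_.ObjectType -eq $memberGuid -or
         $_.ObjectType -eq [guid]::Empty -or
         ($setGuid -and $_.ObjectType -eq $setGuid))
    } | ForEach-Object {
        [pscustomobject]@{
            Identity    = $_.IdentityReference.Value
            Rights      = $_.ActiveDirectoryRights
            Scope       = if ($_.ObjectType -eq $memberGuid) { 'member attribute' }
                          elseif ($_.ObjectType -eq [guid]::Empty) { 'all properties' }
                          else { 'Membership property set' }
            IsInherited = $_.IsInherited
        }
    }
}

# Joe's test DL from the adfind dump; substitute your own group DN.
Get-MemberAttributeWriters -GroupDn 'CN=TestOU-GroupTestOU-DL1,OU=GroupTestOU,OU=TestOU,DC=joe,DC=com' |
    Format-Table -AutoSize
```

After the OU-level dsacls command, the delegated group should appear with IsInherited set to True; after the ADUC option, the managedBy user appears as a direct ACE on the group.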
 
 

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Thursday, March 25, 2004 12:18 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] Exchange 2003 DL

I have an issue here that I am struggling with.  On Exchange 5.5, I was able
to add people to be able to modify the membership of DL through Outlook
without them having to be the Manager or owner of the DL.

Now that I am on Exchange 2003, what permissions do groups or user accounts
need to have in order to modify the groups through Outlook?


Justin A. Salandra, MCSE
Senior Network Engineer
Catholic Healthcare System
212.752.7300 - office
917.455.0110 - cell
[EMAIL PROTECTED]

List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
