Oh this is probably going too far but.....
No, that three-day old stanky can I would call Exchange. It seems to be necessary even though there are other things you can use but seems to be the most efficient and handy of the bunch, it just smells really bad when you have to use it and you always seem to cut yourself when opening it up to use. :o) Personally I use dry catfood, self contained, doesn't make a huge mess, good for the cat's teeth and doesn't stink up the house. It may not be the cat's favorite but it gets the cat what it needs. Sort of like POP3/SMTP Standards based email.
DCDIAG would probably be your Dr. Spock's book for cats.
The laxetone from the cat world (used to clean out the intestinal tract of various collected debris) would be similar to oldcmp which blows away old computer accounts...
Adfind would be like saying here kitty kitty... Where is that d**** cat!?!
Unlock would be like when you accidentally shut the cat in the closet and you discover it and have to let her out.
OK this is going down hill. The Exchange piece was fun... Can't think of anything for Universal Groups for Guido.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Sunday, May 16, 2004 9:43 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)
So what you're saying is that the Deleted Objects container is sort of like a litter box, and you have to clean out the litter box occasionally?
If that's the case, then what in AD is like the smelly 3-day old can of cat food with the nasty crust on the top? DCDIAG?
-gil
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 16, 2004 6:29 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)
Wow I just reread this and thought.... I need to stop writing like this or I am going to be like Wook....
:o)
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Sunday, May 16, 2004 9:02 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] [OT] Cats & dogs (was A root dc question)
LOL!
You see, you have to groom cats like you groom Active Directory. If you don't take care of the excess crap in AD it will barf on you, just like a cat will barf if you don't take off the excess fur with brushing.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: Saturday, May 15, 2004 11:57 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Cats & dogs (was A root dc question)
Oh my, this has flamewar written all over it. Oil and water, Palestinians and Israelis, Microsoft zealots and Novell bigots, dog people and cat people. This thread can go nowhere but downhill.
But what the heck, I'll give it a little shove.
Joe, I really have trouble putting "refined" and "yakking up a hair ball" in the same paragraph.
The way I see it, cats are a lot like mop heads. You can wash the floor with 'em, but it's a lot easier if you stick a handle up their a** first.
-gil
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Daniel Gilbert
Sent: Saturday, May 15, 2004 8:20 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
Cats treat humans like slaves, now a Dog, it knows how to greet you at the door after a rough day in the forest. Ever come home after a rough day and have the Cat greet you with anything other than disdain?
Dan
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Saturday, May 15, 2004 11:10 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
Cats rock. They play with you, you just don't usually realize that they are playing because they don't come up and drool on you. A dog is like beer, harsh and in your face. A cat is like wine, very smooth and gentle and refined. I can leave the house for days and know the cat will be fine and won't have destroyed anything other than walking back and forth across my Zen garden on my computer desk.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 5:00 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
Never liked cats much - what fun are they? At least a dog will play with you. I nearly whacked one with a paint roller whilst painting the front porch a couple of years ago. The school drama department took it upon themselves to paint a very nice recital hall (not auditorium/theater) which had white walls and a gloss varnish floor black. Since they destroyed the space, I'm trying to start a movement whereby anyone who does a show in the space is required to paint something on the walls.
--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035
-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 11:46 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
I think he was apologizing for working on Novell... :oP
Personally I am sitting here posting because I am waiting for a second coat of paint to dry. Before I take off some masking tape and put my furniture back in place. And I must tell you, it is a joy to paint with white paint when you have a curious black cat. I have little white cat footprints across my kitchen floor now and a cat that is no longer all black. Ever see a black cat with a white nose and white pads, pretty funny. She sneezed paint all over my leg too.
As for the learning part, yes learn away. That is why some of us give very long winded drawn out responses in the first place. A lot of these questions could be answered with Yes, no, maybe, don't be stupid, or go hire someone who knows but the goal is to increase the knowledge base around Windows AD so that it gets run properly and less is ascertained to be Magic. A lot of people think I give long responses because I like to talk (or write). Actually it is because I like to hear others learn. The more everyone learns about this stuff, the better for all of us as we will all be watching out for the same things and beating vendors into doing things right. I actually had a recent near experience with a vendor that had previously encountered some knowledgeable AD guys at Cisco. When our people encountered them, it was like, wow, your stuff actually looks good! Saved some time and headaches.
joe
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Brian Desmond
Sent: Thursday, May 13, 2004 11:14 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
Finally, i want to apologize again. i came from a Novell environment and inherited my current AD set up and i'm afraid i'm using you as a learning tool to get deeper into AD internals and i want to apologize for wasting your time. I've read robbie allen's Active Directory and most of the Distributed Systems Guide of the Windows 2k resource kit and both while excellent don't seem to answer all my questions esp, things like this post.
Perhaps you could just recommend a book or site?
thanks for your time, everyone.
I'm not sure why you're apologizing for wanting to learn. I don't think anyone who actively participates on this mailing list is here just to shoot the breeze & dick around, but rather to learn and share knowledge. So, I say fire away, I'll certainly jump in on a thread if it's something I know about...
--Brian Desmond
[EMAIL PROTECTED]
Payton on the Web! Http://www.wpcp.org
v: 773.534.0034 x135
f: 773.534.0035
-----Original Message-----
From: Kern, Tom [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:36 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
1. i'm not really interested in hacking my AD, so i'm not asking for that bit of info. i just wonder why it exists and i'm sure googling it will turn up a lot of "how to's", which makes me wonder why MS doesn't have a fix for it?
2. so aside from politics or the inability of corps to collapse their NT domain structure into OU's, you're saying there really is no reason for multiple domains at all (or maybe to limit rep traffic of the domain naming context across the forest?)?
3. unfortunately our root domain is in Maryland and we are in New York, so we can't really be sitting next to each other.
Finally, i want to apologize again. i came from a Novell environment and inherited my current AD set up and i'm afraid i'm using you as a learning tool to get deeper into AD internals and i want to apologize for wasting your time. I've read robbie allen's Active Directory and most of the Distributed Systems Guide of the Windows 2k resource kit and both while excellent don't seem to answer all my questions esp, things like this post.
Perhaps you could just recommend a book or site?
thanks for your time, everyone.
-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 9:49 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
Anyone with rights to get to mess with any domain controller in a forest can compromise the forest, again a domain is not a security boundary. Someone may not have the knowledge which appears to be the case here (and I am not going to give that knowledge out), but it is possible just the same.
This falls in line with something I said earlier to another post... Just because someone doesn't know how to get around certain security precautions doesn't mean others don't. A domain controller is a very special device on a network, if compromised, you could have a forest wide issue.
The number of domain admins in a forest honestly should equal the number of enterprise admins in the forest. That number should be small. Less than 10 at the largest. Less than 5 is much better. They should also all be under the same management chain and even better sit within walking distance of each other so everyone is on the same page.
I often hear.... that can't be done... Sure it can. I've done it in a rather large globally distributed company. The delegation model is very strong in AD, most people should have delegated rights. Just takes work.
joe
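One way to check the guideline in the message above (Domain Admins across the forest should be the same small set as Enterprise Admins), as an added example that is not part of the original thread. The function names `Test-ForestAdminModel` and `Get-ForestAdminSets` and the sample forest are hypothetical; the live collector assumes the ActiveDirectory PowerShell module.

```powershell
# Added example, not from the thread. Limits are the ones stated in the message
# above: fewer than 10 forest-level admins at most, fewer than 5 preferred.
function Test-ForestAdminModel {
    param(
        [Parameter(Mandatory)][hashtable]$DomainAdmins,  # domain -> member names
        [string[]]$EnterpriseAdmins = @()
    )
    $ea = @($EnterpriseAdmins | Sort-Object -Unique)
    # A domain is not a security boundary: count every Domain Admin forest-wide.
    $all = @(@($DomainAdmins.Values | ForEach-Object { $_ }) + $ea | Sort-Object -Unique)
    $extra = foreach ($d in ($DomainAdmins.Keys | Sort-Object)) {
        foreach ($m in $DomainAdmins[$d]) {
            if ($ea -notcontains $m) { [pscustomobject]@{ Domain = $d; Member = $m } }
        }
    }
    if     ($all.Count -lt 5)  { $rating = 'preferred (fewer than 5)' }
    elseif ($all.Count -lt 10) { $rating = 'within limit (fewer than 10)' }
    else                       { $rating = 'too many (10 or more)' }
    [pscustomobject]@{
        ForestLevelAdmins     = $all.Count
        Rating                = $rating
        NotInEnterpriseAdmins = @($extra)
    }
}

# Live input: needs the ActiveDirectory (RSAT) module and read access to every domain.
function Get-ForestAdminSets {
    $forest = Get-ADForest
    $da = @{}
    foreach ($d in $forest.Domains) {
        $sid = (Get-ADDomain -Server $d).DomainSID.Value
        # Well-known RID 512 = Domain Admins
        $da[$d] = @(Get-ADGroupMember -Identity "$sid-512" -Server $d -Recursive |
                    ForEach-Object { $_.distinguishedName })
    }
    $root = $forest.RootDomain
    $rootSid = (Get-ADDomain -Server $root).DomainSID.Value
    # Well-known RID 519 = Enterprise Admins (forest root domain only)
    $ea = @(Get-ADGroupMember -Identity "$rootSid-519" -Server $root -Recursive |
            ForEach-Object { $_.distinguishedName })
    @{ DomainAdmins = $da; EnterpriseAdmins = $ea }
}

# Constructed sample (hypothetical forest and accounts); runs without a directory.
$sample = @{
    'corp.example'    = @('CORP\alice', 'CORP\bob')
    'ny.corp.example' = @('CORP\alice', 'NY\tom', 'NY\svc-backup')
}
Test-ForestAdminModel -DomainAdmins $sample -EnterpriseAdmins 'CORP\alice', 'CORP\bob'
```

Against a live forest, run `$sets = Get-ForestAdminSets; Test-ForestAdminModel @sets` and review every entry under `NotInEnterpriseAdmins` as a candidate for delegated rights instead of Domain Admins membership.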
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Thursday, May 13, 2004 9:16 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
1. what do you mean by "an admin in any domain has the power of being an Enterprise admin"? i, being a domain admin of a child domain, do not have the power to put myself into the Enterprise admins group. A domain or enterprise admin in the root domain would have to do that for me.
Also, as a domain admin in a child domain, i'm kinda limited to the damage i could do to the forest, no? I mean, i could screw up my domain royally, but i can't really do anything to screw up the forest (and completely hosing my domain would only cause replication errors generated in event logs and some repointing of exchange servers to different GC's). i can't modify the schema or install an app that does it for me. i can't link a wrong headed GPO to a site or create one on the root or any other domain. i can't create a site or subnet.
And if i crashed and burned all my DC's wouldn't AD remove them permanently after 60 days?
I'm sorry to belabour the point here and waste your time, but i really want to make a good case for our IT dept to have enterprise admin access and show why multiple separate domain admins for multiple domains is not a good idea. as well as further my knowledge of what can and can't be done and what can and can't be screwed up.
i'd like to convince everyone that playing nice is in our best interest.
thanks, and again, i apologize for rehashing old posts.
-----Original Message-----
From: joe [mailto:[EMAIL PROTECTED]
Sent: Thursday, May 13, 2004 8:34 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] A root dc question
Wow this is like déjà vu, I swear we went through this whole thought process a month or two ago on here....
The quick summary (no I will not spout the whole thing, it should be in the archives) of what I recall
1. An admin in any domain has the power of being an Enterprise Admin, domains ARE NOT security boundaries. Each child domain should not have different admins because that can result in chaos and possible danger to the entire forest.
2. You can not do DR testing with just a child domain.
3. Either your corp IT has to be involved with your DR testing or you should redesign into multiple forests.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Kern, Tom
Sent: Wednesday, May 12, 2004 4:37 PM
To: ActiveDir (E-mail)
Subject: [ActiveDir] A root dc question
My apologies if this seems basic and/or silly.
Aside from creating new domains or modifying the schema, why would an admin need access to the root dc of a forest (the schema, domain naming master)?
furthermore, why would an admin in a child domain need enterprise admin privileges?
I only ask because we had issues with our test DR run wherein we didn't have access to the root domain and/or a test root domain vmware'd on a laptop and it ended miserably.
i am in the process of convincing the higher ups in my corp of letting our IT dept have enterprise admin access.
i'd like to make a case for us as to why we would need this account with concrete examples (aside from the DR one). ones that a semi tech aware CIO could relate to.
What other compelling reasons would one need these rights for in day to day (or not so day to day) AD administration?
we are a multi-domain (14) win2k forest in mixed mode with exchange2k in native mode.
Thank you in advance for any assistance.
List info : http://www.activedir.org/mail_list.htm
List FAQ : http://www.activedir.org/list_faq.htm
List archive:
http://www.mail-archive.com/activedir%40mail.activedir.org/