RE: [ActiveDir] AD Admin Software Tools?
Just using the default ones that come with Windows here. And a few scripts that I wrote myself.

Mike

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Oliver Rebollido
Sent: Thursday, April 08, 2004 10:55 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] AD Admin Software Tools?

I'm a new Exchange 2000 (soon to be 2003) administrator that also manages our Active Directory domain. What Active Directory admin software tools are most of you using? I plan on purchasing some software admin tools soon.

Thanks in advance,
Oliver
RE: [ActiveDir] Join other DCs to an SBS2k or 2k3 domain?
There are a lot of people who wouldn't agree that SBS includes a lot of "crap"... Arguably, SBS includes a lot of value. Admittedly most people turn off more than they turn on with SBS, but if you even just use one of the ancillary products (Exchange, Sharepoint, SQL) in addition to the OS itself there's just no way you can beat the price for a small business... SBS is meant to be the "be all, end all" for the small business server needs... For the market targeted by SBS, buying one server to run everything is much more cost effective even if you're only using half the features... Heck, even just plain Windows Server 2003 is more expensive than SBS Standard (assuming you don't need SQL).

Joe Pochedley
Weiler's Law - Nothing is impossible for the man who doesn't have to do it himself.

From: Creamer, Mark [mailto:[EMAIL PROTECTED]
Sent: Friday, April 09, 2004 8:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Join other DCs to an SBS2k or 2k3 domain?

On a related rant, I completed a small network installation for a friend's growing business last weekend. It was my first experience with Small Biz Server. I'm amazed at the bulk of crap it includes. Seems like I turned off more features than I turned on. Several patches for SBS-specific bugs later, I finally have it stable. I will *never* recommend that behemoth again. Give me plain vanilla Win2003 Server anytime.

mc
RE: [ActiveDir] MS Audit Collection Service?
MACS runs pretty well and rather independent of MOM itself though. That should be made clear as well. Not that folks think it's useless unless you invest in MOM. You can use many other platforms to add reporting and alerting capabilities to MACS as the MACS server has full subscriber API capabilities.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of E Brown
Sent: Friday, 9 April 2004 06:03
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Audit Collection Service?

Group,

It will be released real soon. I can send you the whitepapers for it to get you some preliminary info. Just send me an email, due to size limits it was rejected. Make sure you get MOM for the management piece to tie everything together. But this will definitely be free.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, April 08, 2004 7:49 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] MS Audit Collection Service?

http://www.microsoft.com/australia/servers/windowsserver/ioe/management.aspx

Search that page for MACS.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Thursday, April 08, 2004 9:38 PM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] MS Audit Collection Service?

Hi Eric,

Thanks for the quick response! I searched quite a bit for it on Microsoft's site but couldn't locate anything. If you happen to find a link, it would be much appreciated. :-)

Thanks again,

- Robbie

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Eric Fleischman wrote:

I'm afraid you got some bad information. MACS (Microsoft Audit Collection Service) is not out at this point in time. There is some pre-release documentation up on Microsoft.com though. You should be able to find it if you search for MACS, but let me know if not and I'll dig it up again.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robbie Foust
Sent: Thursday, April 08, 2004 8:17 PM
To: [EMAIL PROTECTED]
Subject: [ActiveDir] MS Audit Collection Service?

Hi,

I'm trying to find the Microsoft Audit Collection Service. I had never heard of it until today. A Microsoft rep at the Security Summit I attended today said it was out and available on the Technet site, but I can't find it.

It really irritates me when I find out about a product like this well after the thing has been designed & tested. I'm already on several lists and I check news sites regularly. Is there a better way? Some secret newsletter I'm not subscribed to? :-)

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] using dsacls.exe
Hey Ulf - I see you got home from the summit safely ;-)

In your AD newsgroup post which you referenced below you answered the following question

    Is there a comprehensive reference that identifies each permission required to perform a task? Giving a user the "AddUser" permission is not enough. They also have to have the rights to add objects and child objects, etc etc...

with

    Not that I'm aware of - the rights I don't know I set with the delegation wizard and run dsacls or look into the security tab.

Just want to make sure that everyone is aware of the excellent Delegation Whitepaper, that's been available for a couple of months now:
http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en

And don't forget to download the Appendix for this whitepaper, which contains all the nitty gritty details on what's required to perform which task.

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ulf B. Simon-Weidner
Sent: Thursday, 8 April 2004 17:10
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] using dsacls.exe

Hello Bart,

see the following post: http://groups.google.de/[EMAIL PROTECTED]

Ulf B. Simon-Weidner

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Vermeire Bart
Sent: Tuesday, 6 April 2004 06:43
To: [EMAIL PROTECTED]
Subject: [ActiveDir] using dsacls.exe

Hi,

I am struggling with the dsacls.exe tool and hope that someone in this list can answer me. I need to set permissions on an OU from a CMD line batch file and I am using dsacls.exe for that. However, setting the "Reset Password" extended right is one task I cannot accomplish. Can you please help me out here.

regards,
Bart Vermeire
Volvo IT
RE: [ActiveDir] Unable to see users group membership in trusted domain
Works as designed. Especially if you're using Domain Local Groups (DLG). But in 2003 you cannot even see the UG memberships of other domains in ADUC. This will likely be fixed in SP1 as only GCs would have the potential to show UG-memberships from other domains anyways (a filter was added in 2003 so that only groups of own domain show up on the MemberOf tab of an object - in SP1 you're supposed to have a choice).

Realize a non-GC DC doesn't know of the UG memberships of the other domains and neither a DC nor a GC will show you the DLG memberships of the other domains - as these are not replicated to the GC.

And wait until you try to recover accidentally deleted users in your environment and recover them. Then not seeing the memberships will be the least of your worries = they'll actually be missing from the other groups... Read this whitepaper if you want to know more:
http://www.aelita.com/library/whitepapers/10_Things_to_Know_about_Active_Directory_Recovery.pdf

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ole Thomsen
Sent: Wednesday, 7 April 2004 00:37
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Unable to see users group membership in trusted domain

I have two AD domains, of which one is subdomain to the other. In the child domain, most users are members of a number of security groups in the parent domain.

All was well until recently, but after raising the domain and forest level to 2003 I can no longer see the child domain users' parent domain membership under the user property Member of. Furthermore, from this property sheet I cannot add the user to parent domain groups anymore.

They are still members, everything works as expected, and I can add the users to groups from within the group property - but that is a hell of a job to cruise through all the groups every time a user is created.

Please help :-)

Ole Thomsen
RE: [ActiveDir] AD Consultants
Just want to mention, that other companies do AD consulting as well ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, 6 April 2004 15:35
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

I highly recommend Dean as well..

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 2:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

http://www.msetechnology.com/

This is where Dean Wells works, they are out of Florida but go all over. You probably have seen Dean's posts on here.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Monday, April 05, 2004 2:14 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Consultants

Before I start just to let you know I checked with Tony before sending this to the list.

Does anyone know any companies in the North Eastern US area that does AD consulting and design? My CIO would like to bring in a consulting company to help us out with a global AD design for our company. If anyone has any suggestions or needs more information please email OFF the list. Any and all help is appreciated.

Mike
Re: [ActiveDir] Photos in Active Directory
That's a good point and one I had not thought of (killing the DC's with large photos). Another suggestion, if you do want to keep a photo stored in AD, I would do like Guido suggested and restrict the attribute to the appropriate groups or whatever, and use some program to limit the size of the photo. I haven't really looked into this much. There is a program called Imagemagick (www.imagemagick.org) that will do some cool stuff (resizing, etc).

- Robbie

Robbie Foust, IT Analyst
Systems and Core Services
Duke University

Grillenmeier, Guido wrote:

WARNING: let's look at the security aspects of photos in AD from another side. You need to be aware that the photo attribute is editable by default by every user himself (just like all the other attributes which are part of the personal information property set). But the photo-attribute is somewhat special: it's a binary blob which basically has no size limit... (depends on LDAP policy max msg size).

This means that if you don't lock down this attribute, every user could potentially upload really large images (think of a 1 GB image) to this attribute and kill all your DCs anytime he'd like either through replication or simply growing the DIT-file over the limits of your disks.

So even if you're not going to use this attribute to store photos, you should also ensure that nobody else does it for you.

/Guido

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Jackson Shaw
Sent: Tuesday, 6 April 2004 17:55
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

I think the benefit is obvious - security. You may want to consider using Active Directory Application Mode or setting up an Application Partition in AD (assuming you are using W2K3). Either would enable you to isolate the data replication. Photos shouldn't change much so once you have done your initial replication there shouldn't really be any additional traffic to bear.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rutherford, Robert
Sent: Tuesday, April 06, 2004 12:51 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Photos in Active Directory

It all depends on how large your organisation is I guess, how many sites, WAN links, etc. I wouldn't really recommend it as you really want to keep your AD as small as possible for replication and performance reasons.

What benefit will you get out of having users' photos in the user object?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: 05 April 2004 22:40
To: [EMAIL PROTECTED]
Subject: [ActiveDir] Photos in Active Directory

Hi all,

We're in the middle of designing our Active Directory (Server 2003) and our security group just came up with the idea that it would be great to include a photo of the user in each user object. I know this CAN be done but I'm looking for information that would tell me whether it SHOULD or SHOULD NOT be done. Any references anyone can think of or, better yet, personal experience with this?

Thanks,
Mike
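The risk raised in the thread above (a self-writable binary photo attribute with no practical size limit) can be audited by reporting user objects whose stored photos exceed a size budget. This is an added example, not part of the original thread; it assumes the RSAT ActiveDirectory PowerShell module, the attribute names thumbnailPhoto and jpegPhoto (the thread does not name the attribute), and an arbitrary 100 KB threshold.

```powershell
# Added example: list users whose photo attributes exceed a size budget.
# Assumptions: ActiveDirectory module is installed; attribute names and the
# threshold below are illustrative choices, not values from the thread.
Import-Module ActiveDirectory

$MaxBytes   = 100KB
$PhotoAttrs = 'thumbnailPhoto', 'jpegPhoto'

function Get-PhotoBytes {
    param($Value)
    # thumbnailPhoto is single-valued (byte[]); jpegPhoto is multi-valued
    # (a collection of byte[]). Sum the length of every value present.
    if ($null -eq $Value) { return 0 }
    if ($Value -is [byte[]]) { return $Value.Length }
    $total = 0
    foreach ($v in $Value) {
        if ($v -is [byte[]]) { $total += $v.Length }
    }
    return $total
}

# Only fetch objects that actually carry a photo value.
$filter = '(|(thumbnailPhoto=*)(jpegPhoto=*))'

Get-ADUser -LDAPFilter $filter -Properties $PhotoAttrs |
    ForEach-Object {
        $user = $_
        foreach ($attr in $PhotoAttrs) {
            $size = Get-PhotoBytes $user.$attr
            if ($size -gt $MaxBytes) {
                [pscustomobject]@{
                    User      = $user.SamAccountName
                    Attribute = $attr
                    Bytes     = $size
                    DN        = $user.DistinguishedName
                }
            }
        }
    } |
    Sort-Object Bytes -Descending
```

An empty result means no stored photo exceeds the budget; it does not show who is permitted to write the attribute, which is a separate ACL review.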
RE: [ActiveDir] AD Consultants
And at least one of those companies that does great AD consulting has folks everywhere. ;-)

Brendan Moon
HP Services - US Federal
[EMAIL PROTECTED]

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Friday, April 09, 2004 1:51 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

Just want to mention, that other companies do AD consulting as well ;-)

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Myrick, Todd (NIH/CIT)
Sent: Tuesday, 6 April 2004 15:35
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

I highly recommend Dean as well..

Todd

From: joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, April 06, 2004 2:26 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] AD Consultants

http://www.msetechnology.com/

This is where Dean Wells works, they are out of Florida but go all over. You probably have seen Dean's posts on here.

joe

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Celone, Mike
Sent: Monday, April 05, 2004 2:14 PM
To: '[EMAIL PROTECTED]'
Subject: [ActiveDir] AD Consultants

Before I start just to let you know I checked with Tony before sending this to the list.

Does anyone know any companies in the North Eastern US area that does AD consulting and design? My CIO would like to bring in a consulting company to help us out with a global AD design for our company. If anyone has any suggestions or needs more information please email OFF the list. Any and all help is appreciated.

Mike