RE: [ActiveDir] ldp in ADAM-SP1

[Grillenmeier, Guido]

well, do as you should always do to ensure that your systems are
maintainable: keep it simple! 
Don't introduce extra complexity if you don't require it. For AD ACLing
this means, don't introduce roles and permissions for users, if you do
not need that role - there is certainly no need to implement all the
roles that are described in the delegation whitepaper to maintain a
stable AD infrastructure. 

most ACLing issues that I have come across was in companies that granted
their delegated admins the rights to create OUs underneath their
location specific OU - soon afterwards they had an AD structure with OUs
and permissions that looked like a badly managed file-server...

so the issue is not so much setting ACLs in AD (which as discussed can
be a complex task to do right, depending on your needs), but more
controlling who is allowed to set ACLs. This should be done centrally by
domain and/or enterprise admins. As a rule of thumb you should not grant
any non-domain or enterprise admin the rights to create OUs and also
limit the rights to create any other objects (especially groups) to very
few delegated admins. Less critical is delegating the ability to manage
existing objects (e.g. to reset PW of user, mail-enable users and
groups, change membership of groups, etc). I also consider the rights to
create computer objects as low risk (which is usually required by local
desktop admins in branch offices). 

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, July 25, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Thanks to Al and Guido for your further input. Even though it may seem
pretty obvious, I would like to know of any horror stories due to AD
ACL'ing if possible. The reason is Al's comments have made me take a
much more cautious approach to ACL'ing. I get the feeling that even
though the granular feature is there, if there arent enoug people with
the correct skill level available to maintain it, then it shouldnt be
pursued. I hope I can get that skill and that is one fo the goals
here. But I may not be here all the time.

So any stories from anyone ?

M@

On 7/25/06, Al Mulnick <[EMAIL PROTECTED]> wrote:
>
> I wholeheartedly applaud the effort being put into this.  That said, I
urge
> you to reconsider your administrative model and favor as much
simplicity as
> is possible.  Why?  Because the best laid plans of mice and architects
and
> all that.
>
> "The tricky bit is the matching a trusted and
> appropriately skilled person to the relevant role."
>
> That makes me laugh and cringe at the same time.  Yes, it is very
difficult
> to find that "perfect match" but at the same time I think a design
should
> take that into account where possible. That's a design philosophy and
I
> won't debate that for this thread.  But I would caution you that any
design
> that has the people intricately relied upon is going to have a failure
point
> at some point when you least can tolerate it.
>
> While you can use the command line tools as much as possible, as joe
and
> Guido both pointed out, consider rolling your own scripts if you
absolutely
> cannot do what you *need* to do at the GUI. But remember you can
really
> really really^^ hurt yourself with security permissions.  Believe me,
it can
> be ugly and it can be the undoing.
>
> Two thoughts consider as you walk through the design:
> 1) You should never try to solve wetware issues with software or
hardware.
> 2) Complexity is the anti-security.
>
> Best of luck.
>
>
>
> On 7/25/06, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
> > Wow,
> >
> > Thanks you so much for the detailed info guys. Basically my goal is
> > quite simple. At least it is in my head. What I want to do, is to go
> > through the entire case study given in the AD delegation whitepaper,
> > and do all of that permissions configuration entirely at command
line
> > (where possible). I am willing to use the delegation wizard to some
> > extent, but as I am configuring quite a lot of permissions for an AD
> > design I am involved in, I would rather avoid having to use GUI
tools
> > for this.
> >
> > You see, I am going to end up as been a very privileged service
> > administrator and data administrator once my proposed AD design
model
> > is in place. I expect I will be making some endeavour to train
> > sufficiently capable people in doing this. But I dont plan to spoon
> > feed. I want the guys to know to a decent level ACL'ing and if not,
do
> > their research. At least on an adhoc basis. Then once they
understand
> > whats involved, they can go ahead and add/modify/delete ACE's ,
revoke
> > perms, define new roles etc...
> >
> > Reading this delegation doc has made me believe I can configure an
> > extremely secure delegation model where each role can be given just
> > enough to do that role. The tricky bit is the matching a trusted and
> > appropriately skilled person t

RE: [ActiveDir] Enumerating Group type and Mebership...

[Marcus.Oh]

Dsquery group –limit 0| dsget
group –members

 

I think that works (not near AD env).

 

 

Adfind –b  -f (objectcategory=group) cn
members

 

Something like that… 

 



:m:dsm:cci:mvp |
marcusoh.blogspot.com



 





From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Ken Schaefer
Sent: Tuesday, July 25, 2006 8:48 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...





 

Hi,

 

Try these (if you don’t get any better answers from the gurus):

 

For just groups and their membership (batch file)

 

dsquery group > all-groups.txt
for /f "tokens=1* delims=}" %a in (all-groups.txt) do @(echo GROUP:%a
& dsget group %a -members) >> group-members.txt

 

For groups, type and membership (vbs file):

 

' To output to a text file use:

' cscript //nologo test.vbs > filename.txt

 

Option Explicit

 

Dim objConn   '
ADODB.Connection

Dim objCommand    ' ADODB.Command

Dim objRS '
ADODB.Recordset

Dim objRootDSE    ' RootDSE

Dim objGroup  ' AD Group

Dim strDNSDomain  ' String

Dim strQuery  ' String

Dim strDN '
String

 

 

' Bind to the Root Container

Set objConn = CreateObject("ADODB.Connection")

objConn.Provider = "ADsDSOObject"

objConn.Open "Active Directory Provider"

 

' Create our Command Object

Set objCommand = CreateObject("ADODB.Command")

Set objCommand.ActiveConnection = objConn

 

 

' Determine the DNS domain from the RootDSE object.

Set objRootDSE = GetObject("LDAP://RootDSE")

strDNSDomain = objRootDSE.Get("defaultNamingContext")

 

' Search for all groups, return the Distinguished Name of each.

strQuery = ";(objectClass=group);distinguishedName;subtree"

objCommand.CommandText = strQuery

objCommand.Properties("Page Size") = 100

objCommand.Properties("Timeout") = 30

objCommand.Properties("Cache Results") = False

 

Set objRS = objCommand.Execute

If objRS.EOF Then

  Wscript.Echo "No groups found"

  objConn.Close

  Set objRootDSE = Nothing

  Set objConn = Nothing

  Set objCommand = Nothing

  Set objRS = Nothing

  Wscript.Quit

End If

 

' Enumerate all groups, bind to each, and document group
members.

Do Until objRS.EOF

  strDN = objRS.Fields("distinguishedName")

  Set objGroup = GetObject("LDAP://" & strDN)

  'Wscript.Echo objGroup.sAMAccountName & "
(" & GetType(objGroup.groupType) & ")"

  'If objGroup.GroupType = 2 or objGroup.GroupType = 4 or
objGroup.GroupType = 8 then

 Wscript.Echo objGroup.sAMAccountName
& " (" & GetType(objGroup.groupType) & ")"

 Call GetMembers(objGroup)

  'End If

  objRS.MoveNext

Loop

 

' Clean up.

objConn.Close

Set objRootDSE = Nothing

Set objGroup = Nothing

Set objConn = Nothing

Set objCommand = Nothing

Set objRS = Nothing

 

Function GetType(intType)

' Function to determine group type from the GroupType attribute.

  If (intType And &h01) <> 0 Then

    GetType = "Built-in"

  ElseIf (intType And &h02) <> 0 Then

    GetType = "Global"

  ElseIf (intType And &h04) <> 0 Then

    GetType = "Local"

  ElseIf (intType And &h08) <> 0 Then

    GetType = "Universal"

  End If

  If (intType And &h8000) <> 0 Then

    GetType = GetType & "/Security"

  Else

    GetType = GetType &
"/Distribution"

  End If

End Function

 

Sub GetMembers(objADObject)

' Subroutine to document group membership.

' Members can be users or groups.

  Dim objMember, strType

  For Each objMember In objADObject.Members

    If UCase(Left(objMember.objectCategory, 8)) =
"CN=GROUP" Then

  strType = "Group"

    Else

  strType = "User"

    End If

    Wscript.Echo "   Member:
" & objMember.sAMAccountName _

  & " (" &
strType & ")"

  Next

  WScript.Echo ""

  Set objMember = Nothing

End Sub

 

Cheers
Ken

 



--

My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

Tech.Ed Sydney: learn all about IIS 7.0 - See you there!



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike Hogenauer
Sent: Wednesday, 26 July 2006 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...





 

We’re medium size – and yes someone does want a current outdated
list J - 

Just trying to make it happen…. 

 



From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Mebership...



 

You either have a small
environment or someone wants a document that will be completely outdated 12
minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and
show their members and continue to follow the '+' if there is nesting. 
That would be an awesome feature in the ADUC.  Maybe I should submit that
feature request to Quest and Microsoft. 



On 7/25/06, Mike Hogenauer
<[EMAIL PROTECTED]> wrote:







I need all Security Groups and Distribution
groups – and their members 

 

Thanks Laura!

 





F

Re: [ActiveDir] Managing Third-Party Users

[Joe Kaplan]

Laura, I'm with you on voting for some sort of SAML protocol support.  I'm 
pretty sure that there will be a boom in WS-Federation usage in the field 
now that ADFS is out, simply due to the fact that AD has significant market 
share, ADFS is really cheap compared to most offerings, and it is pretty 
easy to get up and running with no code.


Still, there will be plenty of SAML protocol implementations out there, and 
being able to interop with them would be nice.  At this point, we are 
looking at implementing a whole other separate product just to get this as 
we are sure we'll need it for some scenarios.


I'd even be happy with some sort of middleware or add-on module or 
something, but I'd really like to manage just one trust policy and deploy 
one infrastructure.


Joe
- Original Message - 
From: "Laura A. Robinson" <[EMAIL PROTECTED]>

To: 
Sent: Tuesday, July 25, 2006 2:48 PM
Subject: RE: [ActiveDir] Managing Third-Party Users


ADFS, at this time, is able to consume SAML 1.1 tokens. It does not,
however, fully support either the SAML 1.1 or 2.0 specifications. ADFS does
not currently construct SAML 1.1 or 2.0 tokens, does not support the rest of
the SAML specifications and does not support consumption of SAML 2.0 tokens.

Having said that, I have been having many discussions with the ADFS product
group on this one for some time and would welcome any input from this list's
participants regarding their thoughts on the subject of whether or not SAML
support is important in ADFS. If you would prefer to e-mail me your thoughts
off-list, please feel free to do so. This is going to wreck my stealth-mode
perusal of this list, but you can send your thoughts to
[EMAIL PROTECTED] and I will collect the feedback and pass it on to Don
Schmidt, with whom I've had a running dialog on this subject for some months
now.

With all that said, any opinions I express are mine and mine alone, do not
reflect the opinions of my employer, etc., yada, yada, yada. :-)

Thanks,

Laura


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, July 25, 2006 3:30 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Managing Third-Party Users

As far as I know, it's partners accessing our resources.
Regarding ADFS, I thought it supported SAML 1.1?

:m:dsm:cci:mvp | marcusoh.blogspot.com


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Monday, July 24, 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

There are a bunch of products in this space.  The two primary
protocols to be concerned about are SAML and WS-Federation.
ADFS is WS-Federation only.
Some other products are SAML only and some support both.

A lot of what you want to do depends on your scenarios.  Do
you just want to let your users access partner applications
or do you plan to let your partners access your applications?
 Maybe you need to do both?

Joe K.
- Original Message -
From: <[EMAIL PROTECTED]>
To: 
Sent: Monday, July 24, 2006 3:50 PM
Subject: RE: [ActiveDir] Managing Third-Party Users


Thanks for your take on it, Joe.  I'm finding the same thing
when it comes
to the ideology.  It's not baked in very well yet... so
trying to make a
judgment on strategy is a bit difficult.  :)  I think I'll
start looking
down what Microsoft offers... problem is I'm not even sure what the
competitors are ...

:m:dsm:cci:mvp | marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, July 22, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

Federation is the way of the future in these scenarios.  I'm
spending about
50% of my time at work these days helping to build out our federation
infrastructure and imagine that we'll be using it extensively.  We are
already doing some type of federation thing with over 30
vendor-hosted apps
internally (benefits, travel, surveys, etc.).  However, none of these
implemenations are currently using any of the standard
federation protocols
(SAML, WS-Fed) and suffer from expensive implementations, no
reusability
between implementations and dubious security.

We are also looking at hosting some services internally for
clients and
partners and using federation as a way to allow them to
authenticate with
their own credentials.

The big challenges right now are that with both SAML and WS-Fed as the
dominate protocols out there (and WS-Fed much further behind
in terms of
adoption rates, but gaining due to the popularity of AD and
the low cost of
ADFS compared to many solutions), it is hard to say you only
want to do
ADFS/WS-Fed.  Our approach is to try to support both for the
"outbound"
scenario, where our users are accessing a partner resource,
although we are
still trying to pick a SAML 2 product yet.  We'll probably be
more 

RE: [ActiveDir] Enumerating Group type and Mebership...

[Ken Schaefer]

Hi,

 

Try these (if you don’t get any better answers from the
gurus):

 

For just groups and their membership (batch file)

 

dsquery group > all-groups.txt
for /f "tokens=1* delims=}" %a in (all-groups.txt) do @(echo GROUP:%a
& dsget group %a -members) >> group-members.txt

 

For groups, type and membership (vbs file):

 

' To output to a text file use:

' cscript //nologo test.vbs > filename.txt

 

Option Explicit

 

Dim objConn   '
ADODB.Connection

Dim objCommand    ' ADODB.Command

Dim objRS '
ADODB.Recordset

Dim objRootDSE    ' RootDSE

Dim objGroup  ' AD Group

Dim strDNSDomain  ' String

Dim strQuery  ' String

Dim strDN '
String

 

 

' Bind to the Root Container

Set objConn = CreateObject("ADODB.Connection")

objConn.Provider = "ADsDSOObject"

objConn.Open "Active Directory Provider"

 

' Create our Command Object

Set objCommand = CreateObject("ADODB.Command")

Set objCommand.ActiveConnection = objConn

 

 

' Determine the DNS domain from the RootDSE object.

Set objRootDSE = GetObject("LDAP://RootDSE")

strDNSDomain = objRootDSE.Get("defaultNamingContext")

 

' Search for all groups, return the Distinguished Name of each.

strQuery = ";(objectClass=group);distinguishedName;subtree"

objCommand.CommandText = strQuery

objCommand.Properties("Page Size") = 100

objCommand.Properties("Timeout") = 30

objCommand.Properties("Cache Results") = False

 

Set objRS = objCommand.Execute

If objRS.EOF Then

  Wscript.Echo "No groups found"

  objConn.Close

  Set objRootDSE = Nothing

  Set objConn = Nothing

  Set objCommand = Nothing

  Set objRS = Nothing

  Wscript.Quit

End If

 

' Enumerate all groups, bind to each, and document group
members.

Do Until objRS.EOF

  strDN = objRS.Fields("distinguishedName")

  Set objGroup = GetObject("LDAP://" & strDN)

  'Wscript.Echo objGroup.sAMAccountName & "
(" & GetType(objGroup.groupType) & ")"

  'If objGroup.GroupType = 2 or objGroup.GroupType = 4 or
objGroup.GroupType = 8 then

 Wscript.Echo objGroup.sAMAccountName
& " (" & GetType(objGroup.groupType) & ")"

 Call GetMembers(objGroup)

  'End If

  objRS.MoveNext

Loop

 

' Clean up.

objConn.Close

Set objRootDSE = Nothing

Set objGroup = Nothing

Set objConn = Nothing

Set objCommand = Nothing

Set objRS = Nothing

 

Function GetType(intType)

' Function to determine group type from the GroupType attribute.

  If (intType And &h01) <> 0 Then

    GetType = "Built-in"

  ElseIf (intType And &h02) <> 0 Then

    GetType = "Global"

  ElseIf (intType And &h04) <> 0 Then

    GetType = "Local"

  ElseIf (intType And &h08) <> 0 Then

    GetType = "Universal"

  End If

  If (intType And &h8000) <> 0 Then

    GetType = GetType & "/Security"

  Else

    GetType = GetType &
"/Distribution"

  End If

End Function

 

Sub GetMembers(objADObject)

' Subroutine to document group membership.

' Members can be users or groups.

  Dim objMember, strType

  For Each objMember In objADObject.Members

    If UCase(Left(objMember.objectCategory, 8)) =
"CN=GROUP" Then

  strType = "Group"

    Else

  strType = "User"

    End If

    Wscript.Echo "   Member:
" & objMember.sAMAccountName _

  & " (" &
strType & ")"

  Next

  WScript.Echo ""

  Set objMember = Nothing

End Sub

 

Cheers
Ken

 



--

My IIS Blog: www.adOpenStatic.com/cs/blogs/ken

Tech.Ed Sydney: learn all about IIS 7.0 - See you there!



 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Mike Hogenauer
Sent: Wednesday, 26 July 2006 7:12 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...





 

We’re medium size – and yes someone does want a
current outdated list J - 

Just trying to make it happen…. 

 



From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Mebership...



 

You either have a small
environment or someone wants a document that will be completely outdated 12
minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and
show their members and continue to follow the '+' if there is nesting. 
That would be an awesome feature in the ADUC.  Maybe I should submit that
feature request to Quest and Microsoft. 



On 7/25/06, Mike Hogenauer
<[EMAIL PROTECTED]> wrote:







I need all Security Groups and Distribution
groups – and their members 

 

Thanks Laura!

 





From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM






To: ActiveDir@mail.activedir.org





Subject: RE: [ActiveDir] Enumerating Group type and
Mebership...









 



What is "everything [you]
need", specifically?





 





Thanks,





 





Laura





 







From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 2

RE: [ActiveDir] Enumerating Group type and Mebership...

[WATSON, BEN]

Ugh, this sounds exactly like the SOX audit
our company is currently going through.  People asking for reports and
screenshots of things they simply don’t understand.  It’s a joy.

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:54
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir]
Enumerating Group type and Mebership...



 

Getting a list of groups
is easy... getting it all enumerated will be a bit more complex, though not
terribly so.

The ADUC allows you to create queries and list all security groups.  You
can then export this list to a file.  Once you have the file, you need to
import that list into Excel (pretty easy), then run a _vbscript_ against with
LDAP or ADSI scripting in it (or something like that) to enumerate group
members.  If they want nested members also, then you've got a lot more
complex issue, but I would just state that it's not practical and let him work
with the current list. 

Hopefully the resulting gargantuan file will be enough to make anyone choke and
stop making rediculous requests that they don't understand the futility
of.  Enumerating 10k groups simply so that you can toss the list out later
that week because it's just going to get more and more out of date is worse
than silly, it's a waste of company effort (and money).  Make it too easy
for him to generate that report and soon he'll be wanting to see what items
they have access to in the environment, so you'll end up enumerating out all
files and shares and rights assignments on computers. 






On 7/25/06, Mike
Hogenauer <[EMAIL PROTECTED]>
wrote:







We're medium size – and yes someone does want a current
outdated list J - 

Just trying to make it happen…. 

 



From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02
PM






To: ActiveDir@mail.activedir.org





Subject: Re:
[ActiveDir] Enumerating Group type and Mebership...







 

You either have a small environment or someone wants a
document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and
show their members and continue to follow the '+' if there is nesting. 
That would be an awesome feature in the ADUC.  Maybe I should submit that
feature request to Quest and Microsoft. 



On
7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:







I need all Security Groups and Distribution groups – and
their members 

 

Thanks Laura!

 





From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00
PM






To: ActiveDir@mail.activedir.org






Subject: RE: [ActiveDir] Enumerating Group
type and Mebership...









 



What is "everything [you] need", specifically?





 





Thanks,





 





Laura





 







From: [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]] On
Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49
PM
To: ActiveDir@mail.activedir.org

Subject: [ActiveDir] Enumerating
Group type and Mebership...

All, 

 

I'm
trying to enumerate all groups in my AD environment. I need to get Group name
group type and group members for each group… 

 

I've
tried some sample _vbscript_s from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx


 

Then I
tried (below) but It still doesn't seem to pull back everything I need- Any
help would be great! In a perfect world - J -  I need a list of all
security groups and distribution groups and their members 

Thanks,

Mike 

 

Enumerate Security Groups and Member in Domain

 

csvde -f
c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640"
-j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f
c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2"
-j c:\tmp

 

 











 











 

Re: [ActiveDir] Enumerating Group type and Mebership...

[Matt Hargraves]

Getting a list of groups is easy... getting it all enumerated will be a bit more complex, though not terribly so.The ADUC allows you to create queries and list all security groups.  You can then export this list to a file.  Once you have the file, you need to import that list into Excel (pretty easy), then run a _vbscript_ against with LDAP or ADSI scripting in it (or something like that) to enumerate group members.  If they want nested members also, then you've got a lot more complex issue, but I would just state that it's not practical and let him work with the current list.
Hopefully the resulting gargantuan file will be enough to make anyone choke and stop making rediculous requests that they don't understand the futility of.  Enumerating 10k groups simply so that you can toss the list out later that week because it's just going to get more and more out of date is worse than silly, it's a waste of company effort (and money).  Make it too easy for him to generate that report and soon he'll be wanting to see what items they have access to in the environment, so you'll end up enumerating out all files and shares and rights assignments on computers.
On 7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:














We're medium size – and yes someone does want a current outdated
list J - 

Just trying to make it happen…. 

 



From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On
Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] Enumerating Group type and Mebership...



 

You either have a small
environment or someone wants a document that will be completely outdated 12
minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and
show their members and continue to follow the '+' if there is nesting. 
That would be an awesome feature in the ADUC.  Maybe I should submit that
feature request to Quest and Microsoft. 





On 7/25/06, Mike Hogenauer
<[EMAIL PROTECTED]>
wrote:







I need all Security Groups and Distribution
groups – and their members 

 

Thanks Laura!

 





From: 
[EMAIL PROTECTED]
[mailto: 
[EMAIL PROTECTED]]
On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM






To: ActiveDir@mail.activedir.org






Subject: RE: [ActiveDir] Enumerating Group type and
Mebership...









 



What is "everything [you]
need", specifically?





 





Thanks,





 





Laura






 







From: 
[EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED]]
On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org

Subject: [ActiveDir] Enumerating Group type and Mebership...

All, 

 

I'm trying to enumerate all groups in my AD environment. I need to get Group
name group type and group members for each group… 

 

I've tried some sample _vbscript_s from 
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx


 

Then I tried (below) but It still doesn't seem to pull back everything I
need- Any help would be great! In a perfect world - J -  I need a list of all security groups and
distribution groups and their members 

Thanks,

Mike 

 

Enumerate Security Groups and Member in Domain

 

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member  -r
"(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640"
-j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member  -r
"(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2"
-j c:\tmp

 

 











 

RE: [ActiveDir] Enumerating Group type and Mebership...

[Mike Hogenauer]

We’re medium size – and yes someone does want a current outdated
list J - 

Just trying to make it happen…. 

 



From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Mebership...



 

You either have a small
environment or someone wants a document that will be completely outdated 12
minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups and
show their members and continue to follow the '+' if there is nesting. 
That would be an awesome feature in the ADUC.  Maybe I should submit that
feature request to Quest and Microsoft. 





On 7/25/06, Mike Hogenauer
<[EMAIL PROTECTED]>
wrote:







I need all Security Groups and Distribution
groups – and their members 

 

Thanks Laura!

 





From: [EMAIL PROTECTED]
[mailto: [EMAIL PROTECTED]]
On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM






To: ActiveDir@mail.activedir.org





Subject: RE: [ActiveDir] Enumerating Group type and
Mebership...









 



What is "everything [you]
need", specifically?





 





Thanks,





 





Laura





 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]
On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...

All, 

 

I'm trying to enumerate all groups in my AD environment. I need to get Group
name group type and group members for each group… 

 

I've tried some sample _vbscript_s from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx


 

Then I tried (below) but It still doesn't seem to pull back everything I
need- Any help would be great! In a perfect world - J -  I need a list of all security groups and
distribution groups and their members 

Thanks,

Mike 

 

Enumerate Security Groups and Member in Domain

 

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member  -r
"(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640"
-j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member  -r
"(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2"
-j c:\tmp

 

 











 

Re: [ActiveDir] Enumerating Group type and Mebership...

[Matt Hargraves]

You either have a small environment or someone wants a document that will be completely outdated 12 minutes after it's compiled.Though just to be honest, I'd love to be able to click on a '+' on groups and show their members and continue to follow the '+' if there is nesting.  That would be an awesome feature in the ADUC.  Maybe I should submit that feature request to Quest and Microsoft.
On 7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:














I need all Security Groups and Distribution
groups – and their members 

 

Thanks Laura!

 





From:
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED]] On
Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] Enumerating Group type and Mebership...





 



What is "everything [you] need", specifically?





 





Thanks,





 





Laura






 







From: 
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] 
On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...

All, 

 

I'm trying to enumerate all groups in my AD environment. I
need to get Group name group type and group members for each group… 

 

I've tried some sample _vbscript_s from 
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx


 

Then I tried (below) but It still doesn't seem to pull back
everything I need- Any help would be great! In a perfect world - J -  I need a list of all security
groups and distribution groups and their members 

Thanks,

Mike 

 

Enumerate Security Groups and Member in Domain

 

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l
cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640"
-j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f c:\tmp\DistributionLists.csv -p subtree -l
cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2"
-j c:\tmp

 

 

RE: [ActiveDir] Reset home page via GPO

[Larry Wahlers]

Thanks, Darren! That did the trick for us.

-- 
Larry Wahlers
 

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Darren Mar-Elia
> Sent: Tuesday, July 25, 2006 2:23 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Reset home page via GPO
> 
> Sigh. I truly wish MS would either fix IE maintenance policy 
> or just kill it
> because its just the buggiest piece of  around.
> Larry, try enabling the following policy on all computers 
> that receive the
> home page policy--Computer Configuration\Admin Templates\System\Group
> Policy\IE Maintenance Policy Processing\Process even if the 
> GP objects have
> not changed.
> 
> Give that a go (it may require a couple of logons to trigger) 
> and see if
> that helps. This is described at
> http://support.microsoft.com/kb/306915/en-us, though I'm not 
> sure why the KB
> article tells you to tweak the registry directly, since they provide a
> policy for that very purpose...
> 
> Darren
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Test Environments

[WATSON, BEN]

Those were my thoughts as well on the
issue and I’ve had to tell several people not to expect production-like
uptime.  I really couldn’t think of a better way to provide a test
environment and there’s no way I’m going to build multiple
environments like this.  Even though it’s a test environment, it often
requires more of my time to maintain than the production environment.

 

I may tell people to create their own
development environment as Jonathan suggested and allow testing to be performed
when they feel their app has outgrown a development environment of their own
creation.

 

Thanks guys, it’s good to know I’m
on track here.

 

~Ben

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 12:04
PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Test
Environments



 

It sounds like you have a
good test environment.  The only problem is that people may be scheduling
their testing a little too tightly.  They need to understand that this is
a *TEST* environment.  That means it's in a constant state of relative
flux and that at any point in time, it could possibly go down for an hour or
even possibly a day or two.  It will largely be available, but it's not
production and they shouldn't be expecting to receive the level of support and
uptime that they receive in the production environment.  If they expect
that, they need to find a way to test outside your test environment.  If
their schedules are slipping because of the availability of the test
environment, then they're not putting enough extra time into their plans and
need to start consulting you before deciding when to test and how much time
it's going to take. 

It may sound like I'm being harsh on them, but it sounds like they are really
expecting too much from a test environment and that's because there isn't
enough consulting occuring.  It really sounds like you need to possibly
make a "Testing calendar" so that everyone (or maybe even just you)
have a list of applications that are being tested in the environment and when
schema updates and other items which can affect multiple tests that are ongoing
occur, the relevant persons can be notified so if they need to reschedule their
testing or adjust their testing schedule, they can. 





On 7/25/06, WATSON,
BEN <[EMAIL PROTECTED]>
wrote:







I
was hoping to get some input from some of you to better understand how you
handle the design of test environments for application testing.  For
example, I built a so-called "Offnet" which is a duplicate of our
production domain.  We have a couple domain controllers restored from tape
backup, we have Exchange running, and various other production services using
the same domain name and hostnames providing for a very production-like test
environment.  As time progressed, other production servers duplicated
themselves into this test environment and we now have quite a number of people
doing the majority of their testing in this environment.  Unfortunately,
as more and more people have begun to use this environment for testing, we have
found that people are beginning to step on each others toes.  For
instance, I used this test environment to walk through the domain upgrade to
2003 and when there was some downtime other people were unable to do their own
testing.

 

So
I was curious, how do you handle providing a working test environment for
people that need it?  At this point, we are trying to determine a better
way for people to do their testing away from production.

 

Thanks,

~Ben









 

RE: [ActiveDir] Managing Third-Party Users

[Marcus.Oh]

:D

Honestly, I don't know if it's important or not.  I guess if I ran into a 
situation where most partners used a SAML compliant product, then I'd say, 
yes... definitely add it in because I'd like to keep things w/ the same vendor 
on my side.  Otherwise, if most software vendors are moving towards adopting 
WS-Federation, then it wouldn't be so important.  Ah well... it's all new to me.

:m:dsm:cci:mvp | marcusoh.blogspot.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 3:49 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Managing Third-Party Users

ADFS, at this time, is able to consume SAML 1.1 tokens. It does not,
however, fully support either the SAML 1.1 or 2.0 specifications. ADFS does
not currently construct SAML 1.1 or 2.0 tokens, does not support the rest of
the SAML specifications and does not support consumption of SAML 2.0 tokens.

Having said that, I have been having many discussions with the ADFS product
group on this one for some time and would welcome any input from this list's
participants regarding their thoughts on the subject of whether or not SAML
support is important in ADFS. If you would prefer to e-mail me your thoughts
off-list, please feel free to do so. This is going to wreck my stealth-mode
perusal of this list, but you can send your thoughts to
[EMAIL PROTECTED] and I will collect the feedback and pass it on to Don
Schmidt, with whom I've had a running dialog on this subject for some months
now.

With all that said, any opinions I express are mine and mine alone, do not
reflect the opinions of my employer, etc., yada, yada, yada. :-)

Thanks,

Laura

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Tuesday, July 25, 2006 3:30 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Managing Third-Party Users
> 
> As far as I know, it's partners accessing our resources.  
> Regarding ADFS, I thought it supported SAML 1.1?
> 
> :m:dsm:cci:mvp | marcusoh.blogspot.com
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Monday, July 24, 2006 9:51 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Managing Third-Party Users
> 
> There are a bunch of products in this space.  The two primary 
> protocols to be concerned about are SAML and WS-Federation.  
> ADFS is WS-Federation only. 
> Some other products are SAML only and some support both.
> 
> A lot of what you want to do depends on your scenarios.  Do 
> you just want to let your users access partner applications 
> or do you plan to let your partners access your applications? 
>  Maybe you need to do both?
> 
> Joe K.
> - Original Message -
> From: <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, July 24, 2006 3:50 PM
> Subject: RE: [ActiveDir] Managing Third-Party Users
> 
> 
> Thanks for your take on it, Joe.  I'm finding the same thing 
> when it comes 
> to the ideology.  It's not baked in very well yet... so 
> trying to make a 
> judgment on strategy is a bit difficult.  :)  I think I'll 
> start looking 
> down what Microsoft offers... problem is I'm not even sure what the 
> competitors are ...
> 
> :m:dsm:cci:mvp | marcusoh.blogspot.com
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Saturday, July 22, 2006 3:43 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Managing Third-Party Users
> 
> Federation is the way of the future in these scenarios.  I'm 
> spending about
> 50% of my time at work these days helping to build out our federation
> infrastructure and imagine that we'll be using it extensively.  We are
> already doing some type of federation thing with over 30 
> vendor-hosted apps
> internally (benefits, travel, surveys, etc.).  However, none of these
> implemenations are currently using any of the standard 
> federation protocols
> (SAML, WS-Fed) and suffer from expensive implementations, no 
> reusability
> between implementations and dubious security.
> 
> We are also looking at hosting some services internally for 
> clients and
> partners and using federation as a way to allow them to 
> authenticate with
> their own credentials.
> 
> The big challenges right now are that with both SAML and WS-Fed as the
> dominate protocols out there (and WS-Fed much further behind 
> in terms of
> adoption rates, but gaining due to the popularity of AD and 
> the low cost of
> ADFS compared to many solutions), it is hard to say you only 
> want to do
> ADFS/WS-Fed.  Our approach is to try to support both for the 
> "outbound"
> scenario, where our users are accessing a partner resource, 
> although we are
> still trying to pick a SAML 2 product yet.  We'll probably be 
> more picky
> about WS-Fed for the opposite scenario as our guys like to use Windows
> to

RE: [ActiveDir] Test Environments

[Jonathan Meyer]

Most places I've worked we had three seperate 
environments
 
1) Development
2) Testing
3) Production
 
The development environment would basically be as Matt has 
described.  (No real change control here, and usually each person would be 
responsible for setting up the environment for their specific testing 
needs)
 
Testing mirrors the production environment (There could be 
a week or so of change delay between testing and production.  Mainly for 
hotfix testing and major software releases.  The difference is change 
control would work the same as production)
 
Production is well production.  
 
 


From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Matt 
HargravesSent: Tuesday, July 25, 2006 3:04 PMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Test 
Environments
It sounds like you have a good test environment.  The only 
problem is that people may be scheduling their testing a little too 
tightly.  They need to understand that this is a *TEST* environment.  
That means it's in a constant state of relative flux and that at any point in 
time, it could possibly go down for an hour or even possibly a day or two.  
It will largely be available, but it's not production and they shouldn't be 
expecting to receive the level of support and uptime that they receive in the 
production environment.  If they expect that, they need to find a way to 
test outside your test environment.  If their schedules are slipping 
because of the availability of the test environment, then they're not putting 
enough extra time into their plans and need to start consulting you before 
deciding when to test and how much time it's going to take. It may sound 
like I'm being harsh on them, but it sounds like they are really expecting too 
much from a test environment and that's because there isn't enough consulting 
occuring.  It really sounds like you need to possibly make a "Testing 
calendar" so that everyone (or maybe even just you) have a list of applications 
that are being tested in the environment and when schema updates and other items 
which can affect multiple tests that are ongoing occur, the relevant persons can 
be notified so if they need to reschedule their testing or adjust their testing 
schedule, they can. 
On 7/25/06, WATSON, 
BEN <[EMAIL PROTECTED]> 
wrote:

  
  
  
  I 
  was hoping to get some input from some of you to better understand how you 
  handle the design of test environments for application testing.  For 
  example, I built a so-called "Offnet" which is a duplicate of our production 
  domain.  We have a couple domain controllers restored from tape backup, 
  we have Exchange running, and various other production services using the same 
  domain name and hostnames providing for a very production-like test 
  environment.  As time progressed, other production servers duplicated 
  themselves into this test environment and we now have quite a number of people 
  doing the majority of their testing in this environment.  Unfortunately, 
  as more and more people have begun to use this environment for testing, we 
  have found that people are beginning to step on each others toes.  For 
  instance, I used this test environment to walk through the domain upgrade to 
  2003 and when there was some downtime other people were unable to do their own 
  testing.
   
  So I was curious, how do you 
  handle providing a working test environment for people that need it?  At 
  this point, we are trying to determine a better way for people to do their 
  testing away from production.
   
  Thanks,
  ~Ben

RE: [ActiveDir] Enumerating Group type and Mebership...

[Mike Hogenauer]

I need all Security Groups and Distribution
groups – and their members 

 

Thanks Laura!

 





From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...





 



What is "everything [you] need", specifically?





 





Thanks,





 





Laura





 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...

All, 

 

I’m trying to enumerate all groups in my AD environment. I
need to get Group name group type and group members for each group… 

 

I’ve tried some sample _vbscript_s from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx


 

Then I tried (below) but It still doesn’t seem to pull back
everything I need- Any help would be great! In a perfect world - J -  I need a list of all security
groups and distribution groups and their members 

Thanks,

Mike 

 

Enumerate Security Groups and Member in Domain

 

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l
cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640"
-j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f c:\tmp\DistributionLists.csv -p subtree -l
cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2"
-j c:\tmp

 

 

RE: [ActiveDir] Managing Third-Party Users

[Laura A. Robinson]

ADFS, at this time, is able to consume SAML 1.1 tokens. It does not,
however, fully support either the SAML 1.1 or 2.0 specifications. ADFS does
not currently construct SAML 1.1 or 2.0 tokens, does not support the rest of
the SAML specifications and does not support consumption of SAML 2.0 tokens.

Having said that, I have been having many discussions with the ADFS product
group on this one for some time and would welcome any input from this list's
participants regarding their thoughts on the subject of whether or not SAML
support is important in ADFS. If you would prefer to e-mail me your thoughts
off-list, please feel free to do so. This is going to wreck my stealth-mode
perusal of this list, but you can send your thoughts to
[EMAIL PROTECTED] and I will collect the feedback and pass it on to Don
Schmidt, with whom I've had a running dialog on this subject for some months
now.

With all that said, any opinions I express are mine and mine alone, do not
reflect the opinions of my employer, etc., yada, yada, yada. :-)

Thanks,

Laura

> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> [EMAIL PROTECTED]
> Sent: Tuesday, July 25, 2006 3:30 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Managing Third-Party Users
> 
> As far as I know, it's partners accessing our resources.  
> Regarding ADFS, I thought it supported SAML 1.1?
> 
> :m:dsm:cci:mvp | marcusoh.blogspot.com
> 
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Monday, July 24, 2006 9:51 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Managing Third-Party Users
> 
> There are a bunch of products in this space.  The two primary 
> protocols to be concerned about are SAML and WS-Federation.  
> ADFS is WS-Federation only. 
> Some other products are SAML only and some support both.
> 
> A lot of what you want to do depends on your scenarios.  Do 
> you just want to let your users access partner applications 
> or do you plan to let your partners access your applications? 
>  Maybe you need to do both?
> 
> Joe K.
> - Original Message -
> From: <[EMAIL PROTECTED]>
> To: 
> Sent: Monday, July 24, 2006 3:50 PM
> Subject: RE: [ActiveDir] Managing Third-Party Users
> 
> 
> Thanks for your take on it, Joe.  I'm finding the same thing 
> when it comes 
> to the ideology.  It's not baked in very well yet... so 
> trying to make a 
> judgment on strategy is a bit difficult.  :)  I think I'll 
> start looking 
> down what Microsoft offers... problem is I'm not even sure what the 
> competitors are ...
> 
> :m:dsm:cci:mvp | marcusoh.blogspot.com
> 
> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Saturday, July 22, 2006 3:43 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Managing Third-Party Users
> 
> Federation is the way of the future in these scenarios.  I'm 
> spending about
> 50% of my time at work these days helping to build out our federation
> infrastructure and imagine that we'll be using it extensively.  We are
> already doing some type of federation thing with over 30 
> vendor-hosted apps
> internally (benefits, travel, surveys, etc.).  However, none of these
> implemenations are currently using any of the standard 
> federation protocols
> (SAML, WS-Fed) and suffer from expensive implementations, no 
> reusability
> between implementations and dubious security.
> 
> We are also looking at hosting some services internally for 
> clients and
> partners and using federation as a way to allow them to 
> authenticate with
> their own credentials.
> 
> The big challenges right now are that with both SAML and WS-Fed as the
> dominate protocols out there (and WS-Fed much further behind 
> in terms of
> adoption rates, but gaining due to the popularity of AD and 
> the low cost of
> ADFS compared to many solutions), it is hard to say you only 
> want to do
> ADFS/WS-Fed.  Our approach is to try to support both for the 
> "outbound"
> scenario, where our users are accessing a partner resource, 
> although we are
> still trying to pick a SAML 2 product yet.  We'll probably be 
> more picky
> about WS-Fed for the opposite scenario as our guys like to use Windows
> token-based websites (like SharePoint) for custom dev and 
> only ADFS has a
> really flexible solution for supporting this.
> 
> The big challenges are that right now, things are still pretty "early
> adopter", so it is hard to find a lot of partners that are 
> ready to go with
> their infrastructure.  There isn't much expertise out there with these
> products yet either, so people are stumbling quite a bit.  In 
> our "inbound"
> scenario, we are looking at needing to set up an alternate 
> account store to
> host the accounts of partners who aren't "federation-capable" 
> yet, so that's
> a drag.  I'm not sure the team building that app has realized 
> yet 

Re: [ActiveDir] Enumerating Group type and Mebership...

[mike kline]

Give Joe's adfind a spin,  there is a good article here that may help too (nice adfind examples)
 
http://blogs.brnets.com/michael/archive/2004/06/24/168.aspx
 
 
On 7/25/06, Mike Hogenauer <[EMAIL PROTECTED]> wrote:




All, 
 
I'm trying to enumerate all groups in my AD environment. I need to get Group name group type and group members for each group… 
 
I've tried some sample _vbscript_s from 
http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx 
 
Then I tried (below) but It still doesn't seem to pull back everything I need- Any help would be great! In a perfect world - J -  I need a list of all security groups and distribution groups and their members 

Thanks,
Mike 
 
Enumerate Security Groups and Member in Domain
 
csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640" -j c:\tmp

 
 
Enumerate Distribution Groups and Member in Domain
 
csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2" -j c:\tmp
 
 

RE: [ActiveDir] Managing Third-Party Users

[Marcus.Oh]

As far as I know, it's partners accessing our resources.  Regarding ADFS, I 
thought it supported SAML 1.1?

:m:dsm:cci:mvp | marcusoh.blogspot.com


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Monday, July 24, 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

There are a bunch of products in this space.  The two primary protocols to 
be concerned about are SAML and WS-Federation.  ADFS is WS-Federation only. 
Some other products are SAML only and some support both.

A lot of what you want to do depends on your scenarios.  Do you just want to 
let your users access partner applications or do you plan to let your 
partners access your applications?  Maybe you need to do both?

Joe K.
- Original Message - 
From: <[EMAIL PROTECTED]>
To: 
Sent: Monday, July 24, 2006 3:50 PM
Subject: RE: [ActiveDir] Managing Third-Party Users


Thanks for your take on it, Joe.  I'm finding the same thing when it comes 
to the ideology.  It's not baked in very well yet... so trying to make a 
judgment on strategy is a bit difficult.  :)  I think I'll start looking 
down what Microsoft offers... problem is I'm not even sure what the 
competitors are ...

:m:dsm:cci:mvp | marcusoh.blogspot.com

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Saturday, July 22, 2006 3:43 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Managing Third-Party Users

Federation is the way of the future in these scenarios.  I'm spending about
50% of my time at work these days helping to build out our federation
infrastructure and imagine that we'll be using it extensively.  We are
already doing some type of federation thing with over 30 vendor-hosted apps
internally (benefits, travel, surveys, etc.).  However, none of these
implemenations are currently using any of the standard federation protocols
(SAML, WS-Fed) and suffer from expensive implementations, no reusability
between implementations and dubious security.

We are also looking at hosting some services internally for clients and
partners and using federation as a way to allow them to authenticate with
their own credentials.

The big challenges right now are that with both SAML and WS-Fed as the
dominate protocols out there (and WS-Fed much further behind in terms of
adoption rates, but gaining due to the popularity of AD and the low cost of
ADFS compared to many solutions), it is hard to say you only want to do
ADFS/WS-Fed.  Our approach is to try to support both for the "outbound"
scenario, where our users are accessing a partner resource, although we are
still trying to pick a SAML 2 product yet.  We'll probably be more picky
about WS-Fed for the opposite scenario as our guys like to use Windows
token-based websites (like SharePoint) for custom dev and only ADFS has a
really flexible solution for supporting this.

The big challenges are that right now, things are still pretty "early
adopter", so it is hard to find a lot of partners that are ready to go with
their infrastructure.  There isn't much expertise out there with these
products yet either, so people are stumbling quite a bit.  In our "inbound"
scenario, we are looking at needing to set up an alternate account store to
host the accounts of partners who aren't "federation-capable" yet, so that's
a drag.  I'm not sure the team building that app has realized yet that the
cost and complexity of the identity and access management work for that
account store will likely outstrip the cost of dev and maintenance on the
app itself by an order of magnitude.  They aren't I&AM people, so they are
just realizing that users of the store will need features like password
change, password reset and password expiration notifications.  BTW, we are
using ADAM for the account store and setting it up as a separate federation
account partner.

Another thing worth noting is that we already have a well-established
process for provisioning accounts for external users and contractors in the
corp forest and we'll continue to use that in scenarios where it is
appropriate.  However, we'll try to do as little as possible of that sort of
thing when simple access to a few web apps is all that's needed.

All in all though, I'm pretty excited about the technology, especially ADFS.
It combines my three favorite tech things, I&AM, web programming and .NET,
so what's not to love?  :)


Joe K.
- Original Message - 
From: [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Saturday, July 22, 2006 12:05 PM
Subject: [ActiveDir] Managing Third-Party Users


My trusted directory resource,

I don't remember if this came up on a previous post. but don't recall seeing
the topic.  As things become more and more integrated w/ some form of ldap
authentication against a common directory, the necessity for managing
outside vendors, contractors, etc is becoming a larger and larger task. 

RE: [ActiveDir] Reset home page via GPO

[Darren Mar-Elia]

Sigh. I truly wish MS would either fix IE maintenance policy or just kill it
because its just the buggiest piece of  around.
Larry, try enabling the following policy on all computers that receive the
home page policy--Computer Configuration\Admin Templates\System\Group
Policy\IE Maintenance Policy Processing\Process even if the GP objects have
not changed.

Give that a go (it may require a couple of logons to trigger) and see if
that helps. This is described at
http://support.microsoft.com/kb/306915/en-us, though I'm not sure why the KB
article tells you to tweak the registry directly, since they provide a
policy for that very purpose...

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out
www.gpoguy.com-- the best source for GPO FAQs, video training, tools and
whitepapers. Also check out the Windows Group Policy Guide, the definitive
resource for Group Policy information.
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Larry Wahlers
Sent: Tuesday, July 25, 2006 12:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Reset home page via GPO

David Adner wrote:
> 
> > This IE setting can be applied via "policy mode" or "preferences 
> > mode".
> > Policy mode is what you normally think of when configuring GPO 
> > settings in that it'll be reset if a user ever changes it.  
> > Preferences
> mode only
> > changes the initial value but allows the user to change it 
> > afterwards if they like without having it switch back each time GPOs 
> > are applied.
> > Instead, it is only reset if the GPO itself is modified.

I hate to beat this dead horse, but the client wants the "policy mode"
enabled. I did that on the DC, did the gpupdate /force, but it's not
working. Folks who change the forced IE home page to be their own custom one
can reboot their computers, log in, and they still get their custom home
page, not the GPO forced home page.

Now, I linked the GPO to an OU that has OU's beneath it, one for users, one
for admins, one for groups, etc. Group Policy Results Wizard shows that the
GPO is a winning GPO, but the actual results are, it is not being enforced.

What am I missing here? How can I enforce this GPO so that every time a
person logs in, they get the GPO-forced home page?

Thanks, folks!

--
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

Re: [ActiveDir] ldp in ADAM-SP1

[Matheesha Weerasinghe]

Thanks to Al and Guido for your further input. Even though it may seem
pretty obvious, I would like to know of any horror stories due to AD
ACL'ing if possible. The reason is Al's comments have made me take a
much more cautious approach to ACL'ing. I get the feeling that even
though the granular feature is there, if there arent enoug people with
the correct skill level available to maintain it, then it shouldnt be
pursued. I hope I can get that skill and that is one fo the goals
here. But I may not be here all the time.

So any stories from anyone ?

M@

On 7/25/06, Al Mulnick <[EMAIL PROTECTED]> wrote:


I wholeheartedly applaud the effort being put into this.  That said, I urge
you to reconsider your administrative model and favor as much simplicity as
is possible.  Why?  Because the best laid plans of mice and architects and
all that.

"The tricky bit is the matching a trusted and
appropriately skilled person to the relevant role."

That makes me laugh and cringe at the same time.  Yes, it is very difficult
to find that "perfect match" but at the same time I think a design should
take that into account where possible. That's a design philosophy and I
won't debate that for this thread.  But I would caution you that any design
that has the people intricately relied upon is going to have a failure point
at some point when you least can tolerate it.

While you can use the command line tools as much as possible, as joe and
Guido both pointed out, consider rolling your own scripts if you absolutely
cannot do what you *need* to do at the GUI. But remember you can really
really really^^ hurt yourself with security permissions.  Believe me, it can
be ugly and it can be the undoing.

Two thoughts consider as you walk through the design:
1) You should never try to solve wetware issues with software or hardware.
2) Complexity is the anti-security.

Best of luck.



On 7/25/06, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
> Wow,
>
> Thanks you so much for the detailed info guys. Basically my goal is
> quite simple. At least it is in my head. What I want to do, is to go
> through the entire case study given in the AD delegation whitepaper,
> and do all of that permissions configuration entirely at command line
> (where possible). I am willing to use the delegation wizard to some
> extent, but as I am configuring quite a lot of permissions for an AD
> design I am involved in, I would rather avoid having to use GUI tools
> for this.
>
> You see, I am going to end up as been a very privileged service
> administrator and data administrator once my proposed AD design model
> is in place. I expect I will be making some endeavour to train
> sufficiently capable people in doing this. But I dont plan to spoon
> feed. I want the guys to know to a decent level ACL'ing and if not, do
> their research. At least on an adhoc basis. Then once they understand
> whats involved, they can go ahead and add/modify/delete ACE's , revoke
> perms, define new roles etc...
>
> Reading this delegation doc has made me believe I can configure an
> extremely secure delegation model where each role can be given just
> enough to do that role. The tricky bit is the matching a trusted and
> appropriately skilled person to the relevant role.
>
> So you see, as there is a lot involved and this is a big
> infrastructure to attempt to administer perms for 20,000 users plus
> many OUs used to organise users based on the business unit (at least a
> dozen in each geographical hub) they work in and the site (we have
> more than a 40 geographical hubs and 1000 satellite sites) they are
> located at. Different levels of data admin roles. I would like to get
> this right to a large extent from the moment go. Admittedly it may not
> be big as in Fortune 5 ADs. But its the biggest I've had the privilege
> to design and support.
>
> I figured if I test this using the case study as a lab, I will get a
> good feel of whats involved in my lower level design. I am getting a
> little miffed when I have to swap between several tools to do what I
> need to do. There is just so many buts and ifs. "You can do this but
> you cant do this.  To do this use this. For this use that. And then
> try this. If all else fails script "
>
> I admit I was ranting a bit when asking why is this named and like
> such and the discrepencies in the docs and syntax help of command line
> tools. My sincere apologies for been anal.
>
> Is it too much to ask, to have at the very least a reliable command
> line or GUI tool (ldp) to configure perms just the way I want and
> need? Actually I don care even if I have to use a series of command
> line apps. I dont care how complex it is/willbe right now. I just want
> something that works. And I want the tool from MSFT. For free ;0)
>
> Please!
>
> Cheers
>
> M@
>
>
> P.S. thanks once again for reading, for escalating, for laughing, for
> educating , the kind words, hugs
> Control-H,Control-H,Control-H,Control-H,Control-H, etc...
>
>
>
> O

Re: [ActiveDir] Test Environments

[Matt Hargraves]

It sounds like you have a good test environment.  The only problem is that people may be scheduling their testing a little too tightly.  They need to understand that this is a *TEST* environment.  That means it's in a constant state of relative flux and that at any point in time, it could possibly go down for an hour or even possibly a day or two.  It will largely be available, but it's not production and they shouldn't be expecting to receive the level of support and uptime that they receive in the production environment.  If they expect that, they need to find a way to test outside your test environment.  If their schedules are slipping because of the availability of the test environment, then they're not putting enough extra time into their plans and need to start consulting you before deciding when to test and how much time it's going to take.
It may sound like I'm being harsh on them, but it sounds like they are really expecting too much from a test environment and that's because there isn't enough consulting occuring.  It really sounds like you need to possibly make a "Testing calendar" so that everyone (or maybe even just you) have a list of applications that are being tested in the environment and when schema updates and other items which can affect multiple tests that are ongoing occur, the relevant persons can be notified so if they need to reschedule their testing or adjust their testing schedule, they can.
On 7/25/06, WATSON, BEN <[EMAIL PROTECTED]> wrote:













I was hoping to get some input from some of you to better
understand how you handle the design of test environments for application
testing.  For example, I built a so-called "Offnet" which is a
duplicate of our production domain.  We have a couple domain controllers
restored from tape backup, we have Exchange running, and various other
production services using the same domain name and hostnames providing for a
very production-like test environment.  As time progressed, other production
servers duplicated themselves into this test environment and we now have quite
a number of people doing the majority of their testing in this
environment.  Unfortunately, as more and more people have begun to use
this environment for testing, we have found that people are beginning to step
on each others toes.  For instance, I used this test environment to walk
through the domain upgrade to 2003 and when there was some downtime other
people were unable to do their own testing.

 

So I was curious, how do you handle providing a working test
environment for people that need it?  At this point, we are trying to
determine a better way for people to do their testing away from production.

 

Thanks,

~Ben

RE: [ActiveDir] Reset home page via GPO

[Larry Wahlers]

David Adner wrote:
> 
> > This IE setting can be applied via "policy mode" or 
> > "preferences mode".
> > Policy mode is what you normally think of when configuring 
> > GPO settings in
> > that it'll be reset if a user ever changes it.  Preferences 
> mode only
> > changes the initial value but allows the user to change it 
> > afterwards if
> > they like without having it switch back each time GPOs are applied.
> > Instead, it is only reset if the GPO itself is modified.

I hate to beat this dead horse, but the client wants the "policy mode"
enabled. I did that on the DC, did the gpupdate /force, but it's not
working. Folks who change the forced IE home page to be their own custom
one can reboot their computers, log in, and they still get their custom
home page, not the GPO forced home page.

Now, I linked the GPO to an OU that has OU's beneath it, one for users,
one for admins, one for groups, etc. Group Policy Results Wizard shows
that the GPO is a winning GPO, but the actual results are, it is not
being enforced.

What am I missing here? How can I enforce this GPO so that every time a
person logs in, they get the GPO-forced home page?

Thanks, folks!

-- 
Larry Wahlers
Concordia Technologies
The Lutheran Church - Missouri Synod
mailto:[EMAIL PROTECTED]
direct office line: (314) 996-1876
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

RE: [ActiveDir] Enumerating Group type and Mebership...

[Laura A. Robinson]

What 
is "everything [you] need", specifically?
 
Thanks,
 
Laura

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Mike 
  HogenauerSent: Tuesday, July 25, 2006 2:49 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Enumerating Group 
  type and Mebership...
  
  
  All, 
   
  I’m trying to enumerate all groups in my AD environment. I 
  need to get Group name group type and group members for each group… 
  
   
  I’ve tried some sample _vbscript_s from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx 
  
   
  Then I tried (below) but It still doesn’t seem to pull back 
  everything I need- Any help would be great! In a perfect world - J -  I need a list of all security 
  groups and distribution groups and their members 
  Thanks,
  Mike 
   
  Enumerate Security Groups and Member in 
  Domain
   
  csvde -f c:\tmp\SecurityGroups.csv -p subtree -l 
  cn,mail,member  -r 
  "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640" 
  -j c:\tmp
   
   
  Enumerate Distribution Groups and Member in 
  Domain
   
  csvde -f c:\tmp\DistributionLists.csv -p subtree -l 
  cn,mail,member  -r 
  "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2" 
  -j c:\tmp
   
   

RE: [ActiveDir] Mail Run

[Brian Desmond]

Yeah I know there’s separate attributes…This client currently
has in the GAL: First, Middle, Last, Email Address. Anything else is added
value.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Al Mulnick
Sent: Tuesday, July 25, 2006 1:45 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Mail Run





 

there's a separate field for
zip (postalcode IIRC), city, state etc. Everything else goes into that
mutli-valued field. Sometimes I'll also put mail stop in the office attribute,
but that seems out of place a lot of times.  Depends on the company and
how they prefer to see it written out, but it seems a natural fit for the
streetAddress field. 



On 7/25/06, Brian Desmond <[EMAIL PROTECTED]> wrote:








Yeah I was thinking of that.
I'll have to tweak the flow rul in MIIS.

 

Do you usually do the whole
address or just the street address?

 

e.g.

 

100 S Wacker

 

Or

 

100 S Wacker

Chicago, IL 60606





 

Thanks,

Brian Desmond

[EMAIL PROTECTED] 

 

c - 312.731.3132

 











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
] On Behalf Of Al Mulnick
Sent: Tuesday, July 25, 2006 11:38 AM






To: ActiveDir@mail.activedir.org

Subject: Re: [ActiveDir] Mail Run









 



I've been a fan of putting it in the streetAddress attribute in past
implementations.  That puts the information in the same nice neat box as
the rest of the address information.





 





Best method I've had is to open Outlook, look at the GAL properties for a
user, and decide where it should fit based on what's available.  Sure, you
could modify the display, but that's a PITA in my experience.  If you can
use what's there, it makes it easier when upgrades occur etc as you wouldn't
have to worry about that being overwritten and so forth. Not that it is, but
rather you wouldn't have to be concerned about it which is far more important.
Once you figure out which one you want, modify it in a test case, rebuild the
GAL and view again. Repeat until you have it the way you want it and then
deploy directory wide. 





 





Al

 





On 7/25/06, Brian Desmond <[EMAIL PROTECTED]
> wrote: 







Yeah I think so – when they
say your on mail run 33 you're in a group of facilities who are all ser ved by
thte same truck I think.





 

Thanks,

Brian Desmond

[EMAIL PROTECTED]


 

c - 312.731.3132

 











From: [EMAIL PROTECTED]
[mailto:
[EMAIL PROTECTED] ] On Behalf Of Al Mulnick
Sent: Tuesday, July 25, 2006 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Mail Run









 

What's a mail run? Is that the same as a mail
stop? 



On 7/24/06, Brian Desmond <
[EMAIL PROTECTED] > wrote: 







Does anybody have recommendations for what attribute to store a user's mail
run in? I'm looking for something that shows up in the GAL but I'm drawing a
blank.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]


 

c - 312.731.3132

 









 











 











 

[ActiveDir] Enumerating Group type and Mebership...

[Mike Hogenauer]

All, 

 

I’m trying to enumerate all groups in my AD environment.
I need to get Group name group type and group members for each group… 

 

I’ve tried some sample _vbscript_s from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx


 

Then I tried (below) but It still doesn’t seem to pull
back everything I need- Any help would be great! In a perfect world - J -  I need a list of all security
groups and distribution groups and their members 

Thanks,

Mike 

 

Enumerate Security Groups and Member in Domain

 

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l
cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640"
-j c:\tmp

 

 

Enumerate Distribution Groups and Member in Domain

 

csvde -f c:\tmp\DistributionLists.csv -p subtree -l
cn,mail,member  -r "(|(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2"
-j c:\tmp

 

 

Re: [ActiveDir] Mail Run

[Al Mulnick]

there's a separate field for zip (postalcode IIRC), city, state etc. Everything else goes into that mutli-valued field. Sometimes I'll also put mail stop in the office attribute, but that seems out of place a lot of times.  Depends on the company and how they prefer to see it written out, but it seems a natural fit for the streetAddress field.

On 7/25/06, Brian Desmond <[EMAIL PROTECTED]> wrote:




Yeah I was thinking of that. I'll have to tweak the flow rul in MIIS.
 
Do you usually do the whole address or just the street address?
 
e.g.
 
100 S Wacker
 
Or
 
100 S Wacker
Chicago, IL 60606

 
Thanks,
Brian Desmond
[EMAIL PROTECTED]

 
c - 312.731.3132
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
] On Behalf Of Al MulnickSent: Tuesday, July 25, 2006 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Mail Run



 

I've been a fan of putting it in the streetAddress attribute in past implementations.  That puts the information in the same nice neat box as the rest of the address information.

 

Best method I've had is to open Outlook, look at the GAL properties for a user, and decide where it should fit based on what's available.  Sure, you could modify the display, but that's a PITA in my experience.  If you can use what's there, it makes it easier when upgrades occur etc as you wouldn't have to worry about that being overwritten and so forth. Not that it is, but rather you wouldn't have to be concerned about it which is far more important. Once you figure out which one you want, modify it in a test case, rebuild the GAL and view again. Repeat until you have it the way you want it and then deploy directory wide. 


 

Al 

On 7/25/06, Brian Desmond <[EMAIL PROTECTED]
> wrote: 



Yeah I think so – when they say your on mail run 33 you're in a group of facilities who are all ser ved by thte same truck I think.

 
Thanks,
Brian Desmond

[EMAIL PROTECTED] 
 
c - 312.731.3132
 




From: 
[EMAIL PROTECTED] [mailto:
[EMAIL PROTECTED] ] On Behalf Of Al MulnickSent: Tuesday, July 25, 2006 9:46 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Mail Run

 
What's a mail run? Is that the same as a mail stop? 

On 7/24/06, Brian Desmond <
[EMAIL PROTECTED] > wrote: 



Does anybody have recommendations for what attribute to store a user's mail run in? I'm looking for something that shows up in the GAL but I'm drawing a blank.
 
Thanks,
Brian Desmond

[EMAIL PROTECTED] 
 
c - 312.731.3132
 
 
 

RE: [ActiveDir] Mail Run

[Brian Desmond]

Yeah I was thinking of that. I’ll have to tweak the flow rul in
MIIS.

 

Do you usually do the whole address or just the street address?

 

e.g.

 

100 S Wacker

 

Or

 

100 S Wacker

Chicago, IL 60606

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 







From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, July 25, 2006 11:38 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Mail Run





 



I've been a fan of putting it in the streetAddress attribute
in past implementations.  That puts the information in the same nice neat
box as the rest of the address information.





 





Best method I've had is to open Outlook, look at the GAL
properties for a user, and decide where it should fit based on what's
available.  Sure, you could modify the display, but that's a PITA in my
experience.  If you can use what's there, it makes it easier when upgrades
occur etc as you wouldn't have to worry about that being overwritten and so
forth. Not that it is, but rather you wouldn't have to be concerned about it
which is far more important. Once you figure out which one you want, modify it
in a test case, rebuild the GAL and view again. Repeat until you have it the way
you want it and then deploy directory wide. 





 





Al

 





On 7/25/06, Brian Desmond <[EMAIL PROTECTED]> wrote:








Yeah I think so – when they
say your on mail run 33 you're in a group of facilities who are all ser ved by
thte same truck I think.





 

Thanks,

Brian Desmond

[EMAIL PROTECTED] 

 

c - 312.731.3132

 











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
] On Behalf Of Al Mulnick
Sent: Tuesday, July 25, 2006 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Mail Run









 

What's a mail run? Is that the same as a mail
stop? 



On 7/24/06, Brian Desmond <[EMAIL PROTECTED]
> wrote: 







Does anybody have recommendations for what attribute to store a user's mail
run in? I'm looking for something that shows up in the GAL but I'm drawing a
blank.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]


 

c - 312.731.3132

 









 











 

RE: [ActiveDir] Securing DFS

[Lucas, Bryan]

Thanks to all for the helpful  feedback so
far.

 


 Great,
 I’ll look at changing the Everyone to down to READ and perhaps
 pursue the Authenticated Users as well.
 Yes,
 we’re currently only replicating the hierarchy of shares and not
 doing file-replication.  Our few tests of file replication a long time ago
 did not go very well so we’ve never pursued it since.  
 I
 glanced over the improvements in R2 and it certainly makes sense to
 upgrade.  Is it possible to upgrade/migrate or does it require building a
 new root.  Here is our we are setup.


 

We currently have 5 DC’s.

DC3 is the sole Win2000 SP4 and houses only
DFS root we have:  \\tcu.edu\dfs1  There
is no replication of the root structure at the moment.

DC4 through DC7 are Win2003 SP1

 

All of our users and processes reference
that root path (e.g. \\tcu.edu\dfs1\sharename)
and changing the name would be a nightmare.  Maximum downtime would probably be
48-72 if the new root couldn’t be brought up with the same name
simultaneously on another DC.

 

Upgrading DC3 is potentially an option,
however it is much older hardware.

 



Bryan Lucas

Server Administrator

Texas Christian University











From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Kevin Brunson
Sent: Tuesday, July 25, 2006 9:06
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing
DFS



 

Good call, if not using replication then
2000 does a dfs root just fine

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 1:53
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing
DFS



 

changing the permissions to read only on
the DFS roots is no issue at all (doesn't matter what type of server the root is
hosted on - DC or member). I'd actually replace everyone with Auth. Users at
the same time.

 

as for Kevin's other comment on using
Win2000 for DFS vs. Win2003 or R2 - totally agree that especially R2 has
extensive improvements in the DFS service itself and especially in the
file-replication engine (DFS-R). But if Bryan
is not using file-replication in this Win2000 environment and "only"
needs to build a hierarchy of shares, he can already get quite far with Win2000
DFS roots.  Ofcourse there have been advancement such as multiple DFS
roots per server in 2003 and further cool stuff for the basic DFS service in
R2, such as sub-folder hierarchy for the DFS links, but Bryan may not need
them.

 

Fully agree though, if file replication
is involved, DFS-R in R2 is much preferred over FRS in Win2000 and Win2003
(RTM). Really depends on your situation if you need it.

 

/Guido

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
 Brunson
Sent: Monday, July 24, 2006 11:50
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing
DFS

I have never had any problems caused by
changing permissions on a DFS root.  One thing to consider before you move
too far down the road of configuration though is if you really want to invest
in a 2000 DFS structure when the 2003 R2 DFS structure is so much more robust
and reliable.  I have had and heard of countless problems with 2000
DFS.  I have not had any problems with 2003 R2 DFS at all.  If you
decide to move forward with 2000 DFS, be aware that they will probably stop
replicating occasionally.  You will then spend hours
troubleshooting.  Seriously it is worth building this on 2003 R2 servers
even if you don’t currently have any, if you are doing anything with
DFS.  I know that is not what you are asking, sorry.  

Anyone disagree?

Kevin
 Brunson

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Lucas,
 Bryan
Sent: Monday, July 24, 2006 4:07
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS



 

We built a DFS Root on a windows 2000 domain controller and
the root of the share has “Everyone” Full Control.  E.g. if I
go to \\domain.com, right click on the dfs
root’s properties, the security tab.

 

Can I simply take FC away?  I’m a bit hesitant
because it lives on the DC and came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

 

Re: [ActiveDir] Mail Run

[Al Mulnick]

I've been a fan of putting it in the streetAddress attribute in past implementations.  That puts the information in the same nice neat box as the rest of the address information.
 
Best method I've had is to open Outlook, look at the GAL properties for a user, and decide where it should fit based on what's available.  Sure, you could modify the display, but that's a PITA in my experience.  If you can use what's there, it makes it easier when upgrades occur etc as you wouldn't have to worry about that being overwritten and so forth. Not that it is, but rather you wouldn't have to be concerned about it which is far more important. Once you figure out which one you want, modify it in a test case, rebuild the GAL and view again. Repeat until you have it the way you want it and then deploy directory wide. 

 
Al 
On 7/25/06, Brian Desmond <[EMAIL PROTECTED]> wrote:




Yeah I think so – when they say your on mail run 33 you're in a group of facilities who are all ser ved by thte same truck I think.

 
Thanks,
Brian Desmond
[EMAIL PROTECTED]

 
c - 312.731.3132
 




From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
] On Behalf Of Al MulnickSent: Tuesday, July 25, 2006 9:46 AMTo: 
ActiveDir@mail.activedir.orgSubject: Re: [ActiveDir] Mail Run

 
What's a mail run? Is that the same as a mail stop? 

On 7/24/06, Brian Desmond <[EMAIL PROTECTED]
> wrote: 



Does anybody have recommendations for what attribute to store a user's mail run in? I'm looking for something that shows up in the GAL but I'm drawing a blank.
 
Thanks,
Brian Desmond

[EMAIL PROTECTED] 
 
c - 312.731.3132
 
 

[ActiveDir] Test Environments

[WATSON, BEN]

I was hoping to get some input from some of you to better
understand how you handle the design of test environments for application
testing.  For example, I built a so-called “Offnet” which is a
duplicate of our production domain.  We have a couple domain controllers
restored from tape backup, we have Exchange running, and various other
production services using the same domain name and hostnames providing for a
very production-like test environment.  As time progressed, other production
servers duplicated themselves into this test environment and we now have quite
a number of people doing the majority of their testing in this
environment.  Unfortunately, as more and more people have begun to use
this environment for testing, we have found that people are beginning to step
on each others toes.  For instance, I used this test environment to walk
through the domain upgrade to 2003 and when there was some downtime other
people were unable to do their own testing.

 

So I was curious, how do you handle providing a working test
environment for people that need it?  At this point, we are trying to
determine a better way for people to do their testing away from production.

 

Thanks,

~Ben

RE: [ActiveDir] Mail Run

[Brian Desmond]

Yeah I think so – when they say your on mail run 33 you’re in a
group of facilities who are all ser ved by thte same truck I think.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED]

 

c - 312.731.3132

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Al Mulnick
Sent: Tuesday, July 25, 2006 9:46 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Mail Run





 

What's a mail run? Is that the
same as a mail stop? 



On 7/24/06, Brian Desmond <[EMAIL PROTECTED]> wrote:








Does anybody have recommendations for what attribute to store a user's mail
run in? I'm looking for something that shows up in the GAL but I'm drawing a
blank.

 

Thanks,

Brian Desmond

[EMAIL PROTECTED] 

 

c - 312.731.3132

 









 

RE: [ActiveDir] Securing DFS

[Kinzer, Lowell]

Folks 
who want multiple Dfs roots on Windows Server 2003 Standard Edition without upgrading to Enterprise or R2 can have them by 
installing the hotfix available in the following Microsoft Knowledge Base 
article:"You cannot create more than one domain-based DFS 
namespace on a computer that is running Windows Server 2003, Standard 
Edition"

 
I've been running it on four servers for over six 
months and have had no problems with 
it.
 
Cheers,Lowell---Lowell 
KinzerACS/Microcomputer 
SupportUniversity of California, San 
Diego[EMAIL PROTECTED]

  
  
  From: [EMAIL PROTECTED] 
  [mailto:[EMAIL PROTECTED] On Behalf Of Kevin 
  BrunsonSent: Tuesday, July 25, 2006 7:06 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Securing 
  DFS
  
  
  Good call, if not 
  using replication then 2000 does a dfs root just 
  fine
   
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Grillenmeier, 
  GuidoSent: Tuesday, July 25, 
  2006 1:53 AMTo: 
  ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Securing 
  DFS
   
  changing the 
  permissions to read only on the DFS roots is no issue at all (doesn't matter 
  what type of server the root is hosted on - DC or member). I'd actually 
  replace everyone with Auth. Users at the same 
  time.
   
  as for Kevin's 
  other comment on using Win2000 for DFS vs. Win2003 or R2 - totally agree that 
  especially R2 has extensive improvements in the DFS service itself and 
  especially in the file-replication engine (DFS-R). But if Bryan is not using 
  file-replication in this Win2000 environment and "only" needs to build a 
  hierarchy of shares, he can already get quite far with Win2000 DFS 
  roots.  Ofcourse there have been advancement such as multiple DFS roots 
  per server in 2003 and further cool stuff for the basic DFS service in R2, 
  such as sub-folder hierarchy for the DFS links, but Bryan may not need 
  them.
   
  Fully agree though, 
  if file replication is involved, DFS-R in R2 is much preferred over FRS in 
  Win2000 and Win2003 (RTM). Really depends on your situation if you need 
  it.
   
  /Guido
   
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Kevin BrunsonSent: Monday, July 24, 2006 11:50 
  PMTo: ActiveDir@mail.activedir.orgSubject: RE: [ActiveDir] Securing 
  DFS
  I have never had any 
  problems caused by changing permissions on a DFS root.  One thing to 
  consider before you move too far down the road of configuration though is if 
  you really want to invest in a 2000 DFS structure when the 2003 R2 DFS 
  structure is so much more robust and reliable.  I have had and heard of 
  countless problems with 2000 DFS.  I have not had any problems with 2003 
  R2 DFS at all.  If you decide to move forward with 2000 DFS, be aware 
  that they will probably stop replicating occasionally.  You will then 
  spend hours troubleshooting.  Seriously it is worth building this on 2003 
  R2 servers even if you don’t currently have any, if you are doing anything 
  with DFS.  I know that is not what you are asking, sorry.  
  
  Anyone 
  disagree?
  Kevin 
  Brunson
   
  
  
  
  
  From: 
  [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
  On Behalf Of Lucas, 
  BryanSent: Monday, July 24, 
  2006 4:07 PMTo: 
  ActiveDir@mail.activedir.orgSubject: [ActiveDir] Securing 
  DFS
   
  We built a DFS Root on a windows 
  2000 domain controller and the root of the share has “Everyone” Full 
  Control.  E.g. if I go to \\domain.com, right click on the dfs root’s 
  properties, the security tab.
   
  Can I simply take FC away?  
  I’m a bit hesitant because it lives on the DC and came this way by 
  default.
   
  Bryan 
  Lucas
  Server 
  Administrator
  Texas 
  Christian University
   

Re: [ActiveDir] Mail Run

[Al Mulnick]

What's a mail run? Is that the same as a mail stop? 
On 7/24/06, Brian Desmond <[EMAIL PROTECTED]> wrote:




Does anybody have recommendations for what attribute to store a user's mail run in? I'm looking for something that shows up in the GAL but I'm drawing a blank.
 
Thanks,
Brian Desmond
[EMAIL PROTECTED]

 
c - 312.731.3132
 

RE: [ActiveDir] Securing DFS

[Kevin Brunson]

Good call, if not using replication then
2000 does a dfs root just fine

 









From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, July 25, 2006 1:53
AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing
DFS



 

changing the permissions to read only on
the DFS roots is no issue at all (doesn't matter what type of server the root
is hosted on - DC or member). I'd actually replace everyone with Auth. Users at
the same time.

 

as for Kevin's other comment on using
Win2000 for DFS vs. Win2003 or R2 - totally agree that especially R2 has
extensive improvements in the DFS service itself and especially in the
file-replication engine (DFS-R). But if Bryan
is not using file-replication in this Win2000 environment and "only"
needs to build a hierarchy of shares, he can already get quite far with Win2000
DFS roots.  Ofcourse there have been advancement such as multiple DFS
roots per server in 2003 and further cool stuff for the basic DFS service in
R2, such as sub-folder hierarchy for the DFS links, but Bryan may not need
them.

 

Fully agree though, if file replication
is involved, DFS-R in R2 is much preferred over FRS in Win2000 and Win2003
(RTM). Really depends on your situation if you need it.

 

/Guido

 







From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kevin
 Brunson
Sent: Monday, July 24, 2006 11:50
PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Securing
DFS

I have never had any problems caused by
changing permissions on a DFS root.  One thing to consider before you move
too far down the road of configuration though is if you really want to invest
in a 2000 DFS structure when the 2003 R2 DFS structure is so much more robust
and reliable.  I have had and heard of countless problems with 2000
DFS.  I have not had any problems with 2003 R2 DFS at all.  If you
decide to move forward with 2000 DFS, be aware that they will probably stop
replicating occasionally.  You will then spend hours
troubleshooting.  Seriously it is worth building this on 2003 R2 servers
even if you don’t currently have any, if you are doing anything with
DFS.  I know that is not what you are asking, sorry.  

Anyone disagree?

Kevin
 Brunson

 









From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Lucas, Bryan
Sent: Monday, July 24, 2006 4:07
PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Securing DFS



 

We built a DFS Root on a windows 2000 domain controller and
the root of the share has “Everyone” Full Control.  E.g. if I
go to \\domain.com, right click on the dfs
root’s properties, the security tab.

 

Can I simply take FC away?  I’m a bit hesitant
because it lives on the DC and came this way by default.

 

Bryan Lucas

Server Administrator

Texas Christian University

 

RE: [ActiveDir] ldp in ADAM-SP1

[Grillenmeier, Guido]

well, for Win2000 and Win2003 AD that tool is DSACLS for 95% of what you
should need to do. You've already tripped over some of it's limitations
especially around handling the confidential bit - however, I have not
seen many customers that actually leverage the confidential bit yet for
anything else but OS features (for example for PKI credential roaming).
It would be nice to leverage it for many more lockdown scenarios, but
you can't use it for the base schema attributes (category 1), which
includes almost all of the interesting attributes you may want to
restrict access to.  Ofcourse you can use it for your own schema
extensions.

For file-system ACLing that tool is CALS or XCACLS - probably for 99% of
what you need to do.  Note for the FS you may also want to check out the
betas of either Windows Longhorn or the current Windows 2003 SP2 => they
include a new commandline ACLing tool called Icacls.exe, which can be
used to reset the account control lists (ACL) on files from Recovery
Console, and to back up ACLs. It can also handle replacement of ACLs
(much like subinacl) and works well with either names or SIDs. At last,
unlike Cacls.exe, Icacles.exe preserves canonical ordering of ACEs and
thus correctly propagates changes to and creation of inherited ACLs. 

DSACLs has only been updated slightly in LH, but I hope to see some more
changes prior to beta 3.

At last, depending on your requirements, you may also need to look into
changing the default security descriptor of some of the objects (for
example, check out all the default write permissions, which every user
is granted on it's own object via the SELF security principal; many
companies are still unaware of this). You can check these rights most
easily via the schema mgmt mmc (check properties of a class object, such
as user and click on the Default Security tab). 

So it's fair to say that although handling ACLs remains to be a complex
topic, you can get most of the things done with existing commandline
tools from MSFT. Sometimes it will simply be more appropriate to use the
UI for a few settings. And there is always the option to script setting
ACLs if you really have special requirements.


As for your delegation model => I would not have the goal to teach your
delegated admins how to do ACLing inside AD. I'm fine with a delegated
admin doing the security on a file-server that he completely manages on
his own. But AD security should be kept in the hand of domain and
enterprise admins (partly because it is rather complex and you only want
few folks to fiddle around with it, partly because it is plain risky to
do it otherwise).  The critical piece for most delegation models to
succeed is to build a centrally controlled OU structure (ideally
standardized for your different delegated "admin units" as I like to
call them and not to grant your data admin (= the delegated admins) any
rights to create OUs themselves (otherwise - with the current ACLing
model - you can't prevent them to configure the security of the OU).
Basically the same is true for any objects they create, but it's the OUs
that allow you to manage the security for multiple child objects at once
(and thus these need to be controlled centrally). Many more things to
share in this respect, but no delegation model is the same as any other
so you're best to understand and plan it from the ground up. There may
be similarities between many models, but for the various infrastructures
I've planned, every customer has had their special requirements.

/Guido


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, July 25, 2006 9:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Wow,

Thanks you so much for the detailed info guys. Basically my goal is
quite simple. At least it is in my head. What I want to do, is to go
through the entire case study given in the AD delegation whitepaper,
and do all of that permissions configuration entirely at command line
(where possible). I am willing to use the delegation wizard to some
extent, but as I am configuring quite a lot of permissions for an AD
design I am involved in, I would rather avoid having to use GUI tools
for this.

You see, I am going to end up as been a very privileged service
administrator and data administrator once my proposed AD design model
is in place. I expect I will be making some endeavour to train
sufficiently capable people in doing this. But I dont plan to spoon
feed. I want the guys to know to a decent level ACL'ing and if not, do
their research. At least on an adhoc basis. Then once they understand
whats involved, they can go ahead and add/modify/delete ACE's , revoke
perms, define new roles etc...

Reading this delegation doc has made me believe I can configure an
extremely secure delegation model where each role can be given just
enough to do that role. The tricky bit is the matching a trusted and
appropriately skilled person 

Re: [ActiveDir] ldp in ADAM-SP1

[Al Mulnick]

I wholeheartedly applaud the effort being put into this.  That said, I urge you to reconsider your administrative model and favor as much simplicity as is possible.  Why?  Because the best laid plans of mice and architects and all that.  

 
"The tricky bit is the matching a trusted andappropriately skilled person to the relevant role."  That makes me laugh and cringe at the same time.  Yes, it is very difficult to find that "perfect match" but at the same time I think a design should take that into account where possible. That's a design philosophy and I won't debate that for this thread.  But I would caution you that any design that has the people intricately relied upon is going to have a failure point at some point when you least can tolerate it. 

 
While you can use the command line tools as much as possible, as joe and Guido both pointed out, consider rolling your own scripts if you absolutely cannot do what you *need* to do at the GUI. But remember you can really really really^^ hurt yourself with security permissions.  Believe me, it can be ugly and it can be the undoing. 

 
Two thoughts consider as you walk through the design: 
1) You should never try to solve wetware issues with software or hardware. 
2) Complexity is the anti-security.
 
Best of luck. 
 
 
On 7/25/06, Matheesha Weerasinghe <[EMAIL PROTECTED]> wrote:
Wow,Thanks you so much for the detailed info guys. Basically my goal isquite simple. At least it is in my head. What I want to do, is to go
through the entire case study given in the AD delegation whitepaper,and do all of that permissions configuration entirely at command line(where possible). I am willing to use the delegation wizard to someextent, but as I am configuring quite a lot of permissions for an AD
design I am involved in, I would rather avoid having to use GUI toolsfor this.You see, I am going to end up as been a very privileged serviceadministrator and data administrator once my proposed AD design model
is in place. I expect I will be making some endeavour to trainsufficiently capable people in doing this. But I dont plan to spoonfeed. I want the guys to know to a decent level ACL'ing and if not, dotheir research. At least on an adhoc basis. Then once they understand
whats involved, they can go ahead and add/modify/delete ACE's , revokeperms, define new roles etc...Reading this delegation doc has made me believe I can configure anextremely secure delegation model where each role can be given just
enough to do that role. The tricky bit is the matching a trusted andappropriately skilled person to the relevant role.So you see, as there is a lot involved and this is a biginfrastructure to attempt to administer perms for 20,000 users plus
many OUs used to organise users based on the business unit (at least adozen in each geographical hub) they work in and the site (we havemore than a 40 geographical hubs and 1000 satellite sites) they arelocated at. Different levels of data admin roles. I would like to get
this right to a large extent from the moment go. Admittedly it may notbe big as in Fortune 5 ADs. But its the biggest I've had the privilegeto design and support.I figured if I test this using the case study as a lab, I will get a
good feel of whats involved in my lower level design. I am getting alittle miffed when I have to swap between several tools to do what Ineed to do. There is just so many buts and ifs. "You can do this but
you cant do this.  To do this use this. For this use that. And thentry this. If all else fails script "I admit I was ranting a bit when asking why is this named and likesuch and the discrepencies in the docs and syntax help of command line
tools. My sincere apologies for been anal.Is it too much to ask, to have at the very least a reliable commandline or GUI tool (ldp) to configure perms just the way I want andneed? Actually I don care even if I have to use a series of command
line apps. I dont care how complex it is/willbe right now. I just wantsomething that works. And I want the tool from MSFT. For free ;0)Please!CheersM@P.S. thanks once again for reading, for escalating, for laughing, for
educating , the kind words, hugsControl-H,Control-H,Control-H,Control-H,Control-H, etc...On 7/25/06, Grillenmeier, Guido <[EMAIL PROTECTED]
> wrote:> I guess Matheesha's original question has been answered as good as it> can for now with the information given. I just quickly want to comment> on the 3rd party tool aspect joe is mentioning below - naturally, before
> spending considerable money on the tools, you'd need to test if they do> what you want them to do in the first place.>> What I've found from many years of leveraging and checking different
> ACLing tools is that they also just go so far...  I've had various> different customer requests, which could not be achieved with the tools,> but could be achieved with the native ACLs (mostly talking AD here).
> After getting over the hurdles of the basics, scripting quickly becomes> your friend. I am n

RE: [ActiveDir] DNS Issue

[Wyatt, David]

PSS is already on the case.  I will report back once the fix
(hopefully!) has been identified.


Cheers so far
David



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 19:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


This is similar to the problem that we had seen before with caching and
TTLs and I believe may be addressed by this fix:
http://support.microsoft.com/kb/903720/en-us.  You could confirm it by
disabling the cache but your performance will suffer.  It has been a
while since I actually looked at this type of failure but I believe we
worked around the issue temporarily by using stub zones.  Since it looks
like a possible issue with caching and TTL I would consider opening a
case with Product Support Services (PSS) to get to the bottom of it.  


Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Monday, July 24, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


Hi Steve

Interesting findings.  Firstly, yes I am clearing the DNS Cache and not
doing ipconfig /flushdns on the DC.

I have shown the d2 output below but also see the following:

1.  Clear the DNS cache on DC
2.  Submit query for server1.nyc.test.com - success
3.  Explicitly delete the record for above host from the cache leaving
the nyc parent folder in cache. 4.  Submit query for
server1.nyc.test.com - fail 5.  Delete nyc parent folder 6.  Submit
query for server1.nyc.test.com - success

So what I think is happening is when the TTL for the cached record
expires it gets deleted (as per the manual deletion above) then
subsequent queries fail.

Note that the DNS server for test.com are QIP based - may have a
bearing?


> server1.nyc.test.com
Server:  dns1.int.mycorp.com
Address:  x.x.x.x


SendRequest(), len 62
HEADER:
opcode = QUERY, id = 15, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN



Got answer (135 bytes):
HEADER:
opcode = QUERY, id = 15, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 1,  additional
= 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
->  int.mycorp.com
type = SOA, class = IN, dlen = 47
ttl = 3600 (1 hour)
primary name server = dns1.int.mycorp.com
responsible mail addr = hostmaster.int.mycorp.com
serial  = 54966
refresh = 900 (15 mins)
retry   = 600 (10 mins)
expire  = 86400 (1 day)
default TTL = 3600 (1 hour)



SendRequest(), len 55
HEADER:
opcode = QUERY, id = 16, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN



Got answer (118 bytes):
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 1,  additional
= 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
->  mycorp.com
type = SOA, class = IN, dlen = 44
ttl = 86400 (1 day)
primary name server = name.int.com
responsible mail addr = postmaster.int.com
serial  = 2006072002
refresh = 1800 (30 mins)
retry   = 900 (15 mins)
expire  = 604800 (7 days)
default TTL = 86400 (1 day)



SendRequest(), len 47
HEADER:
opcode = QUERY, id = 17, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN



Got answer (47 bytes):
HEADER:
opcode = QUERY, id = 17, rcode = SERVFAIL
header flags:  response, auth. answer, want recursion, recursion
avail.
questions = 1,  answers = 0,  authority records = 0,  additional
= 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN


*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server failed
>


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 3:58
To: ActiveDir@mail.activedir.org; ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


David,
  A few more questions.  When you state you cleared the cache I want to
insure this me

Re: [ActiveDir] ldp in ADAM-SP1

[Matheesha Weerasinghe]

Wow,

Thanks you so much for the detailed info guys. Basically my goal is
quite simple. At least it is in my head. What I want to do, is to go
through the entire case study given in the AD delegation whitepaper,
and do all of that permissions configuration entirely at command line
(where possible). I am willing to use the delegation wizard to some
extent, but as I am configuring quite a lot of permissions for an AD
design I am involved in, I would rather avoid having to use GUI tools
for this.

You see, I am going to end up as been a very privileged service
administrator and data administrator once my proposed AD design model
is in place. I expect I will be making some endeavour to train
sufficiently capable people in doing this. But I dont plan to spoon
feed. I want the guys to know to a decent level ACL'ing and if not, do
their research. At least on an adhoc basis. Then once they understand
whats involved, they can go ahead and add/modify/delete ACE's , revoke
perms, define new roles etc...

Reading this delegation doc has made me believe I can configure an
extremely secure delegation model where each role can be given just
enough to do that role. The tricky bit is the matching a trusted and
appropriately skilled person to the relevant role.

So you see, as there is a lot involved and this is a big
infrastructure to attempt to administer perms for 20,000 users plus
many OUs used to organise users based on the business unit (at least a
dozen in each geographical hub) they work in and the site (we have
more than a 40 geographical hubs and 1000 satellite sites) they are
located at. Different levels of data admin roles. I would like to get
this right to a large extent from the moment go. Admittedly it may not
be big as in Fortune 5 ADs. But its the biggest I've had the privilege
to design and support.

I figured if I test this using the case study as a lab, I will get a
good feel of whats involved in my lower level design. I am getting a
little miffed when I have to swap between several tools to do what I
need to do. There is just so many buts and ifs. "You can do this but
you cant do this.  To do this use this. For this use that. And then
try this. If all else fails script "

I admit I was ranting a bit when asking why is this named and like
such and the discrepencies in the docs and syntax help of command line
tools. My sincere apologies for been anal.

Is it too much to ask, to have at the very least a reliable command
line or GUI tool (ldp) to configure perms just the way I want and
need? Actually I don care even if I have to use a series of command
line apps. I dont care how complex it is/willbe right now. I just want
something that works. And I want the tool from MSFT. For free ;0)

Please!

Cheers

M@


P.S. thanks once again for reading, for escalating, for laughing, for
educating , the kind words, hugs
Control-H,Control-H,Control-H,Control-H,Control-H, etc...



On 7/25/06, Grillenmeier, Guido <[EMAIL PROTECTED]> wrote:

I guess Matheesha's original question has been answered as good as it
can for now with the information given. I just quickly want to comment
on the 3rd party tool aspect joe is mentioning below - naturally, before
spending considerable money on the tools, you'd need to test if they do
what you want them to do in the first place.

What I've found from many years of leveraging and checking different
ACLing tools is that they also just go so far...  I've had various
different customer requests, which could not be achieved with the tools,
but could be achieved with the native ACLs (mostly talking AD here).
After getting over the hurdles of the basics, scripting quickly becomes
your friend. I am not saying that 3rd party tools aren't quite useful
for general ACLing stuff - it's when your own security model is complex,
the tools will often not be able to help you reach your goal.

Often this is a result of the complex ACLing rules build by MSFT
themselves. Very hard for a developer to keep up with all changes (think
of all the changes in Win2003 compared to 2000 and then with Win2003
SP1) and to understand the plethora of rules, especially when it comes
to combining specific ACLing settings set at totally different places in
the directory. A great example for this are various options to
controlling delegation of password settings (I've written this up
internally and for my upcoming Windows security book, as joe had been
pointed at in his other reply). Win2003 provides three new not so well
known extended rights, which allow domain admins to control which
delegated admin can change critical password attributes on user
accounts:

* Enable-Per-User-Reversibly-Encrypted-Password
* Unexpire-Password
* Update-Password-Not-Required-Bit

The challenge: these extended rights are set at the domain level, while
other permissions to control which delegated admin can do what in an OU
(e.g. create and manage users) are typically set at the OU level. So if
you give a delegated admin full control ov