Re: [ActiveDir] ldp in ADAM-SP1

2006-07-26 Thread Matheesha Weerasinghe

Thanks Guido. That helps a lot. I was going to create the role
structure but leave them unpopulated and do most of the work myself,
i.e. I am all roles!!

I was then going to populate them as and when I found skilled and
trusted chaps. I'll keep it very simple now.

Cheers

M@

P.S. Thanks again to everyone that read and responded.


On 7/26/06, Grillenmeier, Guido [EMAIL PROTECTED] wrote:

well, do as you should always do to ensure that your systems are
maintainable: keep it simple!
Don't introduce extra complexity if you don't require it. For AD ACLing
this means, don't introduce roles and permissions for users, if you do
not need that role - there is certainly no need to implement all the
roles that are described in the delegation whitepaper to maintain a
stable AD infrastructure.

most ACLing issues that I have come across were in companies that granted
their delegated admins the rights to create OUs underneath their
location-specific OU - soon afterwards they had an AD structure with OUs
and permissions that looked like a badly managed file-server...

so the issue is not so much setting ACLs in AD (which as discussed can
be a complex task to do right, depending on your needs), but more
controlling who is allowed to set ACLs. This should be done centrally by
domain and/or enterprise admins. As a rule of thumb you should not grant
any non-domain or enterprise admin the rights to create OUs and also
limit the rights to create any other objects (especially groups) to very
few delegated admins. Less critical is delegating the ability to manage
existing objects (e.g. to reset PW of user, mail-enable users and
groups, change membership of groups, etc). I also consider the rights to
create computer objects as low risk (which is usually required by local
desktop admins in branch offices).

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matheesha
Weerasinghe
Sent: Tuesday, July 25, 2006 9:18 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] ldp in ADAM-SP1

Thanks to Al and Guido for your further input. Even though it may seem
pretty obvious, I would like to know of any horror stories due to AD
ACL'ing if possible. The reason is Al's comments have made me take a
much more cautious approach to ACL'ing. I get the feeling that even
though the granular feature is there, if there aren't enough people with
the correct skill level available to maintain it, then it shouldn't be
pursued. I hope I can get that skill and that is one of the goals
here. But I may not be here all the time.

So any stories from anyone ?

M@

On 7/25/06, Al Mulnick [EMAIL PROTECTED] wrote:

I wholeheartedly applaud the effort being put into this. That said, I urge you to reconsider your administrative model and favor as much simplicity as is possible. Why? Because the best laid plans of mice and architects and all that.

"The tricky bit is the matching a trusted and appropriately skilled person to the relevant role."

That makes me laugh and cringe at the same time. Yes, it is very difficult to find that perfect match but at the same time I think a design should take that into account where possible. That's a design philosophy and I won't debate that for this thread. But I would caution you that any design that has the people intricately relied upon is going to have a failure point at some point when you least can tolerate it.

While you can use the command line tools as much as possible, as joe and Guido both pointed out, consider rolling your own scripts if you absolutely cannot do what you *need* to do at the GUI. But remember you can really really really^^ hurt yourself with security permissions. Believe me, it can be ugly and it can be the undoing.

Two thoughts to consider as you walk through the design:
1) You should never try to solve wetware issues with software or hardware.
2) Complexity is the anti-security.

Best of luck.



On 7/25/06, Matheesha Weerasinghe [EMAIL PROTECTED] wrote:
Wow,

Thank you so much for the detailed info guys. Basically my goal is quite simple. At least it is in my head. What I want to do is to go through the entire case study given in the AD delegation whitepaper, and do all of that permissions configuration entirely at the command line (where possible). I am willing to use the delegation wizard to some extent, but as I am configuring quite a lot of permissions for an AD design I am involved in, I would rather avoid having to use GUI tools for this.

You see, I am going to end up as being a very privileged service administrator and data administrator once my proposed AD design model is in place. I expect I will be making some endeavour to train sufficiently capable people in doing this. But I don't plan to spoon feed. I want the guys to know ACL'ing to a decent level and if not, do their research. At least on an ad hoc basis. Then once they understand what's involved, they can go ahead and 

Re: [ActiveDir] Enumerating Group type and Mebership...

2006-07-26 Thread AFidel

Personally I like to find a good tool if it makes my life easier. In the
area of user/group reporting one such tool is Hyena from Systemtools.com.
I'm not sure how (in)efficient its LDAP queries are when it's asked for
nested group membership but I've never had to run it against an AD
environment with more than a couple thousand users and groups. Even in
those largest cases it's returned results in minutes or less so I wouldn't
think a well setup environment would take more than say an hour for even a
large AD structure (there I go assuming). Custom scripting is great when
the problem is so trivial or so complex that standard off the shelf tools
don't make sense, but for the majority of cases they just seem like a good
investment to me =)

Andrew Fidel


Matt Hargraves [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
07/25/2006 05:54 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
cc:
Subject: Re: [ActiveDir] Enumerating Group type and Mebership...

Getting a list of groups is easy... getting it all enumerated
will be a bit more complex, though not terribly so.

The ADUC allows you to create queries and list all security groups. You
can then export this list to a file. Once you have the file, you
need to import that list into Excel (pretty easy), then run a VBScript
against it with LDAP or ADSI scripting in it (or something like that) to enumerate
group members. If they want nested members also, then you've got
a much more complex issue, but I would just state that it's not practical
and let him work with the current list.

Hopefully the resulting gargantuan file will be enough to make anyone choke
and stop making ridiculous requests that they don't understand the futility
of. Enumerating 10k groups simply so that you can toss the list out
later that week because it's just going to get more and more out of date
is worse than silly, it's a waste of company effort (and money). Make
it too easy for him to generate that report and soon he'll be wanting to
see what items they have access to in the environment, so you'll end up
enumerating out all files and shares and rights assignments on computers.




On 7/25/06, Mike Hogenauer [EMAIL PROTECTED]
wrote:
We're medium size and yes someone does want a current outdated list :)
-
Just trying to make it happen.

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Matt Hargraves
Sent: Tuesday, July 25, 2006 2:02 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Enumerating Group type and Mebership...

You either have a small environment or someone wants a
document that will be completely outdated 12 minutes after it's compiled.

Though just to be honest, I'd love to be able to click on a '+' on groups
and show their members and continue to follow the '+' if there is nesting.
That would be an awesome feature in the ADUC. Maybe I should
submit that feature request to Quest and Microsoft. 

On 7/25/06, Mike Hogenauer [EMAIL PROTECTED]
wrote:
I need all Security Groups and Distribution groups and their members

Thanks Laura!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Laura A. Robinson
Sent: Tuesday, July 25, 2006 12:00 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Enumerating Group type and Mebership...

What is everything [you] need, specifically?

Thanks,

Laura




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 2:49 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...

All,

I'm trying to enumerate all groups in my AD environment.
I need to get group name, group type and group members for each group.

I've tried some sample VBScripts from http://www.microsoft.com/technet/scriptcenter/resources/qanda/apr05/hey0419.mspx

Then I tried (below) but it still doesn't seem to pull
back everything I need - any help would be great! In a perfect world - :)
- I need a list of all security groups and distribution groups and
their members.
Thanks,
Mike

Enumerate Security Groups and Member in Domain

csvde -f c:\tmp\SecurityGroups.csv -p subtree -l cn,mail,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=-2147483644)(groupType=-2147483646)(groupType=-2147483640)))" -j c:\tmp


Enumerate Distribution Groups and Member in Domain

csvde -f c:\tmp\DistributionLists.csv -p subtree -l cn,mail,member -r "(&(objectCategory=Group)(objectClass=Group)(|(groupType=8)(groupType=4)(groupType=2)))" -j c:\tmp






Re: [ActiveDir] Managing Third-Party Users

2006-07-26 Thread AdamT

On 22/07/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

I'm curious what, if anything, anyone else is doing to use some sort of
federated system so that user management is left at the hands of the
third-party companies.  I'm curious also if anyone is aware of any
consulting groups that have done this sort of thing w/ an agnostic approach
that can fit most environments.  I'd love to get an idea of where the
industry is heading with this sort of thing.  I'm sure the topic probably
came up at DEC which I didn't have the luxury of attending.

Not sure if I understand what you're getting at here, but in terms of
pure user account management, we tend to create a separate OU for the
external company, and delegate control of it to one of their more
clueful bods.

If you're managing citrix servers, you can do the above and give them
a custom task pad without having to give them access to log on
interactively or manage services or suchlike.

--
AdamT
A casual stroll through the lunatic asylum shows that faith does not
prove anything. - Nietzsche
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Wyatt, David
I'd be interested to hear people's strategy for permissioning Windows-based file servers when the server is in a Windows 2003 domain. I have read the best practices about putting users into global groups, then putting the global groups into local groups, then permissioning the resource with the local group.
But:

1. Is it better practice to put the domain local group into a local group on the file server and then use this local group to permission the share/folder? Is this excessive? I have read something about performance or avoiding limits by using the server local group when the access token is created.

2. What shortcomings would there be in putting users into global groups then simply permissioning the global group onto the resource? We only have a single forest/domain.

I am also aware of Universal groups but let's put these to one side for the moment... ;-)


Thanks
David


This message contains confidential information and is intended only for the individual or entity named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. The sender therefore does not accept liability for any errors or omissions in the contents of this message which arise as a result of e-mail transmission. If verification is required please request a hard-copy version.

This message is provided for informational purposes and should not be construed as an invitation or offer to buy or sell any securities or related financial instruments. GAM operates in many jurisdictions and is regulated or licensed in those jurisdictions as required.



[ActiveDir] OT: Query Based Distribution Groups

2006-07-26 Thread Clay, Justin \(ITS\)

What are the rules for nesting QDGs? Most of the MS
documentation we see says that you can nest QDGs in other Universal
Distribution Groups, but when we try to add a QDG to a Universal DG, we are
unable to find the QDG. We're running Exchange 2003 Native Mode and 2003
FFL for AD. Our Exchange admins have the Exchange 2003 ADUC console installed.

What are we missing?

Thanks,

Justin

ITS ENTERPRISE SERVICES EMAIL NOTICE

The information contained in this email and any attachments is confidential and may be subject to copyright or other intellectual property protection. If you are not the intended recipient, you are not authorized to use or disclose this information, and we request that you notify us by reply mail or telephone and delete the original message from your mail system.


RE: [ActiveDir] DNS Issue

2006-07-26 Thread Wyatt, David

Steve - latest update from Microsoft regarding the DNS issue, install
hotfix 919218 which is the latest build of DNS.EXE with the KB article
dated July 19, 2006!

I'll keep you updated after the usual routine of testing the hotfix then
deploying in production then keeping fingers crossed while looking at
the MOM console...

http://support.microsoft.com/kb/919218/en-us





-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: 24 Jul 2006 19:13
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


This is similar to the problem that we had seen before with caching and
TTLs and I believe may be addressed by this fix:
http://support.microsoft.com/kb/903720/en-us.  You could confirm it by
disabling the cache but your performance will suffer.  It has been a
while since I actually looked at this type of failure but I believe we
worked around the issue temporarily by using stub zones.  Since it looks
like a possible issue with caching and TTL I would consider opening a
case with Product Support Services (PSS) to get to the bottom of it.  


Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Wyatt, David
Sent: Monday, July 24, 2006 10:44 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] DNS Issue


Hi Steve

Interesting findings.  Firstly, yes I am clearing the DNS Cache and not
doing ipconfig /flushdns on the DC.

I have shown the d2 output below but also see the following:

1.  Clear the DNS cache on DC
2.  Submit query for server1.nyc.test.com - success
3.  Explicitly delete the record for above host from the cache leaving the nyc parent folder in cache.
4.  Submit query for server1.nyc.test.com - fail
5.  Delete nyc parent folder
6.  Submit query for server1.nyc.test.com - success

So what I think is happening is when the TTL for the cached record
expires it gets deleted (as per the manual deletion above) then
subsequent queries fail.

Note that the DNS servers for test.com are QIP based - may have a
bearing?


> server1.nyc.test.com
Server:  dns1.int.mycorp.com
Address:  x.x.x.x


SendRequest(), len 62
HEADER:
opcode = QUERY, id = 15, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional = 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN



Got answer (135 bytes):
HEADER:
opcode = QUERY, id = 15, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion avail.
questions = 1,  answers = 0,  authority records = 1,  additional = 0

QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
-  int.mycorp.com
type = SOA, class = IN, dlen = 47
ttl = 3600 (1 hour)
primary name server = dns1.int.mycorp.com
responsible mail addr = hostmaster.int.mycorp.com
serial  = 54966
refresh = 900 (15 mins)
retry   = 600 (10 mins)
expire  = 86400 (1 day)
default TTL = 3600 (1 hour)



SendRequest(), len 55
HEADER:
opcode = QUERY, id = 16, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional = 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN



Got answer (118 bytes):
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
header flags:  response, auth. answer, want recursion, recursion avail.
questions = 1,  answers = 0,  authority records = 1,  additional = 0

QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
-  mycorp.com
type = SOA, class = IN, dlen = 44
ttl = 86400 (1 day)
primary name server = name.int.com
responsible mail addr = postmaster.int.com
serial  = 2006072002
refresh = 1800 (30 mins)
retry   = 900 (15 mins)
expire  = 604800 (7 days)
default TTL = 86400 (1 day)



SendRequest(), len 47
HEADER:
opcode = QUERY, id = 17, rcode = NOERROR
header flags:  query, want recursion
questions = 1,  answers = 0,  authority records = 0,  additional = 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN



Got answer (47 bytes):
HEADER:
opcode = QUERY, id = 17, rcode = SERVFAIL
header flags:  response, auth. answer, want recursion, recursion avail.
questions = 1,  answers = 0,  authority records = 0,  additional = 0

QUESTIONS:
server1.nyc.test.com, type = A, class = IN


*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server failed



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL 
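David's d2 trace above shows the resolver walking the DNS suffix search list (two NXDOMAINs for names nobody typed) before the bare name fails with SERVFAIL, which is a server-side failure and not a statement that the record is absent. The Python below is an added example, not part of any post in this thread: it pairs each SendRequest with its answer by query id over a constructed trace in the same shape (with a documentation address standing in for the redacted x.x.x.x) and labels each step so the SERVFAIL on the exact name is not mistaken for a negative answer.

```python
import re

# Constructed excerpt in the shape of the nslookup "set d2" trace quoted in the thread:
# the resolver tries the DNS suffix search list (int.mycorp.com, then mycorp.com)
# before asking for the bare name. 192.0.2.53 is a documentation address, not a real one.
SAMPLE_D2 = """\
> server1.nyc.test.com
Server:  dns1.int.mycorp.com
Address:  192.0.2.53

SendRequest(), len 62
HEADER:
opcode = QUERY, id = 15, rcode = NOERROR
QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN

Got answer (135 bytes):
HEADER:
opcode = QUERY, id = 15, rcode = NXDOMAIN
QUESTIONS:
server1.nyc.test.com.int.mycorp.com, type = A, class = IN
AUTHORITY RECORDS:
-  int.mycorp.com
type = SOA, class = IN, dlen = 47

SendRequest(), len 55
HEADER:
opcode = QUERY, id = 16, rcode = NOERROR
QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN

Got answer (118 bytes):
HEADER:
opcode = QUERY, id = 16, rcode = NXDOMAIN
QUESTIONS:
server1.nyc.test.com.mycorp.com, type = A, class = IN

SendRequest(), len 47
HEADER:
opcode = QUERY, id = 17, rcode = NOERROR
QUESTIONS:
server1.nyc.test.com, type = A, class = IN

Got answer (47 bytes):
HEADER:
opcode = QUERY, id = 17, rcode = SERVFAIL
QUESTIONS:
server1.nyc.test.com, type = A, class = IN

*** dns1.int.mycorp.com can't find server1.nyc.test.com: Server failed
"""

HEADER_RE = re.compile(r"opcode = (\w+), id = (\d+), rcode = (\w+)")
QUESTION_RE = re.compile(r"^(\S+), type = (\w+), class = (\w+)$")


def parse_d2(text):
    """Pair each SendRequest with its Got answer by query id; rcode is the response's."""
    exchanges, current, in_response = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("SendRequest("):
            in_response = False
        elif line.startswith("Got answer"):
            in_response = True
        m = HEADER_RE.match(line)
        if m:
            qid = int(m.group(2))
            current = exchanges.setdefault(qid, {"id": qid, "qname": None, "qtype": None, "rcode": None})
            if in_response:
                current["rcode"] = m.group(3)  # the request header always says NOERROR
            continue
        m = QUESTION_RE.match(line)
        if m and current is not None and current["qname"] is None:
            current["qname"], current["qtype"] = m.group(1), m.group(2)
    return [exchanges[k] for k in sorted(exchanges)]


def diagnose(exchanges, target):
    """Label each exchange relative to the name the operator actually typed."""
    verdicts = []
    for ex in exchanges:
        name, rcode = ex["qname"], ex["rcode"]
        if name == target and rcode == "SERVFAIL":
            verdict = "resolver failed on the exact name: not a negative answer, look at cache/forwarding"
        elif name == target:
            verdict = "exact name answered with %s" % rcode
        elif name.startswith(target + "."):
            verdict = "search suffix %s appended -> %s (expected)" % (name[len(target) + 1:], rcode)
        else:
            verdict = "unrelated query"
        verdicts.append((name, rcode, verdict))
    return verdicts


def final_rcode(exchanges, target):
    """rcode of the last query for the exact target, or None if it was never sent."""
    codes = [ex["rcode"] for ex in exchanges if ex["qname"] == target]
    return codes[-1] if codes else None
```

Running diagnose(parse_d2(SAMPLE_D2), "server1.nyc.test.com") yields one line per exchange; the two suffix-appended NXDOMAINs are normal search-list noise and only the third line points at the real fault.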

RE: [ActiveDir] Managing Third-Party Users

2006-07-26 Thread Laura A. Robinson
Whoops, folks, I need to amend one statement below- ADFS does construct SAML
1.1 tokens (assertions), but not 2.0. 

Thanks!

Laura 

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED] On Behalf Of 
 Laura A. Robinson
 Sent: Tuesday, July 25, 2006 3:49 PM
 To: ActiveDir@mail.activedir.org
 Subject: RE: [ActiveDir] Managing Third-Party Users
 
 ADFS, at this time, is able to consume SAML 1.1 tokens. It 
 does not, however, fully support either the SAML 1.1 or 2.0 
 specifications. ADFS does not currently construct SAML 1.1 or 
 2.0 tokens, does not support the rest of the SAML 
 specifications and does not support consumption of SAML 2.0 tokens.
 
 Having said that, I have been having many discussions with 
 the ADFS product group on this one for some time and would 
 welcome any input from this list's participants regarding 
 their thoughts on the subject of whether or not SAML support 
 is important in ADFS. If you would prefer to e-mail me your 
 thoughts off-list, please feel free to do so. This is going 
 to wreck my stealth-mode perusal of this list, but you can 
 send your thoughts to [EMAIL PROTECTED] and I will 
 collect the feedback and pass it on to Don Schmidt, with whom 
 I've had a running dialog on this subject for some months now.
 
 With all that said, any opinions I express are mine and mine 
 alone, do not reflect the opinions of my employer, etc., 
 yada, yada, yada. :-)
 
 Thanks,
 
 Laura
 
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of 
  [EMAIL PROTECTED]
  Sent: Tuesday, July 25, 2006 3:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Managing Third-Party Users
  
  As far as I know, it's partners accessing our resources.  
  Regarding ADFS, I thought it supported SAML 1.1?
  
  :m:dsm:cci:mvp | marcusoh.blogspot.com
  
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
  Sent: Monday, July 24, 2006 9:51 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Managing Third-Party Users
  
  There are a bunch of products in this space.  The two primary protocols to be concerned about are SAML and WS-Federation. ADFS is WS-Federation only. Some other products are SAML only and some support both.
  
  A lot of what you want to do depends on your scenarios.  Do you just want to let your users access partner applications or do you plan to let your partners access your applications? Maybe you need to do both?
  
  Joe K.
  - Original Message -
  From: [EMAIL PROTECTED]
  To: ActiveDir@mail.activedir.org
  Sent: Monday, July 24, 2006 3:50 PM
  Subject: RE: [ActiveDir] Managing Third-Party Users
  
  
  Thanks for your take on it, Joe.  I'm finding the same thing when it comes to the ideology.  It's not baked in very well yet... so trying to make a judgment on strategy is a bit difficult.  :)  I think I'll start looking down what Microsoft offers... problem is I'm not even sure what the competitors are ...
  
  :m:dsm:cci:mvp | marcusoh.blogspot.com
  
  -Original Message-
  From: [EMAIL PROTECTED]
  [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
  Sent: Saturday, July 22, 2006 3:43 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] Managing Third-Party Users
  
  Federation is the way of the future in these scenarios.  I'm spending about 50% of my time at work these days helping to build out our federation infrastructure and imagine that we'll be using it extensively.  We are already doing some type of federation thing with over 30 vendor-hosted apps internally (benefits, travel, surveys, etc.).  However, none of these implementations are currently using any of the standard federation protocols (SAML, WS-Fed) and suffer from expensive implementations, no reusability between implementations and dubious security.
  
  We are also looking at hosting some services internally for clients and partners and using federation as a way to allow them to authenticate with their own credentials.
  
  The big challenges right now are that with both SAML and WS-Fed as the dominant protocols out there (and WS-Fed much further behind in terms of adoption rates, but gaining due to the popularity of AD and the low cost of ADFS compared to many solutions), it is hard to say you only want to do ADFS/WS-Fed.  Our approach is to try to support both for the outbound scenario, where our users are accessing a partner resource, although we are still trying to pick a SAML 2 product yet.  We'll probably be more picky about WS-Fed for the opposite scenario as our guys like to use Windows token-based websites (like SharePoint) for custom dev and only ADFS has a really flexible solution for supporting this.
  
  The big challenges are that right now, things are still pretty early adopter, so it is hard 

RE: [ActiveDir] Enumerating Group type and Mebership...

2006-07-26 Thread MAURAT
Hello,

First, please excuse my written English.

Next, the script below enumerates all groups (and their members) of a user.
Perhaps this can help you with your needs.

Bye

 
Set FSO = CreateObject("Scripting.FileSystemObject")      ' unused below, kept from the original
Set WSHShell = WScript.CreateObject("WScript.Shell")       ' unused below, kept from the original
Set WSHNetwork = WScript.CreateObject("WScript.Network")
Set Drives = CreateObject("Scripting.Dictionary")          ' unused below, kept from the original
Set Printers = CreateObject("Scripting.Dictionary")        ' unused below, kept from the original
Set listegroupes = CreateObject("Scripting.Dictionary")    ' index -> group DN (trimmed to the CN at the end)
' Create an LDAP object
Set rootDSE = GetObject("LDAP://rootDSE")
' Create an ADO connection object
Set Con = CreateObject("ADODB.Connection")
' Create an ADO command object
Set ocommand = CreateObject("ADODB.Command")
' Get the domain this machine belongs to
sDomain = rootDSE.Get("defaultNamingContext")
Set domain = GetObject("LDAP://" & sDomain)

Nom_utilisateur = WSHNetwork.UserName
Domaine_utilisateur = WSHNetwork.UserDomain

If Not membrede(Nom_utilisateur) Then
  WScript.Echo "no group for user " & Nom_utilisateur & " (" & Domaine_utilisateur & ")"
Else
  WScript.Echo "user " & Nom_utilisateur & " is member of :" & vbCrLf
  For Each Group In listegroupes.Items
    WScript.Echo "group -- " & Group & vbCrLf
  Next
End If

' GROUP MEMBERSHIP RETRIEVAL ROUTINES ---'
Function membrede(nomuser)
  Con.Provider = "ADsDSOObject"
  Con.Open "Active Directory Provider"
  ocommand.ActiveConnection = Con

  ' build the LDAP request
  ' initialize the filters
  sfilteruser = "(&(objectClass=user)(|(name=" & nomuser & ")(sn=" & nomuser & ")(sAMAccountName=" & nomuser & ")))" ' for the user
  sfiltergroup = "(objectClass=group)" ' for groups

  ' attribute to return
  sAttribsToReturn = "memberOf" ' to retrieve the "member of" attribute (the primary group is not listed in memberOf)

  ' initialize the search depth
  sDepth = "subTree" ' everywhere in the domain

  ' direct membership
  macommand = "<" & domain.ADsPath & ">;" & sfilteruser & ";" & sAttribsToReturn & ";" & sDepth
  ocommand.CommandText = macommand

  Set rs = ocommand.Execute

  compteur = 0

  If (rs.RecordCount = 1) Then
    rs.MoveFirst
    Do
      mo = rs.Fields("memberOf").Value
      If Not IsNull(mo) Then
        For Each grp In mo
          listegroupes.Add compteur, grp
          compteur = compteur + 1
        Next
      Else
        membrede = False
        Exit Function
        ' WScript.Echo "the account " & nomuser & " belongs to no group" & vbCrLf
      End If
      rs.MoveNext
    Loop While Not rs.EOF
  Else
    membrede = False
    Exit Function
    ' WScript.Echo "Small problem"
  End If

  ' indirect membership: for each group collected so far, fetch the groups it is itself a member of
  index = 0
  Do
    macommand = "<LDAP://" & listegroupes(index) & ">;" & sfiltergroup & ";" & sAttribsToReturn & ";" & sDepth
    ' WScript.Echo macommand
    ocommand.CommandText = macommand
    Set rs = ocommand.Execute
    If (rs.RecordCount > 0) Then
      rs.MoveFirst
      Do
        mo = rs.Fields("memberOf").Value
        If Not IsNull(mo) Then
          For Each grp In mo
            ' only add groups not collected yet: circular nesting (A in B, B in A) would otherwise loop forever
            If Not AlreadySeen(grp) Then
              listegroupes.Add compteur, grp
              compteur = compteur + 1
            End If
          Next
        Else
          ' WScript.Echo "no member-of for: " & listegroupes(index)
        End If
        rs.MoveNext
      Loop While Not rs.EOF
    Else
      ' WScript.Echo "no record found"
    End If
    index = index + 1
  Loop While (index < compteur)

  ' keep only the CN: drop the leading "CN=" and everything from the first comma onwards
  For Each cle In listegroupes
    grp = Right(listegroupes(cle), Len(listegroupes(cle)) - 3)
    p = InStr(1, grp, ",", 0)
    grp = Left(grp, p - 1)
    listegroupes(cle) = grp
  Next
  membrede = True
End Function

' True if this group DN is already in the dictionary
Function AlreadySeen(dn)
  AlreadySeen = False
  For Each v In listegroupes.Items
    If StrComp(v, dn, vbTextCompare) = 0 Then
      AlreadySeen = True
      Exit Function
    End If
  Next
End Function
' END GROUP MEMBERSHIP RETRIEVAL ROUTINES ---'
 
 
 


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mike Hogenauer
Sent: Tuesday, July 25, 2006 20:49
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Enumerating Group type and Mebership...



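The two csvde exports Mike posted, Matt's suggested script over the exported list, and MAURAT's VBScript all converge on the same job: decode groupType, flatten nested membership, and do it without looping forever on circular nesting. The Python below is an added example written for this page (not code from any poster); it parses a constructed csvde-style export that, as an assumption, also requested groupType in -l, and it reports per-principal security-group counts, the number that drives access-token size.

```python
import csv
import io
from collections import defaultdict

# groupType is a bit mask of the ADS_GROUP_TYPE_* flags. The security-enabled bit
# (0x80000000) is the sign bit of a 32-bit integer, so security groups export as
# negative numbers: -2147483646 is 0x80000002 (security global), -2147483644 is
# 0x80000004 (security domain local) and -2147483640 is 0x80000008 (security
# universal); 2, 4 and 8 without that bit are the distribution-group scopes.
GT_GLOBAL = 0x00000002
GT_DOMAIN_LOCAL = 0x00000004
GT_UNIVERSAL = 0x00000008
GT_SECURITY = 0x80000000

# Constructed sample in the shape of a csvde export that also asked for groupType
# (csvde joins the values of a multi-valued attribute such as member with ';').
# Finance-Users and Finance-Leads nest each other on purpose to exercise cycle handling.
SAMPLE_CSVDE = """\
DN,cn,groupType,mail,member
"CN=FS-Finance-RO,OU=Groups,DC=corp,DC=example",FS-Finance-RO,-2147483644,,"CN=Finance-Users,OU=Groups,DC=corp,DC=example"
"CN=Finance-Users,OU=Groups,DC=corp,DC=example",Finance-Users,-2147483646,,"CN=alice,OU=Users,DC=corp,DC=example;CN=Finance-Leads,OU=Groups,DC=corp,DC=example"
"CN=Finance-Leads,OU=Groups,DC=corp,DC=example",Finance-Leads,-2147483646,,"CN=bob,OU=Users,DC=corp,DC=example;CN=Finance-Users,OU=Groups,DC=corp,DC=example"
"CN=All-Staff,OU=Groups,DC=corp,DC=example",All-Staff,8,all-staff@corp.example,"CN=alice,OU=Users,DC=corp,DC=example;CN=bob,OU=Users,DC=corp,DC=example"
"""


def decode_group_type(value):
    """Map an exported groupType (possibly negative) to (kind, scope)."""
    flags = int(value) & 0xFFFFFFFF  # reinterpret the signed 32-bit value as unsigned
    if flags & GT_GLOBAL:
        scope = "global"
    elif flags & GT_DOMAIN_LOCAL:
        scope = "domain local"
    elif flags & GT_UNIVERSAL:
        scope = "universal"
    else:
        scope = "unknown"
    return ("security" if flags & GT_SECURITY else "distribution"), scope


def parse_csvde(text):
    """Return {group DN: {"cn", "kind", "scope", "members": [member DNs]}}."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        kind, scope = decode_group_type(row["groupType"])
        members = [m for m in row["member"].split(";") if m]
        groups[row["DN"]] = {"cn": row["cn"], "kind": kind, "scope": scope, "members": members}
    return groups


def effective_members(groups, dn):
    """Flatten one group: (non-group principals, nested group DNs it pulls in).

    The visited set stops the walk on circular nesting, which a naive recursion
    (or a loop that keeps re-querying memberOf) would follow forever.
    """
    seen, principals, stack = set(), set(), [dn]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in groups[group]["members"]:
            if member in groups:
                stack.append(member)  # nested group: expand it
            else:
                principals.add(member)  # user, computer, or a group outside the export
    return principals, seen - {dn}


def security_groups_per_principal(groups):
    """Number of security groups each principal reaches through nesting: roughly the
    group SIDs its access token will carry, which is what makes tokens large."""
    reached = defaultdict(set)
    for dn, group in groups.items():
        if group["kind"] != "security":
            continue  # distribution groups never appear in a token
        principals, _ = effective_members(groups, dn)
        for principal in principals:
            reached[principal].add(dn)
    return {p: len(s) for p, s in reached.items()}


def report(groups):
    """One summary line per group, in the spirit of the report Mike was asked for."""
    lines = []
    for dn, group in sorted(groups.items()):
        principals, nested = effective_members(groups, dn)
        lines.append("%s: %s %s group, %d direct member(s), %d effective principal(s) via %d nested group(s)"
                     % (group["cn"], group["kind"], group["scope"], len(group["members"]),
                        len(principals), len(nested)))
    return lines


if __name__ == "__main__":
    exported = parse_csvde(SAMPLE_CSVDE)
    print("\n".join(report(exported)))
    for principal, count in sorted(security_groups_per_principal(exported).items()):
        print("%s -> %d security group(s)" % (principal, count))
```

On a real export the same parser applies unchanged; the only requirement is that groupType was included in the csvde -l attribute list.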


Re: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Matt Hargraves
Having gone through this quite a bit recently, I'll see if I can give you some help on this. Every security group on a user's token adds about 45 bytes to the token and sometime around 80 security groups, you can expect a token to break 4k and bump up to 8k. This will have the most impact to Exchange until you bump up to Exchange 2007 and 64-bit OS.

When debating between server local and domain groups (whether domain global or domain local), you have to decide between ease of management (domain groups) and ease on tokens (server local groups). Ideally, you will have an RBS model in place where a user is a member of a half dozen or so role-based groups which will grant access to shares instead of an Access Based Security (ABS) model. ABS creates a group (or groups) for each resource that needs access defined and then places all users and/or groups within that group. That's great in a user domain/resource domain architecture. If you don't have that though, you are just using a lot of redundant groups.

I would recommend securing your shares and/or resources with role-based groups first, then if additional persons need access to a share or resource, then grant them access through the ABS group at the domain level. Having to connect to 25 different file shares to manage share security is insane and nesting each group into 2-12 other groups ends up with a security model that quickly becomes very convoluted and difficult to map out. The one thing that an ABS model does do is make auditing access easier. But if you're making your day to day management of that model significantly more time consuming (by going with server local groups), then it's probably just easier to start defining items by RBS groups instead anyway. Not to mention that auditing server local groups is almost as much of a pain, if not more of one, as getting a tool that will go out and show you the share-level (or even file/directory level) ACLs (www.winzero.ca has one).

I know that MS recommends local server groups as an alternative when users end up with large amounts of security groups, but I feel that managing those objects is unwieldy enough (particularly in larger environments with a large number of file servers) to where you'd almost need to add a small team just to manage the shares. I'd rather double my number of Exchange servers and have everyone at 8k tokens than add 4 employees at $x per hour just to manage server local groups.

That's my take on it... I'm sure you'll end up with another 20 other opinions from 20 other people though.

On 7/26/06, Wyatt, David [EMAIL PROTECTED] wrote:



Re: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Matt Hargraves
Somehow I avoided answering your question the first time... Going global role-based group and local task-based group is pretty standard in larger environments. You create the global group to hold users and the local group to hold users. The purpose for this is so that you can nest multiple role-based groups into your task-based group and quickly modify the task-based group and have it apply across the share/resource.
The only problem with this model is being careful how you quantify when a new task-based group is needed. Be careful not to create a new task-based group (and similarly named role-based group for that task-based group) for everything under the sun or you'll find your users quickly becoming members through nesting of 100+ groups and finding your Exchange servers running out of paged pool memory space.
There are plenty of articles on Microsoft's site about Exchange and paged pool memory, you can also look at the Exchange Team Blog site (msexchangeteam.com I think).

[ActiveDir] OT: HP disk array expansion

2006-07-26 Thread James Carter
Hi,

I have a HP ML370 Proliant Server. It currently has 4 x 36GB in a RAID 5 set.

I want to upgrade the disk capacity of this server. I have bought 4 x 300GB disks as replacements.

At present I have 4 x 36GB disks in the server. I was told I could replace one disk in the RAID with a 300GB, let the RAID rebuild and do the next disk. Repeat until all of the disks are 300GB and then I can look in the ACU and create a second logical drive that sees all that new space.

Can this be done? Anyone know how long it would take to rebuild? Currently there is 90GB used in the current volume.

My other alternative is to buy a tape drive, backup, break array, create new array and then restore, but this department don't want any downtime.

Anyway, shed some light as to which is the best method to take?

thanks James

Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com

RE: [ActiveDir] OT: HP disk array expansion

2006-07-26 Thread Blair, James

James,

Have been in a similar situation on numerous occasions with HP ML350 G3/G4s. In our case we installed a firewire card and a Lacie drive or utilised the native USB to portable HD and Acronis True Image. We imaged the disks and then pulled them out and put the new ones in and imaged it back, works nicely... This solution even worked for an Exchange server and if it all fails you can simply put the old disks back in and be back where you started.

James


RE: [ActiveDir] OT: HP disk array expansion

2006-07-26 Thread Kevin Brunson

If you do it that way, I would make sure you've got the network cable unplugged when you boot it after imaging. Depending on what you are using the server for it could cause problems.

I had a customer follow this path with a domain controller. He booted the server from the old drives after copying the image to the new drive set, and then booted it from the new drives. Active Directory considered this an abnormal USN rollback, and gave him all kinds of fits. It took me at least an hour getting replication working again. Don't plug the network cable back in until you are sure you have the server ready to go.

Kevin


RE: [ActiveDir] OT: HP disk array expansion

2006-07-26 Thread Derek Harris

This sounds like the safest way to do it, but you will have some downtime. I've done it (on a Dell box) the way you described: swapping one disk at a time, and there is downtime that way, too (in addition to the severe performance hit of the array having to rebuild several times).


RE: [ActiveDir] OT: HP disk array expansion

2006-07-26 Thread David Cliffe

Hi James,

I can tell you that I've used the method suggested to you below [replace one disk at a time] on a DL380 G1 running Windows 2003. I did exactly as you described, but I may have taken very slightly different steps afterwards (it's been a while). After the disk swaps I think I expanded my existing array from ACU, and then ran DISKPART (in the 2003 OS) to extend the existing volume (basic disks).

Anyway, it worked without a hitch in that scenario.

-DaveC


To find out more about Reuters visit www.about.reuters.com

Any views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Reuters Ltd.




[ActiveDir] Question on restricted group policy.

2006-07-26 Thread John Strongosky

Hey,

Created a restricted group policy for my domain that adds some groups to the local administrators group of the workstations. My question is now management wants me to delete it. If I understand the way this works, if I delete it then it will delete the groups that were associated with this policy, thus leaving nobody in the local admin group. Am I correct...

v/r
john



RE: [ActiveDir] Question on restricted group policy.

2006-07-26 Thread Laura A. Robinson

If you delete what? The GPO?

Laura


RE: [ActiveDir] Question on restricted group policy.

2006-07-26 Thread WATSON, BEN

When I wanted to do this with my domain workstations, I simply used a group policy object to deploy a startup script that added the proper security groups to the local administrators group. If I wanted to then remove these groups, I would simply edit the script and switch the /add to a /delete.

net localgroup administrators "DOMAIN\SECURITY GROUP" /add

to

net localgroup administrators "DOMAIN\SECURITY GROUP" /delete

Others may have an alternative solution, but that is what would work in my environment.

~Ben


RE: [ActiveDir] Question on restricted group policy.

2006-07-26 Thread Darren Mar-Elia

This somewhat depends upon which side of Restricted Groups you're using (i.e. "Members of this Group" or "This group is a member of"). If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy).

Darren

Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.



RE: [ActiveDir] OT: HP disk array expansion

2006-07-26 Thread Ed Buford

I would use the ghost method; I've done this numerous times with servers and never ran into a problem. All in all it really is a fast solution. And since you're doing it over the wire you can speed the process up by using gigabit components.


RE: [ActiveDir] Question on restricted group policy.

2006-07-26 Thread Derek Harris

Yes -- I've done that, and that's how it worked for me.



RE: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Dan Holme

Local groups are so 1990s <grin>; because they exist on individual systems, they are virtually un-manageable (save via Restricted Groups policies). Fugghedaboutem.

DOMAIN LOCAL groups are what you probably mean, or should mean. They exist as a single instance in Active Directory, instead of the multiple-local-groups-one-each-server model of NT4.

The best practice in a SINGLE DOMAIN (or a single active domain with an empty forest root domain) is:

    Users -> Global Groups --- Global Groups -> Domain Local Groups --- Domain Local Groups -> ACL

Users go into global groups (which in Windows Server 2000 or greater domain functional level can be further nested into other global groups if necessary).

Global groups nest into domain local groups.

ACLs are assigned to domain local groups.

In a multidomain forest, best practice is the above *OR*

    Users -> Global Groups --- Global Groups -> Universal Groups --- Universal Groups -> Domain Local Groups --- Domain Local Groups -> ACL

    Or

    Users -> Global Groups | Universal Groups -> ACL

Universal groups are really useful in multidomain forests for defining things like "My Company Executives" where each domain has a (global) Executives role defined, and those nest into a super group.

WHY this complexity? It yields optimal replication (though that's more of a technicality these days, in a single domain, since many/most organizations are making every DC a global catalog server). More importantly, it sets you up for effective role-based management in a dynamic enterprise. Domain Local Groups as the "access" group enable cross-domain access, which may not seem important to you today ("we have just one domain") but will become important the day there's a joint venture, acquisition, merger, etc. If it seems too complex to figure out the "why" then stop asking and just do it ;-)

There is no *technical* "better" or "worse" about ACLing resources to global groups. For that matter, you could ACL resources to each and every user. Why don't you do that? Because it's obviously unmanageable. Doing it to global groups is equally, if not as obviously, unmanageable, particularly in the long term. That said, there's a very minor technical difference that deals with the size of your PAC in your Kerberos ticket, so please don't take me to the mat for not detailing that; it's technical more than practical. What should be driving your design is the need for ROLE BASED MANAGEMENT of your enterprise.

Role based management, as far as resources go, should be discussed in terms of Roles (people / groups of people) and Management (in this case, managing access to a resource). Roles define "who someone is"; you could describe them by their roles (job, function, department, business unit, geographical location, seniority, etc.). Just so happens that roles should be defined using global security groups and yes, roles nest within roles (global -> global), so your departmental management role groups might very well nest into a corporate managers role group. Say, for example, that you define your brokers as to whether they are just brokers (global group: ROLE_Brokers) or supervisors (ROLE_Broker_Sups). Let's say you also have a team of auditors (ROLE_Auditors).

Management groups (for dealing with resource access, in this case) are typically domain local groups. But don't think of them as their technical scope (domain local); think of them as their purpose: to manage access to a resource. So, for example, if you have a share for your broker data, you might have the following resource access management groups that parallel specific access levels to that share:

- ACL_BrokerData_Editors (ACL = a group for access control; Editors = MODIFY permission)
- ACL_BrokerData_Contributors (Contributors = permissions to create new files/folders and to modify own creations; but read-only to other people's stuff)
- ACL_BrokerData_Readers (Read access)

With those three resource access groups, you can manage access to that resource by defining which roles get what access. Nest your role groups into your management groups (global -> domain local, technically). So your business might lead you to say "brokers can add things to this share and read but not modify other people's stuff". That would be nesting Role_Brokers into ACL_BrokerData_Contributors. Role_Broker_Sups might be given modify permission by nesting them into ACL_BrokerData_Editors. And your auditors might be nested into the ACL_BrokerData_Readers group.

You are now headed towards ROLE BASED MANAGEMENT. When an employee is promoted from broker to supervisor, you change their role membership (out of Role_Brokers, into Role_BrokerEditors) and voila, they now have access to this (and other) data store(s) based on the new role's access. Ideally, you tie your role groups to your HR system so that any change to roles of an employee are 

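The nesting design Dan describes (users into global ROLE_ groups, ROLE_ groups into domain local ACL_ groups, ACL_ groups onto the ACL), as an added example that is not from the thread or from any Microsoft tool. It models transitive group membership the way a token is built, so it also shows the group-count figure Matt and Dan warn about for Exchange: every group reached through nesting lands in the token. All users, groups and the share name are constructed sample data; nothing talks to a directory.

```python
"""Model of the users -> global ROLE_ groups -> domain local ACL_ groups -> ACL
nesting design, including the transitive membership that ends up in a user's
token.  Constructed sample data; nothing here talks to a directory."""
from collections import deque

# Permission levels; the highest one reachable through any group wins.
PERMS = {"READ": 1, "CONTRIBUTE": 2, "MODIFY": 3}

# Group -> direct members (user names or other group names).  Constructed.
MEMBERS = {
    "ROLE_Brokers": {"alice", "bob"},
    "ROLE_Broker_Sups": {"carol"},
    "ROLE_Auditors": {"dave"},
    "ROLE_Managers": {"ROLE_Broker_Sups"},            # global -> global nesting
    "ACL_BrokerData_Contributors": {"ROLE_Brokers"},  # global -> domain local
    "ACL_BrokerData_Editors": {"ROLE_Broker_Sups"},
    "ACL_BrokerData_Readers": {"ROLE_Auditors"},
}

# Resource ACLs: only domain local ACL_ groups are trustees, never users or roles.
ACLS = {
    "BrokerData share": {
        "ACL_BrokerData_Editors": "MODIFY",
        "ACL_BrokerData_Contributors": "CONTRIBUTE",
        "ACL_BrokerData_Readers": "READ",
    },
}


def token_groups(principal, members=MEMBERS):
    """Transitive group membership: every group whose SID would be in the
    principal's access token.  Breadth-first walk over member -> group edges."""
    parents = {}
    for group, direct in members.items():
        for m in direct:
            parents.setdefault(m, set()).add(group)
    seen, queue = set(), deque([principal])
    while queue:
        current = queue.popleft()
        for group in parents.get(current, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def effective_access(user, resource, members=MEMBERS, acls=ACLS):
    """Highest permission the user's token groups carry on the resource,
    or None when no ACL entry matches."""
    groups = token_groups(user, members)
    best = None
    for trustee, perm in acls[resource].items():
        if trustee in groups and (best is None or PERMS[perm] > PERMS[best]):
            best = perm
    return best


def change_role(user, old_role, new_role, members=MEMBERS):
    """Role-based management: a promotion edits role membership only.
    No ACL and no ACL_ group is touched."""
    members[old_role].discard(user)
    members[new_role].add(user)


def design_violations(acls=ACLS):
    """Lint for the model: trustees on an ACL that are not ACL_ groups
    (users or role groups ACLed directly), which the design forbids."""
    return [(res, t) for res, entries in acls.items()
            for t in entries if not t.startswith("ACL_")]
```

Promoting alice with change_role moves her from CONTRIBUTE to MODIFY on the share without any ACL edit, which is the point of the design; len(token_groups(user)) is the figure to watch as role and ACL_ layers multiply.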
RE: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Dan Holme

That's what I get for reading my inbox up, David: do read my treatise in my earlier email.

But Matt Hargraves' response did raise the one technical issue I only alluded to: token size. He's right to raise a flag about Exchange.

Depending on the complexity of your role-based design and whether you use Exchange (2003 or 2000; 2007 seems to be exempt from this issue) and your Exchange architecture, you do have to watch for the number of total groups a user belongs to. A large number of group memberships will reduce the effective maximum users per Exchange server level "somewhat", but whether that "somewhat" would be salient depends on several factors.

To tie together what Matt discussed and what I proposed, my discussion lays out a design that integrates both RBS and ABS. You definitely want role-based management. Whether you also go to the level I outlined of managing ACLs depends on your environment: more resources, more complex security, and more spread out resources and you'll be better served by the design I described. In a simpler environment (e.g. "we have a departmental share with each department having a subfolder" on the extreme side), you don't necessarily need the ABS layer.

Dan


Re: [ActiveDir] Question on restricted group policy.

2006-07-26 Thread Matt Hargraves
From my experience, Restricted Groups settings simply state what the computer (or domain controller, if you stick the setting in your DCs' GPO) will make sure the group memberships are when it checks the GPO. If you set the Administrators group to be "Domain Admins; groupa; groupb" then when the computer applies the GPO settings, it will check to make sure that the local Administrators group (or domain group for a DC) contains Domain Admins; groupa; groupb; builtin\Administrator.

Just so you know, like with any GPO setting, anyone who has the right to change that group can still change it, but when the GPO applies, the group memberships will be verified again, removing whatever was added, or adding whatever was removed. This may be 2 minutes later or 2 hours later. This is the same as if you set a service to disabled: an administrator can still change it to enabled, but when the GPO goes back through, it will re-disable the service (though if the user also started the service it will remain started until the computer is restarted or someone manually stops it).

If you remove the GPO setting, then it simply won't check the group memberships for those groups any more. Or at least that's my interpretation. Kind of like when you move a computer out of an OU where there is a GPO applied to it and into an OU without any GPOs applied to it; it won't change the current settings, though you can now manually change them and they won't be reverted.

I guess I think of a GPO as being a "Go make sure that everything is like this and if it isn't, make it like this" kind of thing, and that's the way I always see it actually get applied. If the GPO isn't there, then nothing gets altered to a previous state, but it won't continue reverting settings to what the prior GPO settings stated that they would be.
On 7/26/06, Derek Harris [EMAIL PROTECTED] wrote:

Yes -- I've done that, and that's how it worked for me.


From: Darren Mar-Elia [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 26, 2006 5:23 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Question on restricted group policy.

This somewhat depends upon which side of Restricted Groups you're using (i.e. "Members of this Group" or "This group is a member of"). If it's the former, and you clear out the users in the list but leave the local Administrators group under control, then it will clear out the members of that local Admin group on the target machines (but will leave the local Administrator account in (always)). If the latter, and you clear out the members of the group, I think what you will find is that those users/groups are simply left in the group that you made them members of. If you simply delete or unlink the GPO, then the groups should be left the way they were before you deleted/unlinked it (i.e. the group membership changes do not get unapplied in the case of restricted group policy).

Darren


Darren Mar-Elia
For comprehensive Windows Group Policy Information, check out www.gpoguy.com -- the best source for GPO FAQs, video training, tools and whitepapers. Also check out the Windows Group Policy Guide, the definitive resource for Group Policy information.



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of John Strongosky
Sent: Wednesday, July 26, 2006 4:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Question on restricted group policy.

Hey,

Created a restricted group policy for my domain that adds some groups to the local administrators group of the workstations. My question is: now management wants me to delete it. If I understand the way this works, if I delete it then it will delete the groups that were associated with this policy, thus leaving nobody in the local admin group. Am I correct...

v/r
john
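An added example, not from any post in this thread: since a Restricted Groups setting only corrects membership at the next policy refresh, a defender usually wants to see the drift before that happens. This script compares the live local Administrators group against the list the policy is meant to enforce; it assumes PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module, and the domain and group names are constructed placeholders.

```powershell
# Added example (not from the thread): report local Administrators members that a
# "Members of this group" Restricted Groups setting would remove or re-add at the
# next refresh. Assumes the Microsoft.PowerShell.LocalAccounts module.

# Constructed placeholder values; replace with the list your policy enforces.
$Expected = @(
    'CONTOSO\Domain Admins',
    'CONTOSO\groupa',
    'CONTOSO\groupb'
)

function Test-LocalAdminDrift {
    param(
        [Parameter(Mandatory)][string[]]$ExpectedMembers,
        [string]$GroupName = 'Administrators'
    )
    # Restricted Groups always leaves the built-in Administrator account (RID 500)
    # in place, so it counts as expected even if the policy does not list it.
    $builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $allowed = $ExpectedMembers + "$env:COMPUTERNAME\$($builtinAdmin.Name)"

    $current = Get-LocalGroupMember -Group $GroupName | Select-Object -ExpandProperty Name

    # PowerShell comparison operators are case-insensitive, which matches how
    # Windows compares account names.
    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Unexpected = @($current | Where-Object { $allowed -notcontains $_ })         # removed at next refresh
        Missing    = @($ExpectedMembers | Where-Object { $current -notcontains $_ }) # re-added at next refresh
    }
}

$result = Test-LocalAdminDrift -ExpectedMembers $Expected
$result | Format-List
if ($result.Unexpected.Count -gt 0) {
    Write-Warning "Unexpected local admins on $($result.Computer): $($result.Unexpected -join ', ')"
}
```

Run it under a scheduled task or from a remoting session across the workstations the GPO targets; a non-empty Unexpected list is the window between someone adding themselves and the policy undoing it.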





[ActiveDir] Read-Only Domain Controller and Server Core

2006-07-26 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

FYI:

http://blogs.msdn.com/jolson/archive/2006/07/27/679801.aspx


 Read-Only Domain Controller and Server Core




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


Re: [ActiveDir] Domain Local Groups vs Global Groups

2006-07-26 Thread Matt Hargraves
There are some considerations when you get to multidomain forests:
Domain Global groups can only contain user or global group objects from the domain they actually reside within. In other words, if your global group resides within corp.company.com then you can have *only* members that are within the corp.company.com domain. They can be members of local groups in any other domain or universal groups anywhere within the forest though. They also will not allow universal or domain local group memberships.
Thus, if you're going to have a multidomain forest, you will need to make sure that your role-based groups are inside your user domain and that you use those groups to sit in task-based groups (Domain Local groups). If all your DCs are also GCs (which there really is very little reason for them not to be, since you lose a good amount of performance by forcing authentication to go to a DC then to a GC to create a token -- if it can all be done on one machine, save yourself some headache later in life and make all your DCs GCs also).
Universal groups are useful when you have groups that will be utilized to ACL items everywhere in the environment and, no matter where the user resides, they will need that membership utilized. All Distribution List groups are automatically Universal, if I recall correctly. Universal groups can only contain users, global groups or universal groups from anywhere in the forest (or outside the forest).
Local groups can have memberships of just about any type of object, no matter where it resides within the forest. However, you can only ACL items in a particular domain with a Domain Local group if that group resides in the same domain as the resource.
There are a few different basic formats for multidomain forests...
User/Exchange domain, resource domain(s). The nice thing about this model is that you only have role-based groups in your User/Exchange domain, so group memberships are relatively low and the Exchange Servers don't have much of a problem with their paged pool memory. You'll usually run into other barriers on your Exchange box before you run out of paged pool memory with this model.
User domain, Exchange domain, Resource domain(s). I'm not really sure why anyone uses this model other than a lack of understanding of how tokens are created. Same as the above example, but you get to buy more DCs and your tokens in Exchange are probably actually larger than they would be in the above example.
Multiple user/resource domains, single Exchange domain. Again, I think that this is another example of people who don't understand token creation, same reasons as the immediately preceding example. Unless you have a lot of resources being accessed across domains (and cross domain memberships), you're probably just better off with a single forest root/domain structure than wasting money on extra DCs in this model.
Then there is the standard single forest root/domain model that smaller companies go with. This has the wonderful elegance of simplicity. For the most part there is little reason to debate between global, universal and local groups other than making sure that you don't create local groups and try to nest them within global groups. For the most part, a security group is a security group is a security group in this model. You can ACL items with them and, with the exception of nesting, there isn't a whole lot that you can do with one that you can't do with another.
For more information about how a token is created, download the doc at the bottom of the following page:
http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74aDisplayLang=en
For more information on the differences between group types, go to:
http://technet2.microsoft.com/WindowsServer/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
Going back to the conversations from before though, try and make sure that you actually create a good RBS model and *use* it. There is no reason to create a bunch of global groups for users (a site RBS group set, a job RBS group set, and a hierarchy RBS group set) and then not use them, nesting all your users in every other global group you create.
This conversation has gotten probably way more complex than you expected... hehe. That being said, I also like a combination RBS/ABS model myself. Use role-based groups to create your 'general' access to items, and then, for people who are outside those basic security groups, add them into ABS security groups for that resource. There are a few problems with this model in that you end up with a *lot* of groups, but the benefit is that your security model is able to adapt to the needs of the environment instead of making the environment adapt to your security model. You don't make your web servers run with IIS turned off because it's a security vulnerability, you just keep them in a DMZ or limit them to not being able to go outside the internal network. Don't make your security model limit your
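An added example, not from any post in this thread: the token-size and group-scope points above are easiest to reason about when you can see how many nested groups each user actually carries. This script counts a user's transitive group memberships by scope using the LDAP_MATCHING_RULE_IN_CHAIN matching rule; it assumes the RSAT ActiveDirectory module, and the warning threshold is a constructed value.

```powershell
# Added example (not from the thread): count transitive group memberships per user,
# broken down by group scope, to spot accounts whose tokens are growing because of
# deep RBS/ABS nesting. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-TokenGroupSummary {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$WarnThreshold = 500   # constructed threshold; tune for your environment
    )
    $user = Get-ADUser -Identity $SamAccountName

    # Escape the characters that are special inside an LDAP filter value.
    $dn = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) expands nested
    # membership on the DC, so global -> universal -> domain local chains are included.
    $filter = "(member:1.2.840.113556.1.4.1941:=$dn)"
    $groups = @(Get-ADGroup -LDAPFilter $filter -Properties GroupScope)

    $counts = @{ Global = 0; Universal = 0; DomainLocal = 0 }
    foreach ($g in $groups) { $counts[[string]$g.GroupScope]++ }

    [pscustomobject]@{
        User        = $SamAccountName
        Global      = $counts.Global
        Universal   = $counts.Universal
        DomainLocal = $counts.DomainLocal
        Total       = $groups.Count
        OverLimit   = ($groups.Count -gt $WarnThreshold)
    }
}

# Report the twenty enabled users carrying the most nested memberships.
Get-ADUser -Filter 'Enabled -eq $true' |
    ForEach-Object { Get-TokenGroupSummary -SamAccountName $_.SamAccountName } |
    Sort-Object Total -Descending |
    Select-Object -First 20 |
    Format-Table -AutoSize
```

Get-ADGroup only searches the domain it is pointed at, so domain local groups from other resource domains in the forest are not counted; run it once per domain (or against a GC with -Server on port 3268, which returns only global and universal groups) to see the full picture.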