Re: [ActiveDir] mailNickName(OT)
Now that I've shaken that turkey-induced coma: http://blogs.dirteam.com/blogs/al/archive/2006/10/05/History-Repeats-Itself.aspx

I have to say though, I am a shy person by nature. Ask anyone that knows me and they'll tell you how shy I am in person ;)

Albert, and anyone that reads the blog, I would appreciate comments. Anything I can do to make things better, I'm happy and eager to do.

Al

On 11/24/06, Albert Duro [EMAIL PROTECTED] wrote:

Could I bother you for a link to your blog? Searching on 'al mulnick blog mailnickname' (and various combinations thereof) got me all kinds of stuff, none of which seemed to be what you're referring to. C'mon, Al, you gotta get over this shyness...

- Original Message - From: Al Mulnick [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Wednesday, November 22, 2006 8:41 AM Subject: Re: [ActiveDir] mailNickName(OT)

Other than being used for access by other protocols such as POP, IMAP, and OWA, last I checked it's also the value used for the X.400-like address which is used for mail delivery internally by Exchange. You wouldn't want that to be non-unique, else you might have to call somebody like joe to come in and help clean up :)

I'm surprised that this company you're at has not gone to unique values for this. I'm equally surprised they don't have other issues with their Exchange deployment, but it's possible you haven't gotten far enough into it yet to notice some of them.

I've blogged about my thoughts regarding what should be globally unique in an AD/Exchange environment. It's a long enough blog it may even be a good candidate for an essay or possibly a sleep aid. If you want the details, have a read. The short answer is that you want every user to be unique and to have a consistent and trouble-free experience. That keeps you from being up late at night with international customers first and your local in-country customers the next day.

mailNickname is one of the attributes that should be unique, same as sAMAccountName and SMTP address (some are enforced per forest, some per domain, but all should be enforced regardless in my opinion). Since they can often feed on one another, I maintain that sAMAccountName should be the user's foundational, non-changing, never touched as long as that person is a member of the company in good standing, network ID. Exchange relies on Active Directory and as such you're better off following the same rules.

Al

On 11/22/06, joe [EMAIL PROTECTED] wrote:

The mailNickname isn't populated in a similar way to displayName. The common ways for mailNickname generation and its population are through the RUS, by CDOEXM, or by the special ADUC extension (and no, ADUC doesn't use CDOEXM). This is unlike displayName, which has ADUC as its common way to be populated. Certainly they could have done something like that but they didn't.

Changing the format is OK; most companies don't do it but some do. But if there is going to be a change, change to something that is guaranteed to be unique in your organization. Display names are very often not unique; definitely not unique at scale, which is why Al said "it don't scale". Go to any larger company in the US and type in Smith, Jones, Brown, or Johnson in the GAL and you will likely see multiple Alans, Andrews, Amys, Bobs, Carols, Freds, Johns, Steves, etc... If you are multi-national try Chang, Chen, Gupta, Singh, Lopez, Hernandez, Jannsen, Smit, Larsen, Berg, Schulz, or Schmidt.

The attribute is used quite a bit in Exchange. Where all it is used I will let some Exchange person respond if they want, but look quickly at a mailbox-enabled user and check how many times you see the value. Note that none of the other attributes that use mailNickname in their initial generation will change if you change mailNickname; you absolutely wouldn't want that, or else it would break certain types of delivery for that user.

I have seen some nasty issues in larger orgs that resulted in mailNicknames not being unique. The problems can be solved by mechanisms other than unique mailNicknames, but unique mailNicknames is by far the easiest way to handle it. I have a tool that reports bad Exchange attribute settings in an Org, and duplicate mailNickname is one of them that I flag as fairly high priority due to my experiences.

joe

-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Tom Kern Sent: Tuesday, November 21, 2006 10:07 PM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] mailNickName(OT)

Well, the company I currently work for sets the mailNickName of all users to firstname.lastname. I didn't know there was any issue with changing the format of that attribute. We have around 110,000 users mixed between Exchange and Lotus Domino and this is the format they have been using (why, I'm not
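The uniqueness rules joe and Al argue for in the thread above (unique mailNickname, sAMAccountName and SMTP address, some of which AD only enforces per domain), as an added PowerShell example that is not from the thread and is not joe's tool. It assumes the ActiveDirectory module and a global catalog reachable on port 3268 so that every domain in the forest is covered; the GC host name is a placeholder.

```powershell
# Added example (not from the thread): report duplicate mailNickname, sAMAccountName
# and SMTP addresses across the forest. Assumes the ActiveDirectory module;
# 'dc01.corp.example' is a placeholder for any global catalog server.
Import-Module ActiveDirectory

$gc    = 'dc01.corp.example:3268'   # port 3268 answers for every domain in the forest
$props = 'sAMAccountName', 'mailNickname', 'proxyAddresses'

# mailNickname is set on every mail-enabled object (users, contacts, groups), so query
# objects rather than users only; these attributes are all in the GC partial attribute set.
$recipients = Get-ADObject -Server $gc -LDAPFilter '(mailNickname=*)' -Properties $props

function Find-Duplicates {
    param([string]$Attribute, $Objects)
    $Objects |
        Where-Object { $_.$Attribute } |
        # AD and Exchange compare these values case-insensitively, so group on a folded key
        Group-Object -Property { ($_.$Attribute).ToLowerInvariant() } |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Attribute = $Attribute
                Value     = $_.Name
                Objects   = ($_.Group.DistinguishedName -join '; ')
            }
        }
}

$report = @()
$report += Find-Duplicates -Attribute 'mailNickname'   -Objects $recipients
# The DC enforces sAMAccountName uniqueness per domain only; the GC query exposes
# the cross-domain clashes that the per-domain check misses.
$report += Find-Duplicates -Attribute 'sAMAccountName' -Objects $recipients

# proxyAddresses is multi-valued: flatten each smtp:/SMTP: entry to one row, then
# compare case-insensitively (-match is case-insensitive by default in PowerShell).
$smtp = foreach ($r in $recipients) {
    foreach ($addr in @($r.proxyAddresses)) {
        if ($addr -match '^smtp:(.+)$') {
            [pscustomobject]@{ DistinguishedName = $r.DistinguishedName; smtpAddress = $Matches[1] }
        }
    }
}
$report += Find-Duplicates -Attribute 'smtpAddress' -Objects $smtp

$report | Sort-Object Attribute, Value | Format-Table -AutoSize
```

Run it as an account that can read the whole forest; the GC query is read-only. A hit on mailNickname or smtpAddress is the condition joe describes as breaking delivery, and a cross-domain sAMAccountName hit is the case Al's per-forest rule is meant to prevent.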
RE: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system
I agree with this..our production ESX infrastructure is based on 3 quad core systems..we haven't even come close to maxing the CPUs or memory but disk I/O is getting high..

Nathan Casey, Network Analyst, WGS-ISD, County of Sonoma, [EMAIL PROTECTED], (707) 565-3519

[EMAIL PROTECTED] 11/22/2006 10:41:11 AM

A pair of quad cores is a lot of horsepower for testing. I suspect you will run out of disk I/O perf and memory long before you encounter the need for a second quad core chip given the scenarios you've described.

Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Wednesday, November 22, 2006 8:55 AM To: activedir@mail.activedir.org Subject: [ActiveDir] OT: Exchange 2007 and W2K3 R2 DC's on ESX - Optimal lab system

I posted this on the VMware forum as well, but I am very interested in the opinion of the people who post to this list, and there must be some people with hands-on experience with ESX and DCs and Exchange 2007 running on VMs on top of ESX 3.0.1. I am interested in the following: We will be buying a Dell PowerEdge 2900 with either 1 Quad Core processor at 2.33 GHz or 2 Dual Core processors at 2.33 GHz. We will be using this machine in a test lab only and will be testing mainly Exchange 2007 and simulating AD issues. We would like to deploy ESX 3.0.1 (or the newest version) with several Exchange 2007 VMs and several W2K3 R2 Domain Controller VMs on it. We are deciding between the following configurations, both Dell 2900s. We will unfortunately only be buying one system, so we definitely need to make the right choice. As I said we want to buy a system with either 2 Dual Cores or 1 Quad Core, see here under:

- 1 Quad Core 2.33 GHz Processor, Xeon 5345
- 2 Dual Core 2.33 GHz Processors, Xeon 5140

Both systems will have 8 GB of 667 MHz RAM to start with. We have contacted Dell and we were told that the 5345 Xeon will be available in January at the latest. We don't really care about the price at this moment. The first thing that comes to mind when making a choice, to me, is the fact that if one Quad would not be enough, we could always plug in another one :-) at a later time. Any suggestions are greatly appreciated.

List info : http://www.activedir.org/List.aspx List FAQ: http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir@mail.activedir.org/
RE: [ActiveDir] Scaling up with AD or ADAM?
From a pure LDAP perspective you can expect similar perf numbers on AD vs. ADAM. For medium sized directories (like 10M) I'm of the opinion that there isn't a huge advantage to ADAM over AD. When you get larger (high tens of millions to hundreds of millions or billions), ADAM gets more interesting.

I would note that I tend to look at AD vs. ADAM with an eye on AD as the 'default' choice, more often than not. This stems from a more rich protocol stack on AD (Kerberos, etc.) which is only helpful. ADAM has a more constrained protocol stack. If you have entirely home grown apps this is less interesting, but if you think you might use vendor specific apps this can only help. Not trying to downplay ADAM, just want to make sure you pick the right technology for your job.

~Eric

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan Sent: Friday, November 24, 2006 8:21 AM To: ActiveDir@mail.activedir.org Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

I personally don't have any experience with ADAM at big scale, but I've heard of some really large deployments. Eric might be able to share some stories. I wouldn't be concerned about the underlying technology, as it is all based on the AD core and is quite solid and mature. I have no experience on IBM TAM, but I'd hope it can integrate with normal LDAP stores. As such, I think it should work. There probably won't be any support in the product for ADAM/AD features like fast concurrent binding that might help improve your auth performance, but that might not be a huge deal. I don't think ADFS uses that either. :)

Joe K.

- Original Message - From: [EMAIL PROTECTED] [EMAIL PROTECTED] To: ActiveDir@mail.activedir.org Sent: Thursday, November 23, 2006 10:24 PM Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

Thanks, Joe. I'll look up Eric's blog for metrics and such ASAP. :-) I was thinking ADAM was the likely choice - just wasn't sure how much production experience folks had with it (it's still new-ish), or quite how to size it. Re federation - that looks like a subsequent phase, and ADFS definitely came to mind. This customer has some IBM TAM kicking around, so that's another choice. Later, in either case. Migrating users from the live directory to the archival is no big deal -- the reason we're engaged is to put our provisioning and password management technology in.

BTW - anyone here integrated TAM (Tivoli Access Manager -- IBM's WebSSO) with ADAM? Any pointers or horror stories we should know about?

Cheers, -- Idan Shoham Chief Technology Officer M-Tech Information Technology, Inc. [EMAIL PROTECTED] http://mtechIT.com

Visit M-Tech at the Gartner Identity and Access Management Summit: http://www.gartner.com/2_events/conferences/iam1_section.jsp November 29 -- December 1; Las Vegas; Booth D.

Visit M-Tech at the FinSec trade show: http://www.misti.com/default.asp?Page=65Return=70ProductID=5305 December 4 -- 5; New York

The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful.

On Thu, 23 Nov 2006, Joe Kaplan wrote:

That's a classic scenario for ADAM. I wouldn't use AD for that as you just need bind auth for users of a web app. AD actually gives you a ton of stuff you don't need and some additional complexity. ADAM scales the same as AD, so there is no advantage from a scale point of view to use AD. I'm not sure how you would achieve the goal of the archival users in a separate directory as I don't know how you'll be able to migrate the password data in ADAM to another ADAM store. There might be a way, but I'm just not sure. I'd suggest reading up on Eric Fleischman's blog to find out some interesting stuff on ADAM perf and scale. The bottom line is that as long as you have the disk and the CPU to handle the data store, you shouldn't have any problem with an ADAM instance that size. You are many orders of magnitude away from the actual limits in the system.

As I am now a huge fan of federation technologies, I feel I would be remiss if I didn't suggest the possibility of adding that into the mix with ADFS. It can make a nice wrapper around your ADAM instance to serve as an account store and having federation capability gives you an easy way to link in identities from within the enterprise
Re: [ActiveDir] OT: Quickbooks really and truly will run without Admin rights
As per normal it's probably wrong. Intuit's developers AND support folks are clueless when it comes to permissions. Their answer when I escalated a case about QuickBooks 2006 Enterprise users needing Power User rights was that they really just needed Full Control over HKCR! (The audacity of calling a product Enterprise and requiring elevated privileges on terminal services didn't seem to make much impact with them.) I told them to shove it and tracked down the two keys outside HKLM\Software\Intuit that they actually needed. From what I remember you could get around the licensing problem by copying the license files to each user's profile under the appropriate path; doesn't look like that would be true for this version though, so they have actually made negative progress in that regard.

Thanks, Andrew Fidel

Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 11/23/2006 01:33 AM Please respond to ActiveDir@mail.activedir.org To ActiveDir@mail.activedir.org cc Subject [ActiveDir] OT: Quickbooks really and truly will run without Admin rights

http://www.quickbooks.com/Helpcenter/DoSearch.aspx?docType=DT_APPROVEDCONTENTq=QuickBooks+2007+will+not+run+if+the+Windows+user+is+a+Restricted+-+Standard+Userp=SG_QuickBooksPremier2007

KnowledgeBase Support Title: QuickBooks 2007 will not run if the Windows user is a Restricted - Standard User KB ID#: 1000152

Overview: The information below is in regards to QuickBooks 2007 not running with Windows users who have been granted restricted - standard user permissions: When starting QuickBooks, it flashes and goes away. It sometimes shows the following error message and then goes away.

LicenseUtility.cpp (888) : MESSAGE: Fri Oct 06 12:18:51 LVL_FATAL_ERROR--QuickBooks has encountered a problem. Close all open applications and restart QuickBooks. If the problem persists, insert the QuickBooks CD into your computer and then reinstall the software. If you encounter the problem again, contact Technical Support.

QuickBooks runs normally if the Windows user is an administrator. The folder permissions may have been changed by the domain policy so that QuickBooks cannot access some of the required folders under C:\Documents and Settings\All Users. Make sure that the following folders have Full Control for Everyone:

* C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client\v3
* C:\Documents and Settings\All Users\Application Data\Intuit\Entitlement Client
* C:\Documents and Settings\All Users\Application Data\Intuit\QuickBooks Enterprise Solutions 7.0 (or C:\Documents and Settings\All Users\Application Data\Intuit\Quickbooks 2007)
* C:\Documents and Settings\All Users\Application Data\Common Files\Intuit
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Company Files
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\FAM06
* C:\Documents and Settings\All Users\Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0

Please follow the steps below to change folder permissions:

1. Right-click on the Start button and select Explore.
2. Navigate to each first folder on the list above.
3. Right click on the folder and select Properties.
4. Click on the Security tab.
5. Select Everyone in Group or user names. Note: If Everyone is not listed in that window, click on Add, then type in Everyone in the Enter the object names to select and click OK. If the Multiple Names Found box pops up, select Everyone and click OK.
6. Add a checkmark to the Full Control checkbox and click OK.
7. Repeat steps 1-6 for each folder on the list above.
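The KB steps quoted above grant Full Control to Everyone on folders that every user of the machine (or terminal server) shares, including the entitlement data and the company files, so any local account can rewrite what every other user's QuickBooks reads, and can change the permissions on the folders themselves. The following is an added PowerShell example, not from the thread and not from Intuit: it reports which of the KB's folders already grant Everyone Full Control, then grants Modify to Authenticated Users instead, which covers read, write, create and delete but not changing permissions or taking ownership. The thread does not establish whether Modify is enough for QuickBooks 2007, so test it before rolling it out. The base path is the KB's XP/2003 layout; on later Windows the Application Data part lives under %ProgramData% and the Documents part under C:\Users\Public.

```powershell
# Added example (not from the thread or the KB): audit the KB's folders for
# "Everyone: Full Control" and grant Modify to Authenticated Users instead.
# Paths follow the KB's XP/2003 layout; adjust $base for other Windows versions.
$base = 'C:\Documents and Settings\All Users'
$folders = @(
    'Application Data\Intuit\Entitlement Client\v3',
    'Application Data\Intuit\Entitlement Client',
    'Application Data\Intuit\QuickBooks Enterprise Solutions 7.0',
    'Application Data\Intuit\QuickBooks 2007',
    'Application Data\Common Files\Intuit',
    'Documents\Intuit\QuickBooks',
    'Documents\Intuit\QuickBooks\Company Files',
    'Documents\Intuit\QuickBooks\FAM06',
    'Documents\Intuit\QuickBooks\Sample Company Files\QuickBooks Enterprise Solutions 7.0'
)

# Well-known SIDs, used instead of names so the script is locale-independent
$everyoneSid  = 'S-1-1-0'
$authUsers    = [System.Security.Principal.SecurityIdentifier]'S-1-5-11'
$fullControl  = [System.Security.AccessControl.FileSystemRights]::FullControl

function Test-EveryoneFullControl {
    param([System.Security.AccessControl.DirectorySecurity]$Acl)
    # Explicit and inherited Allow entries, with identities resolved to SIDs
    $rules = $Acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($ace in $rules) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $ace.IdentityReference.Value -eq $everyoneSid -and
            ($ace.FileSystemRights -band $fullControl) -eq $fullControl) {
            return $true
        }
    }
    return $false
}

foreach ($rel in $folders) {
    $path = Join-Path $base $rel
    if (-not (Test-Path -LiteralPath $path)) { continue }   # not every edition creates every folder

    $acl = Get-Acl -LiteralPath $path
    if (Test-EveryoneFullControl $acl) {
        Write-Warning "$path grants Everyone Full Control"
    }

    # Modify = read/write/create/delete on the folder and everything beneath it, without
    # the Change Permissions and Take Ownership bits that Full Control adds.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
        $authUsers, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    )
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $path -AclObject $acl
}
```

Run it elevated once per machine after installing QuickBooks. It adds the narrower grant without removing any existing Everyone entry, so the warning lines tell you which folders still need the KB's Everyone ACE removed once you have confirmed the application runs as a standard user.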
Re: [ActiveDir] OT: Quickbooks really and truly will run without Admin rights
I've been to their headquarters in the San Jose area and had meetings with some of their networking folks. Give them a chance. Seriously. They are dead serious about supporting non admin and Vista. Granted Vista is pushing that in a big way... but I've had enough meetings and calls to give them the benefit of the doubt this time.

For me... this is the bellwether tipping event in "non admin" world. From now on I can say to folks "Well Intuit goes on record as supporting Non-admin... why can't you?" This is one of THE major vendors in my space and they've come out on record as no longer demanding admin rights. That's a huge move in my book. Don't discount the impact, nor the fact that they are now setting a good example for other vendors. Not to mention, I've personally tested this (and found the 'dat' bug myself). I can attest that it works.

P.S. If you ever have an incident with a clueless support tech... holler ... as I have ways to get feedback back to folks.
[ActiveDir] Exchange 2003 management tasks overview
I am looking for an overview with all Exchange 2003 management/support tasks in it. Something like a large Excel sheet for instance. So far I have looked in the Exchange Administration Guide and the Operation Guide and there is a lot in there, like tasks and checklists and so on. I would have to go through the entire document and pick here and there some tasks out of there, the tasks have not really been summed up nicely. Is there something like an already made overview out there.
Re: [ActiveDir] Exchange 2003 management tasks overview
You could do worse than the Exchange Server Cookbook. It's got most of the common management and support tasks. There is no spreadsheet showing all the tasks, but there is an index :-) http://www.oreilly.com/catalog/exchangeckbk/

Tony

-- Original Message -- From: Victor W. [EMAIL PROTECTED] Reply-To: ActiveDir@mail.activedir.org Date: Mon, 27 Nov 2006 21:40:32 +0100
[ActiveDir] Selective auth, allowed to auth right, group policy
I have to add the allowed to auth right to a large number of workstations so that workstation admins from another domain can access them. Instead of adding that right to each computer object, is there a way to do it with group policy at the OU level? I haven't been able to find it. It's a painful manual process. We're using a selective auth external trust between forests. For other reasons, we can't set up a normal trust. Thanks...

** Charlie Kaiser W2K3 MCSA/MCSE/Security Systems Engineer Essex Credit / Brickwalk 510 595 5083 **
RE: [ActiveDir] Selective auth, allowed to auth right, group policy
GP is unnecessary, simply add the extended right at a suitable OU (as you inferred) ... you'll need the advanced ACL editor dialog to do so ... look carefully, it's there.

-- Dean Wells MSEtechnology Email: [EMAIL PROTECTED] http://msetechnology.com

-----Original Message----- From: [EMAIL PROTECTED] [mailto:ActiveDir- [EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Monday, November 27, 2006 8:29 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Selective auth, allowed to auth right, group policy
RE: [ActiveDir] Selective auth, allowed to auth right, group policy
http://technet2.microsoft.com/WindowsServer/en/library/b4d96434-0fde-4370-bd29-39e4b3cc7da81033.mspx?mfr=true

You owe me a beer for making me do your google :)

Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services, www.akomolafe.com - we know IT

Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

From: Charlie Kaiser Sent: Mon 11/27/2006 5:28 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] Selective auth, allowed to auth right, group policy
[ActiveDir] RE: [ActiveDir] Selective auth, allowed to auth right, group policy
? That shows how to do it on a per-computer basis. I found lots of references to that on Google before posting. ;-) Finding a GP way to do it eludes me, but Dean's suggestion has probably led me to a non-GP way to do it once at the OU level. It took me a while to find it even with his suggestion, but once I changed the advanced ACL editor to computer objects instead of child objects, the allowed to auth right appeared. Heck; I'll still buy you both a beer for helping me out at this hour. :-)

** Charlie Kaiser W2K3 MCSA/MCSE/Security Systems Engineer Essex Credit / Brickwalk 510 595 5083 **

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Akomolafe, Deji Sent: Monday, November 27, 2006 6:49 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Selective auth, allowed to auth right, group policy
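The OU-level change Dean points to and Charlie found in the advanced ACL editor (the Allowed to Authenticate extended right, applied to descendant computer objects), as an added PowerShell example rather than a procedure from the thread. It assumes the ActiveDirectory module (which provides the AD: drive), that the trusted forest's group can be resolved over the trust, and placeholder names for the OU, the trusted domain and the group; the two GUIDs are the schema's fixed identifiers for the Allowed-To-Authenticate control access right and the computer object class.

```powershell
# Added example (not from the thread): grant "Allowed to Authenticate" once on an OU,
# inherited by every computer object beneath it, and verify the result.
# 'OU=Workstations,DC=corp,DC=example' and 'OTHERDOM\WksAdmins' are placeholders.
Import-Module ActiveDirectory

$ou = 'OU=Workstations,DC=corp,DC=example'

# Resolve the trusted forest's group to its SID so the ACE does not depend on name lookup later
$adminsSid = ([System.Security.Principal.NTAccount]'OTHERDOM\WksAdmins').Translate(
    [System.Security.Principal.SecurityIdentifier])

# Schema-defined GUIDs: the Allowed-To-Authenticate control access right and the computer class
$allowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

$acl = Get-Acl -Path "AD:\$ou"

# ExtendedRight + objectType selects the specific control access right;
# Descendents + inheritedObjectType limits inheritance to computer objects, which is the
# "computer objects" selection Charlie had to make in the advanced ACL editor.
$ace = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
    $adminsSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $allowedToAuth,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerClass
)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify on the OU (the entry is inherit-only there) and on one computer beneath it
# (where it shows up as an inherited ACE).
$sample = Get-ADComputer -SearchBase $ou -Filter * -ResultSetSize 1
foreach ($dn in @($ou, $sample.DistinguishedName)) {
    Write-Host "ACEs for Allowed-To-Authenticate on $dn"
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.ObjectType -eq $allowedToAuth } |
        Select-Object IdentityReference, AccessControlType, InheritanceType, InheritedObjectType, IsInherited |
        Format-Table -AutoSize
}
```

Two caveats a practitioner will want: the right only passes the selective-authentication check at the domain controller, so the admins still need the usual logon and local group rights on the workstations themselves; and a computer object that has inheritance blocked (or is moved out of the OU) silently loses the ACE, which is why the verification loop checks a real computer object and not just the OU.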
RE: [ActiveDir] RE: [ActiveDir] Selective auth, allowed to auth right, group policy
Actually, the article shows how to do it at the container level also. They are just missing the extra step of going into Advanced view. Glad to know that you are not going to try to wiggle out of the beer. I put it on your tab ;)

Sincerely, Deji Akomolafe, Microsoft MVP - Directory Services, www.akomolafe.com - we know IT

Do you now realize that Today is the Tomorrow you were worried about Yesterday? -anon

-----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Charlie Kaiser Sent: Monday, November 27, 2006 6:30 PM To: ActiveDir@mail.activedir.org Subject: [ActiveDir] RE: [ActiveDir] Selective auth, allowed to auth right, group policy
RE: [ActiveDir] Scaling up with AD or ADAM?
Thanks, Eric. We're looking at a scenario where all apps would be web based, with AD or ADAM holding authentication and authorization data. It's a bit early going, so I'm not sure about the app mix yet (neither is the customer, I think). :-) Good to know that we can scale up with either AD or ADAM.

Do you have a sense of how many LDAP binds / authentications per second a typical Win2k3 server can handle? (order of magnitude stuff...)

Cheers, -- Idan Shoham Chief Technology Officer M-Tech Information Technology, Inc. [EMAIL PROTECTED] http://mtechIT.com

On Mon, 27 Nov 2006, Eric Fleischman wrote:
If you have entirely home grown apps this is less interesting, but if you think you might use vendor specific apps this can only help. Not trying to downplay ADAM, just want to make sure you pick the right technology for your job.

~Eric

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Friday, November 24, 2006 8:21 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

I personally don't have any experience with ADAM at big scale, but I've heard of some really large deployments. Eric might be able to share some stories. I wouldn't be concerned about the underlying technology, as it is all based on the AD core and is quite solid and mature.

I have no experience on IBM TAM, but I'd hope it can integrate with normal LDAP stores. As such, I think it should work. There probably won't be any support in the product for ADAM/AD features like fast concurrent binding that might help improve your auth performance, but that might not be a huge deal. I don't think ADFS uses that either. :)

Joe K.

- Original Message -
From: [EMAIL PROTECTED] [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Thursday, November 23, 2006 10:24 PM
Subject: Re: [ActiveDir] Scaling up with AD or ADAM?

Thanks, Joe. I'll look up Eric's blog for metrics and such ASAP. :-)

I was thinking ADAM was the likely choice - just wasn't sure how much production experience folks had with it (it's still new-ish), or quite how to size it.

Re federation - that looks like a subsequent phase, and ADFS definitely came to mind. This customer has some IBM TAM kicking around, so that's another choice. Later, in either case.

Migrating users from the live directory to the archival is no big deal -- the reason we're engaged is to put our provisioning and password management technology in.

BTW - anyone here integrated TAM (Tivoli Access Manager -- IBM's WebSSO) with ADAM? Any pointers or horror stories we should know about?
Cheers,

--
Idan Shoham
Chief Technology Officer
M-Tech Information Technology, Inc.
[EMAIL PROTECTED]
http://mtechIT.com
