[ActiveDir] Group Management

2005-06-28 Thread Raymond . Balaian

Hi all, sorry up front for the long
post.

I'm curious how larger organizations
manage groups in AD, with respect to authorizing users to be added to/removed
from a group. I don't mean the security around the administration,
but the supporting business processes and workflows. 

We've just centralized security administration,
and this has created a problem with group administration on quite a large
scale. 

Our security admins will get a request
to add UserA to GroupA. Since they have inherited the job, there
isn't a clear 'owner' of GroupA, be it an IT owner like the SQL group, or
a business owner like the Radiology dept. If it's a group that ultimately
gets you admin rights on all SQL servers or access to patient data...you
can see the problem developing here. The problem is really two-fold:
the security aspects, as well as the time it takes to complete the request.
(multiply it by 1500 requests a day and the admins are really
backed up)

I'm wondering if anyone has had success
with a self-service web-based request system, or something similar, and
what made it successful? Ideally, the goal here is to get a detailed
request into the admin group with all the info and approvals already in
it.

Thanks in advance,
rb



RE: [ActiveDir] Event log settings in GPO

2005-06-16 Thread Raymond . Balaian

You may also want to take a look here
if you're trying to make the event logs smaller, rather than larger, on
Windows 2003 with no SP.

http://support.microsoft.com/default.aspx?scid=kb;en-us;824245

rb


Rick Kingslan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
06/16/2005 04:06 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Event log settings in GPO

Yes, you're correct in that
you can set this on a per-OU basis with GPO. As Jorge points out,
make sure that you are complying with the processing rules of the GPO list
so that your settings are not reverted by another GPO inherited by that
OU.

Rick




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Cothern
Jeff D. Team EITC
Sent: Thursday, June 16, 2005 5:27 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Event log settings in GPO

Just want to check to ensure.
But I could say have a policy that is configured to set the maxsize
of eventlogs to 128M and have that apply to a specific group so that the
machines in that group are set to that size. And as long as this
policy was set at the top of the list in GP management then that policy
would take precedence over any policies under it. Correct?




[ActiveDir] LDAP Ping

2005-05-25 Thread Raymond . Balaian

Does anyone have detailed info on the
LDAP ping that's done during the DC locator process (or some code that
does it)? I'm putting together some performance baselines, and would
like to use as similar a process to the real thing as I can.

Also, I understand the DC response timeouts
are different for 2000 and 2003 during the locator process...client version,
not domain level, right? All the docs I can find only say 2000 and
2003, no mention of XP. Does '2003' mean XP also?

Thanks,
rb
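The locator's LDAP ping, as an added example that is not code from this thread or from Microsoft: it BER-encodes the CLDAP SearchRequest a client sends to a DC's RootDSE over UDP 389, carrying the (&(DnsDomain=...)(Host=...)(NtVer=...)) filter and asking for the Netlogon attribute, then times one round trip. The DC name, DNS domain and client name passed in are assumed placeholders; the NtVer flag values are the NETLOGON_NT_VERSION constants from MS-ADTS.

```python
import socket
import struct
import time

NT_VERSION_5, NT_VERSION_5EX = 0x2, 0x4  # NETLOGON_NT_VERSION flags (MS-ADTS 6.3.1.1)

def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV with definite length (short form, or long form above 127 bytes)."""
    n = len(payload)
    if n >= 0x80:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([tag, 0x80 | len(lb)]) + lb + payload
    return bytes([tag, n]) + payload

def ber_int(value: int, tag: int = 0x02) -> bytes:
    """Non-negative INTEGER (tag 0x02) or ENUMERATED (tag 0x0A)."""
    return ber(tag, value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big"))

def equality(attr: str, value: bytes) -> bytes:
    """Filter equalityMatch [3] { attributeDesc, assertionValue }."""
    return ber(0xA3, ber(0x04, attr.encode()) + ber(0x04, value))

def build_ldap_ping(dns_domain: str, client_host: str, msg_id: int = 1,
                    nt_ver: int = NT_VERSION_5 | NT_VERSION_5EX) -> bytes:
    """LDAPMessage { messageID, SearchRequest } for the DC locator ping: base ""
    (RootDSE), scope base, (&(DnsDomain=)(Host=)(NtVer=<LE DWORD>)), attrs [Netlogon]."""
    filt = ber(0xA0, equality("DnsDomain", dns_domain.encode())
               + equality("Host", client_host.encode())
               + equality("NtVer", struct.pack("<I", nt_ver)))
    search = ber(0x63,                                  # [APPLICATION 3] SearchRequest
                 ber(0x04, b"")                          # baseObject: RootDSE
                 + ber_int(0, 0x0A) + ber_int(0, 0x0A)   # scope base, derefAliases never
                 + ber_int(0) + ber_int(0)               # sizeLimit, timeLimit: unlimited
                 + ber(0x01, b"\x00") + filt             # typesOnly FALSE, then the filter
                 + ber(0x30, ber(0x04, b"Netlogon")))    # attributes: Netlogon
    return ber(0x30, ber_int(msg_id) + search)

def ldap_ping(dc: str, dns_domain: str, client_host: str, timeout: float = 2.0):
    """Send one ping over UDP/389; return (rtt_seconds, raw_reply), or (None, b"") on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        started = time.perf_counter()
        sock.sendto(build_ldap_ping(dns_domain, client_host), (dc, 389))
        try:
            reply, _ = sock.recvfrom(4096)   # searchResEntry with Netlogon, then searchResDone
        except socket.timeout:
            return None, b""
    return time.perf_counter() - started, reply
```

For a baseline, call ldap_ping("dc01.example.test", "example.test", "WS01") in a loop against each DC and record the returned RTT; a run of None results from one DC is the same symptom the locator sees when it times out.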



RE: [ActiveDir] Privileged Service Accounts

2005-04-05 Thread Raymond . Balaian

Thanks Ken.

We've done that with some of the accounts,
but (for example) one of these accounts is for our own software distribution
agent that runs on almost all our clients. 

rb

Adams, Kenneth W (Ken) [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
04/05/2005 11:24 AM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Privileged Service Accounts

What about setting the properties
of these accounts to allow logon to only the machines you specify? There
is a way in the properties of each account to specify the machines the
accounts can log on to. The number of machine names you can specify
is limited, so you will need to look closely at this option.
Ken Adams
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, April 05, 2005 2:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Privileged Service Accounts


We have a few privileged service accounts with known passwords (I know,
we're working on it...) and I'm looking for a way to prevent these accounts
from interactively logging on to client systems. 

The clients are NT4 through XP, in multiple domains\forests of multiple
Windows versions, which are all trusted, of course ;-) The accounts
are in a W2K3 AD with the objects themselves being secured.


I'm thinking we have to resort to a logon script that logs the user off
after some kind of warning, but I don't like it...


Any ideas? 

Thanks, 
rb 



[ActiveDir] User Migration...twice

2005-03-18 Thread Raymond . Balaian

Has anyone successfully migrated user
accounts twice, while maintaining SID history both times? 

We had a group of users migrated from
an NT domain to a W2K domain (with SID history, Quest Migrator). We
now need to migrate them again from the (now) W2K3 domain to another W2K3
domain. Can we keep both SIDs as SID History?

Thanks,
rb