RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Right there with you Rick...

Unfortunately some of the things previously chosen will be difficult, I think, to dig themselves out of. Most notably around the perms and such. There are actually things they could do in the E2K product if they would just be willing to *officially support* deviations to the main product design that came out so long ago. Like for instance all of the crappy LDAP filters and the perms that are put down by default. I would like to change a lot of those perms and filters because I think they could work (better in all cases) in other ways but the instant I start to mention them PSS Alliance starts running around with their hands in the air saying "That isn't supported that isn't supported". I do understand their point but, in my opinion, it comes down to not having a complete understanding of the product and how it works. Heck if I had a product I only knew how to support when someone was doing exactly what the book says I would be leery to let them deviate as well. Unfortunately the book wasn't written for any large company so the chapters are still being written and the PSS guys aren't the authors.

Some of the things I have heard out of PSS Alliance Exchange to explain things has been bordering on insanely ludicrous so I am now at a point where when I hear "that is unsupported" I laugh and say what else is new? Many times when we have an issue it seems we dig ourselves out and then explain to MS how we did it, we actually prefer that our onsite Exchange PSS guy not be around when we are figuring problems out as we move faster. We pull him in when we need something sent back inside to MS.

I think that they probably do very well with smaller cookie cutter installations that do everything the MS way but once you get into the custom designed environments we might as well just have the QFE coders or Product Team with us because that is where all the questions go any way only we usually have to wait until the local PSS or the Texas PSS guys feel it should go to QFE or Product Team.

We had another fun one this week. Originally it was said that the ADC install would need Ent Admin access ONLY for the first ADC install. Now we send some guys to England to set some stuff up and the day before they go the MCS guy comes to me and says hey I have some bad news. It seems the docs are wrong, we need Ent Admin access to install the ADC over in Europe... Very frustrating.

Anyway, I think Exchange Servers and the other Exchange groups have far too many perms right off the bat from the forest and domain preps. Obviously the property set setup is completely cockeyed. Having to give the app Manage Replication Topology rights is a bit much but that is partially the AD team's issue because of how they designed the perms for that or at least exposed the perms for that. Because Exchange feels it OWNS the directory (heck it came from Exchange so they should own it huh?) they feel that it is fine that they get any and all perms into it and surrounding it. I don't think I have seen an LDAP Query yet that I would consider good. Usually there is a caveat that it shouldn't have many records to choose from *most of the time*. All basic things that they should be able to tweak whether prior to the forest prep or after, they are things that they could change and MS should be able to support if they had a stronger understanding of how it all worked within PSS.

I think one thing that might help with dev work around MS would be to take away admin rights from all of the developers. Make them work as non-admins and figure out how to do things when you aren't god on a system. I would expect their designs would change radically.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Thursday, August 28, 2003 12:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Brian,

Thanks for this. This is a step in the right direction. And, to me at least, this proves that the Exchange architects and developers _ARE_ capable of learning and listening - I just question that they are really applying the effort in the right areas.

Until I see some real improvement in the ACE/ACL/Delegation methodology, I'm still really skeptical that they get it at all.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Narkinsky, Brian
Sent: Thursday, August 28, 2003 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Not an E2K answer but in E2K3 there is a WMI method to do this.

http://msdn.microsoft.com/library/default.asp?url=
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Not an E2K answer but in E2K3 there is a WMI method to do this.

http://msdn.microsoft.com/library/default.asp?url=

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 8:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

We have MCS and MSPSS Alliance Premier. I realize we have a large unusual non-homogeneous environment but we have encountered many who say it isn't a problem until they get into it and then realize the questions we ask aren't questions normally asked and that we don't just give out tons of rights and permissions to anyone who needs it.

I guess one I'll ask you right off is how do you reconnect a mailbox that was disconnected w/o using the GUI? I.E. Something scriptable in E2K. We have hundreds of thousands of users with mailboxes and many leave and come back and so forth. Any answer for any problem that involves the GUI is almost always immediately wrong. Yet, there is very little docs on how to do everything an E2K admin would have to do without using the GUI's to do it.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Wednesday, August 27, 2003 7:04 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

You're not looking under the right rocks for the Exchange talent then ;)

There is a significant percentage of "Exchange admins" out there that don't understand it, but there are some really, really sharp ones who understand it quite well.

Roger

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 6:23 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

H

Not sure I can stand behind that *best* statement without listing caveats until next April. Also I can't seem to find many people who really understand it other than when to toss the chicken bones around which I don't consider truly understanding. Most of the responses we get when asking questions like WHY about Exchange are responses of JUST BECAUSE or BECAUSE PSS SAYS SO.

Personally I kind of liked MSDOS and the built in BASIC Interpreter - Go Bill!. :op

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 11:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Scary part is that Exchange is still one of the best products Microsoft's ever put out. Just takes someone who really understands it to run it..

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Seems like someone invent a lotion or something to help with Exchange... I mean come on we have lotions for poison ivy and rashes and other nasty annoyances...

Hello Dr... I have a really nasty case of Exchange 2K, it really itches, can you help me out here?

:op

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 7:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

See, here's the part you don't get - I AM the Exchange admin.

I think the ratio was actually a bit higher - like 900 DL's to 1200 Users, or something close to that. I'm still cleaning up that mess, and that was two Exchange orgs ago!

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Thanks Brian. We knew about this, unfortunately doesn't help us right now. I would love to drop E2K and go to E2K3 as there are several supposed fixes, but we are too deep in now. Just the discussion of it scares our onsite MS people.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Narkinsky, Brian
Sent: Thursday, August 28, 2003 11:30 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Not an E2K answer but in E2K3 there is a WMI method to do this.

http://msdn.microsoft.com/library/default.asp?url=

-----Original Message-----
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 8:06 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

We have MCS and MSPSS Alliance Premier. I realize we have a large unusual non-homogeneous environment but we have encountered many who say it isn't a problem until they get into it and then realize the questions we ask aren't questions normally asked and that we don't just give out tons of rights and permissions to anyone who needs it.

I guess one I'll ask you right off is how do you reconnect a mailbox that was disconnected w/o using the GUI? I.E. Something scriptable in E2K. We have hundreds of thousands of users with mailboxes and many leave and come back and so forth. Any answer for any problem that involves the GUI is almost always immediately wrong. Yet, there is very little docs on how to do everything an E2K admin would have to do without using the GUI's to do it.
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
True enough, Roger. I won't in any way disagree that this was the case.

But, there have been some changes - rhetoric or not, I can't say. But, we were told in what is now a public transcript that the future database technology that would be first introduced in Yukon would be pervasive throughout the server line, and most prevalent in the AD database and the Exchange stores.

Granted - I know the issues with database technology and the limitations. Hence, one of the reasons that I am so interested to see the 'preview' release of the Longhorn code as the WinFS should be a telling factor as to how far they really do have to go.

Now, are there going to be derivations (hence structured, unstructured)? I suspect yes. Clearly, the EDB that is used for NTDS is similar but not the same as that used for Exchange.

And, do I think that exposing an interface such as what you describe for doing the work that we do would be unwelcome? In fact, I think that it would have over-whelming acceptance from the Professional maintainers such as ourselves - as long as there was the 'dumbified' interface for everyone else and for the one-off chores.

To say the least (as if it's not always) the next few years are going to be very interesting as these products develop.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 2:34 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

The actual prognostication I heard at a Windows NT5 preview (pick your date based on *that* statement) was that we'd have two data stores - one for structured (i.e. SQL) data and the other for unstructured (i.e. email, files, etc) data.

So, the idea was that NTFS (version ??) would handle email storage. Think of what's out there with RIS today for SIS in a file tree - but on a full filesystem scale.

There's a performance penalty, quite significantly so, for variable length fields, in databases. At some point, the system bus speeds will stop being the bottlenecks, and they'll have to consider issues like in building data stores.

The published information has led me to believe that it's more a data storage strategy rather than a product. I also think that there's a difference between the front end and back end technologies, and significant benefits to be had from building a unified front end to distinct back ends.

I mean, can you imagine build your own folders??

    select mailfrom, subject, date, size from email_messages where mailfrom = [EMAIL PROTECTED]

Or would that be:

    delete from email_messages where mailfrom = [EMAIL PROTECTED]...

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Well, let's be a bit cautious on that statement. What I understand to be the case is that: (and this is widely publicized - I was put under severe NDA - then Bill Gates talked about it 1 day after I was threatened within an inch of my life.)

Microsoft has this new, cool DB technology that is being used in:

* Yukon - the next version of SQL Server
* Longhorn Client for the file system (WinFS)
* Future server versions for AD database (Longhorn server, Blackcomb - you figure it out)
* Future versions of Exchange for store database
* etc, etc, etc.

Now, one might think that this is all really surprising and a sweeping change. And, by some rights, it is. But, if you take a look at the store and AD (ntds) database today - they're very much the same; and strikingly similar to SQL 2000. The big change is really the file system.

So, to say that Exchange is going to be based on SQL, yeah, that's pretty much true. But, then, so will AD, and WinFS - but SQL will be based on a base technology that is shared amongst the entire server family.

I haven't had the DBAs over lately trying to convince upper management that they own Exchange or AD - and that's not likely to happen in the next iteration, either.

Do I think that you need to get to know Yukon (which will likely be the first PUBLICLY available (not beta, not preview) code of the next gen database, um. Yeah. That might be a really good idea.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Costanzo, Ray
Sent: Tuesday, August 26, 2003 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Darn that Bill... I guess he didn't sign the NDA...

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Tuesday, August 26, 2003 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Well, let's be a bit cautious on that statement. What I understand to be the case is that: (and this is widely publicized - I was put under severe NDA - then Bill Gates talked about it 1 day after I was threatened within an inch of my life.)

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Well isn't NTFS or really any file system really a simple database?

The way it is looking to me is not so much SQL everywhere! but WinFS everywhere!. And WinFS has borrowed heavily from SQL technology. Not sure I am using WinFS right here maybe... WinFS is just the CIFS/SMB/drive letter interface to this new technology. But I am calling this new technology WinFS for now.

The question to me is how will the systems really look? I mean will WinFS simply be an NTFS partition with a Database on it? That is basically a SQL database. Or will WinFS basically be a partition with no NTFS. That is a file system unto itself.

Brian

-----Original Message-----
From: Roger Seielstad [mailto:[EMAIL PROTECTED]
Sent: Wednesday, August 27, 2003 7:00 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

It's absolutely going to be a fun ride, that's for sure. I'm VERY interested in seeing how they choose to overcome the inherent limitations in the structured vs. unstructured debate.

I'm starting to be of the opinion that structured data storage is going the way of the dodo - again because of increases in raw horsepower, the speed benefit provided by structured storage might no longer be worth the distinction.

That being said, technically NTFS IS structured storage - I burn a cluster no matter how small the amount of data being stored. So that begs the questions of can we make everything fit into a reasonable structured storage model? (answer is obviously yes) and Can we make the structure modifiable? (I'd assume yes).

The latter question is akin to saying Can we make hard drive clusters in different sizes? That's been done for 20+ years, IIRC. So maybe the future engine is SQL server with variable page sizes rather than fixed 8k pages. Maybe going as far as different page sizes per database - where a database could be a file system or anything else for that matter.

Interesting indeed.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-----Original Message-----
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 6:15 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

True enough, Roger. I won't in any way disagree that this was the case.

But, there have been some changes - rhetoric or not, I can't say. But, we were told in what is now a public transcript that the future database technology that would be first introduced in Yukon would be pervasive throughout the server line, and most prevalent in the AD database and the Exchange stores.

Granted - I know the issues with database technology and the limitations. Hence, one of the reasons that I am so interested to see the 'preview' release of the Longhorn code as the WinFS should be a telling factor as to how far they really do have to go.

Now, are there going to be derivations (hence structured, unstructured)? I suspect yes. Clearly, the EDB that is used for NTDS is similar but not the same as that used for Exchange.

And, do I think that exposing an interface such as what you describe for doing the work that we do would be unwelcome? In fact, I think that it would have over-whelming acceptance from the Professional maintainers such as ourselves - as long as there was the 'dumbified' interface for everyone else and for the one-off chores.

To say the least (as if it's not always) the next few years are going to be very interesting as these products develop.
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Seems like someone invent a lotion or something to help with Exchange... I mean come on we have lotions for poison ivy and rashes and other nasty annoyances... Hello Dr... I have a really nasty case of Exchange 2K, it really itches, can you help me out here? :op

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 7:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

See, here's the part you don't get - I AM the Exchange admin. I think the ratio was actually a bit higher - like 900 DL's to 1200 Users, or something close to that. I'm still cleaning up that mess, and that was two Exchange orgs ago!

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Roger! Hah! Got you beat! We've got exactly two Dist Groups PER USER! And, 90% of them are Unis! Our Exchange Admins are just THAT good! (I finally outdid Roger on something!) Yes - this is completely all tongue Firmly in Cheek

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, August 25, 2003 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

You don't have Ex Dist Groups?? At one point I had 1 DL for every 1.25 users.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups. There seems to be one case that E5.5 does have them and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Are you going to be upgrading an existing Exchange organization? If so, what are you planning to do with all of the UDGs/USGs that the ADC wants to create?

Hunter

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

What do you mean by "I just can't imagine all of the explicit grants."? Is this an Exchange reference. If so, block out Exchange, they didn't know what they were doing when they wrote that application. Bad bad example of an AD application. We may actually have to cave and create a couple of mail enabled Uni groups for some stupid security stuff in Exchange. We asked why we can't use DLG's and they said you just can't (I love those technical explanations out of the Exchange Support and Dev groups). Then at one point a mistake was made and it was said that Globals would probably work which meant that DLG's would work as well and smashed their argument for Uni's at which point I attacked and then they recanted and it was no no no only Uni's will work. Problem is, I don't think there are many people if any that understand that P.O.S..

As for the chasing perms. If you use all DLG's you know that all NTNative Security uses of the group are within the one domain (you can do some tricks if you have your own security system). So if you have say the whole world and you get asked by the security group where could this group have permissions at you can say, only on machines within this domain versus
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
See! You're just that good! :P

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

P.S. Wow - that number just struck me - 900 DLs to 1200 users. Ouch!

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 6:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

See, here's the part you don't get - I AM the Exchange admin. I think the ratio was actually a bit higher - like 900 DL's to 1200 Users, or something close to that. I'm still cleaning up that mess, and that was two Exchange orgs ago!

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Roger! Hah! Got you beat! We've got exactly two Dist Groups PER USER! And, 90% of them are Unis! Our Exchange Admins are just THAT good! (I finally outdid Roger on something!) Yes - this is completely all tongue Firmly in Cheek

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, August 25, 2003 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

You don't have Ex Dist Groups?? At one point I had 1 DL for every 1.25 users.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups. There seems to be one case that E5.5 does have them and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Are you going to be upgrading an existing Exchange organization? If so, what are you planning to do with all of the UDGs/USGs that the ADC wants to create?

Hunter

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

What do you mean by "I just can't imagine all of the explicit grants."? Is this an Exchange reference. If so, block out Exchange, they didn't know what they were doing when they wrote that application. Bad bad example of an AD application. We may actually have to cave and create a couple of mail enabled Uni groups for some stupid security stuff in Exchange. We asked why we can't use DLG's and they said you just can't (I love those technical explanations out of the Exchange Support and Dev groups). Then at one point a mistake was made and it was said that Globals would probably work which meant that DLG's would work as well and smashed their argument for Uni's at which point I attacked and then they recanted and it was no no no only Uni's will work. Problem is, I don't think there are many people if any that understand that P.O.S..

As for the chasing perms. If you use all DLG's you know that all NTNative Security uses of the group are within the one domain (you can do some tricks if you have your own security system). So if you have say the whole world and you get asked by the security group where could this group have permissions at you can say, only on machines within this domain versus, well any machine in any of these 9 domains (meaning hundreds of thousands of machines).

With W2K3 we will probably end up looking at Uni's again because at least the replication piece is better but I really do not see the purpose in replicating member i
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Let's not forget about SQL Server here, which will replace Exchange.

Ray at work

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]

Scary part is that Exchange is still one of the best products Microsoft's ever put out. Just takes someone who really understands it to run it..

**
The information contained in this e-mail message is intended only for the personal and confidential use of the recipient(s) named above. Distribution, publication, or retransmission of this message is strictly prohibited. This message may be a bank to client communication and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail, and delete the original message. The sender of this e-mail specifically opts-out of the Electronic Signatures and Global and National Commerce Act (E-Sign) and any and all similar state and federal acts. Accordingly, but without limitation, any and all documents, contracts, and agreements must contain a handwritten signature of the sender to be legal, valid, and enforceable.
**

List info : http://www.activedir.org/mail_list.htm
List FAQ: http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Well, let's be a bit cautious on that statement. What I understand to be the case is that: (and this is widely publicized - I was put under severe NDA - then Bill Gates talked about it 1 day after I was threatened within an inch of my life.)

Microsoft has this new, cool DB technology that is being used in:

* Yukon - the next version of SQL Server
* Longhorn Client for the file system (WinFS)
* Future server versions for AD database (Longhorn server, Blackcomb - you figure it out)
* Future versions of Exchange for store database
* etc, etc, etc.

Now, one might think that this is all really surprising and a sweeping change. And, by some rights, it is. But, if you take a look at the store and AD (ntds) database today - they're very much the same; and strikingly similar to SQL 2000. The big change is really the file system.

So, to say that Exchange is going to be based on SQL, yeah, that's pretty much true. But, then, so will AD, and WinFS - but SQL will be based on a base technology that is shared amongst the entire server family. I haven't had the DBAs over lately trying to convince upper management that they own Exchange or AD - and that's not likely to happen in the next iteration, either.

Do I think that you need to get to know Yukon (which will likely be the first PUBLICLY available (not beta, not preview) code of the next gen database, um. Yeah. That might be a really good idea.

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Costanzo, Ray
Sent: Tuesday, August 26, 2003 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Let's not forget about SQL Server here, which will replace Exchange.
Ray at work

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]

Scary part is that Exchange is still one of the best products Microsoft's ever put out. Just takes someone who really understands it to run it..
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Wow ... Didn't know my original question was so deep! :)

Brian

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 2:29 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Well, let's be a bit cautious on that statement. What I understand to be the case is that: (and this is widely publicized - I was put under severe NDA - then Bill Gates talked about it 1 day after I was threatened within an inch of my life.)

Microsoft has this new, cool DB technology that is being used in:

* Yukon - the next version of SQL Server
* Longhorn Client for the file system (WinFS)
* Future server versions for AD database (Longhorn server, Blackcomb - you figure it out)
* Future versions of Exchange for store database
* etc, etc, etc.

Now, one might think that this is all really surprising and a sweeping change. And, by some rights, it is. But, if you take a look at the store and AD (ntds) database today - they're very much the same; and strikingly similar to SQL 2000. The big change is really the file system.

So, to say that Exchange is going to be based on SQL, yeah, that's pretty much true. But, then, so will AD, and WinFS - but SQL will be based on a base technology that is shared amongst the entire server family. I haven't had the DBAs over lately trying to convince upper management that they own Exchange or AD - and that's not likely to happen in the next iteration, either.

Do I think that you need to get to know Yukon (which will likely be the first PUBLICLY available (not beta, not preview) code of the next gen database, um. Yeah. That might be a really good idea.
Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Costanzo, Ray
Sent: Tuesday, August 26, 2003 11:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Let's not forget about SQL Server here, which will replace Exchange.

Ray at work

-Original Message-
From: Roger Seielstad [mailto:[EMAIL PROTECTED]

Scary part is that Exchange is still one of the best products Microsoft's ever put out. Just takes someone who really understands it to run it..
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
H Not sure I can stand behind that *best* statement without listing caveats until next April. Also I can't seem to find many people who really understand it other than when to toss the chicken bones around which I don't consider truly understanding. Most of the responses we get when asking questions like WHY about Exchange are responses of JUST BECAUSE or BECAUSE PSS SAYS SO. Personally I kind of liked MSDOS and the built in BASIC Interpreter - Go Bill!. :op

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 11:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Scary part is that Exchange is still one of the best products Microsoft's ever put out. Just takes someone who really understands it to run it..

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Tuesday, August 26, 2003 8:15 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Seems like someone invent a lotion or something to help with Exchange... I mean come on we have lotions for poison ivy and rashes and other nasty annoyances... Hello Dr... I have a really nasty case of Exchange 2K, it really itches, can you help me out here? :op

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Tuesday, August 26, 2003 7:12 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

See, here's the part you don't get - I AM the Exchange admin. I think the ratio was actually a bit higher - like 900 DL's to 1200 Users, or something close to that. I'm still cleaning up that mess, and that was two Exchange orgs ago!

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Rick Kingslan [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 5:30 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Roger! Hah! Got you beat! We've got exactly two Dist Groups PER USER! And, 90% of them are Unis! Our Exchange Admins are just THAT good! (I finally outdid Roger on something!) Yes - this is completely all tongue Firmly in Cheek

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, August 25, 2003 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

You don't have Ex Dist Groups?? At one point I had 1 DL for every 1.25 users.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups. There seems to be one case that E5.5 does have them and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Are you going to be upgrading an existing Exchange organization? If so, what are you planning to do
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups. There seems to be one case that E5.5 does have them and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Are you going to be upgrading an existing Exchange organization? If so, what are you planning to do with all of the UDGs/USGs that the ADC wants to create?

Hunter

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

What do you mean by "I just can't imagine all of the explicit grants."? Is this an Exchange reference. If so, block out Exchange, they didn't know what they were doing when they wrote that application. Bad bad example of an AD application. We may actually have to cave and create a couple of mail enabled Uni groups for some stupid security stuff in Exchange. We asked why we can't use DLG's and they said you just can't (I love those technical explanations out of the Exchange Support and Dev groups). Then at one point a mistake was made and it was said that Globals would probably work which meant that DLG's would work as well and smashed their argument for Uni's at which point I attacked and then they recanted and it was no no no only Uni's will work. Problem is, I don't think there are many people if any that understand that P.O.S..

As for the chasing perms. If you use all DLG's you know that all NTNative Security uses of the group are within the one domain (you can do some tricks if you have your own security system). So if you have say the whole world and you get asked by the security group where could this group have permissions at you can say, only on machines within this domain versus, well any machine in any of these 9 domains (meaning hundreds of thousands of machines).

With W2K3 we will probably end up looking at Uni's again because at least the replication piece is better but I really do not see the purpose in replicating member information for a group that is used in one site in say Arizona to the entire world. Also if you have tens of thousands of groups like we do and those groups see lots and lots of daily membership changes which they do (one site I talked to processed at least 1500 individual group changes a normal business day) that is a lot of replication of a lot of data that doesn't need to be used anywhere but in one site.

Also when I mention the denys it is only on AD (excluding the Exchange container in the config partition) that I am speaking for because I am the one that controls that security. File systems and other ACL's on resources directly can be set with anything the local person in charge wants to do. If they call me asking me for help though the first thing I do is ixnay on the deny's if they are doing it for silly reasons. Most people tend to hurt themselves more than help themselves with deny's. And deny's in AD are not fun to work through. Also misordered ACL's with denies is fun too... No one would do that on purpose would they... oh wait...

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Sunday, August 17, 2003 11:43 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

Hmmm. Well, I guess whatever works for you. I just know that I have a heck of a time with UPN resolution taking a long time with our IOCs - yes, some are in their own forest with Trusts. But, I just can't imagine all of the explicit grants. Maybe I'm just a bit backward but I haven't really found it all that tough to track any one user's permission and membership trail to the point where I wouldn't want a Global group managing the cross domain 'collection' of users. And, the only denies that I have are on IIS servers. I don't know of another deny in our entire structure. But, then - you're dealing with something that, as I remember - is about 7 times as large as mine. But, then, I am the guy who forgot that DC Administrators group and a member server local Administrators group weren't actually the same thing. So, what do I know ;-)

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP -
RE: [ActiveDir] Add junior admin to Local workstations admin grou p
Roger! Hah! Got you beat! We've got exactly two Dist Groups PER USER! And, 90% of them are Unis! Our Exchange Admins are just THAT good! (I finally outdid Roger on something!) Yes - this is completely all tongue Firmly in Cheek

Rick Kingslan MCSE, MCSA, MCT
Microsoft MVP - Active Directory
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Roger Seielstad
Sent: Monday, August 25, 2003 4:06 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

You don't have Ex Dist Groups?? At one point I had 1 DL for every 1.25 users.

--
Roger D. Seielstad - MTS MCSE MS-MVP
Sr. Systems Administrator
Inovis Inc.

-Original Message-
From: Joe [mailto:[EMAIL PROTECTED]
Sent: Monday, August 25, 2003 4:41 PM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

We don't let the ADC create groups. Our 5.5 Architecture doesn't really use Dist Groups. There seems to be one case that E5.5 does have them and it appears from conversations today that we will have to create two Universal D/S Groups used to manage two groups of conference rooms. It seems that PSS will not support use of DLG's and have no clue what could happen if they were used.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Coleman, Hunter
Sent: Monday, August 25, 2003 10:26 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin grou p

Are you going to be upgrading an existing Exchange organization? If so, what are you planning to do with all of the UDGs/USGs that the ADC wants to create?

Hunter

From: Joe [mailto:[EMAIL PROTECTED]
Sent: Saturday, August 23, 2003 9:13 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] Add junior admin to Local workstations admin group

What do you mean by "I just can't imagine all of the explicit grants."? Is this an Exchange reference. If so, block out Exchange, they didn't know what they were doing when they wrote that application. Bad bad example of an AD application. We may actually have to cave and create a couple of mail enabled Uni groups for some stupid security stuff in Exchange. We asked why we can't use DLG's and they said you just can't (I love those technical explanations out of the Exchange Support and Dev groups). Then at one point a mistake was made and it was said that Globals would probably work which meant that DLG's would work as well and smashed their argument for Uni's at which point I attacked and then they recanted and it was no no no only Uni's will work. Problem is, I don't think there are many people if any that understand that P.O.S..

As for the chasing perms. If you use all DLG's you know that all NTNative Security uses of the group are within the one domain (you can do some tricks if you have your own security system). So if you have say the whole world and you get asked by the security group where could this group have permissions at you can say, only on machines within this domain versus, well any machine in any of these 9 domains (meaning hundreds of thousands of machines).

With W2K3 we will probably end up looking at Uni's again because at least the replication piece is better but I really do not see the purpose in replicating member information for a group that is used in one site in say Arizona to the entire world. Also if you have tens of thousands of groups like we do and those groups see lots and lots of daily membership changes which they do (one site I talked to processed at least 1500 individual group changes a normal business day) that is a lot of replication of a lot of data that doesn't need to be used anywhere but in one site.

Also when I mention the denys it is only on AD (excluding the Exchange container in the config partition) that I am speaking for because I am the one that controls that security. File systems and other ACL's on resources directly can be set with anything the local person in charge wants to do. If they call me asking me for help though the first thing I do is ixnay on the deny's if they are doing it for silly reasons. Most people tend to hurt themselves more than help themselves with deny's. And deny's in AD are not fun to work through. Also misordered ACL's with denies is fun too... No one would do that on purpose would they... oh wait...

joe

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL