RE: Mac and Windows mix

2010-09-08 Thread De Williman, Shih
Yes, and if you are the sole sysadmin that makes changes to WGM/policies & are 
diligent about tracking your changes, super. In an enterprise environment 
there's no central reporting feature with WGM. One can utilize mcxquery to 
find out what policies are applied to the client but that would have to be done 
locally/polled into a syslog. Very inefficient, IMHO. 

For something as simple as dropping a file on a desktop, or, as is currently 
being discussed on the OS X Server forum, changing file associations, extensive 
scripting is involved. Again, this goes to show that there's very little development 
effort made by Apple in the enterprise arena to facilitate central mgmt of 
their machines/OS.  

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Wednesday, September 08, 2010 5:05 AM
To: NT System Admin Issues
Subject: RE: Mac and Windows mix

I think sdewilliman is saying that there is no modelling capability.

GPMC lets you pick a user, a computer and an AD site, and dynamically layers 
all the policies at all levels that will affect the user, and gives you the 
resulting effective settings (after group filtering, WMI filtering etc). The 
advanced GPM also lets you do check-in/check-out, versioning control, workflow 
etc.

Cheers
Ken

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org] 
Sent: Wednesday, 8 September 2010 2:21 PM
To: NT System Admin Issues
Subject: Re: Mac and Windows mix

Perhaps I'm misunderstanding: Isn't that exactly what Workgroup Manager does in 
Open Directory? There are plenty of settings which can be applied to individual 
Macs, users, user groups and computer groups.

- Original Message -
From: sdewilliman
[mailto:sdewilli...@g2.com]
To: NT System Admin Issues
[mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Tue, 07 Sep 2010
17:41:34 -0700
Subject: Re: Mac and Windows mix


> Precisely, with OD/WGM there's no central mgmt console whereby an 
> admin can tell which/what policy is applied to what group. 
> Administration easily becomes a nightmare without 3rd party mgmt 
> software such as Centrify.


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin


~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~   ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin



RE: Mac and Windows mix

2010-09-08 Thread De Williman, Shih
I believe WGM _can_ manage unbound machines, provided that you first import 
them into WGM (Matt can correct if this is misinfo since we modified AD schema 
& leverage AD/WGM to manage users). Even then, that in itself, whether you do 
it in a strictly OD environment or Magic Triangle, is a pain without a third 
party utility like Passenger. 



-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Wednesday, September 08, 2010 6:16 AM
To: NT System Admin Issues
Subject: RE: Mac and Windows mix

Question: how does one bring a Mac under scope of management of WGM?

For AD - the machine has to be joined to the domain. For Macs?

Cheers
Ken

-Original Message-
From: Ken Schaefer [mailto:k...@adopenstatic.com] 
Sent: Wednesday, 8 September 2010 5:05 PM
To: NT System Admin Issues
Subject: RE: Mac and Windows mix

I think sdewilliman is saying that there is no modelling capability.

GPMC lets you pick a user, a computer and an AD site, and dynamically layers 
all the policies at all levels that will affect the user, and gives you the 
resulting effective settings (after group filtering, WMI filtering etc). The 
advanced GPM also lets you do check-in/check-out, versioning control, workflow 
etc.

Cheers
Ken

-Original Message-
From: Matthew W. Ross [mailto:mr...@ephrataschools.org]
Sent: Wednesday, 8 September 2010 2:21 PM
To: NT System Admin Issues
Subject: Re: Mac and Windows mix

Perhaps I'm misunderstanding: Isn't that exactly what Workgroup Manager does in 
Open Directory? There are plenty of settings which can be applied to individual 
Macs, users, user groups and computer groups.

- Original Message -
From: sdewilliman
[mailto:sdewilli...@g2.com]
To: NT System Admin Issues
[mailto:ntsysad...@lyris.sunbelt-software.com]
Sent: Tue, 07 Sep 2010
17:41:34 -0700
Subject: Re: Mac and Windows mix


> Precisely, with OD/WGM there's no central mgmt console whereby an 
> admin can tell which/what policy is applied to what group.
> Administration easily becomes a nightmare without 3rd party mgmt 
> software such as Centrify.





RE: Cannot update schema to 2008 Mini Hijack

2010-08-18 Thread De Williman, Shih
ExtremeZ-IP

 

From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Wednesday, August 18, 2010 5:47 PM
To: NT System Admin Issues
Subject: RE: Cannot update schema to 2008 Mini Hijack

 

Another caveat to this discussion: is there a replacement in Windows
2008 R2 for File Services for Macintosh?  Looks like M$ has nixed the
support for it. Is anyone using anything else for storage for your Mac
users within Windows Domains? (3rd party or otherwise?)

 

Z

 

Edward E. Ziots

CISSP, Network +, Security +

Network Engineer

Lifespan Organization

Email:ezi...@lifespan.org

Cell:401-639-3505

 

From: David Lum [mailto:david@nwea.org] 
Sent: Wednesday, August 18, 2010 5:38 PM
To: NT System Admin Issues
Subject: RE: Cannot update schema to 2008

 

One question: Does Windows Services for UNIX have any effect on 1)
Mac-accessible shares on Windows Servers and 2) Macs authenticating to
Active Directory? A cursory Google-fu makes me think no...

 

Dave

 

From: Brian Desmond [mailto:br...@briandesmond.com] 
Sent: Tuesday, August 17, 2010 2:19 PM
To: NT System Admin Issues
Subject: RE: Cannot update schema to 2008

 

I've heard from a couple of places stories of whatever Unix integration
package they're using automatically starting to use new SFU/Unix related
attributes when they were imported instead of the legacy ones and
everything blowing up because the attributes were subsequently blank.
I'd do some investigation into how your integration package works. 

 

Thanks,

Brian Desmond

br...@briandesmond.com

 

c   - 312.731.3132

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 17, 2010 2:22 PM
To: NT System Admin Issues
Subject: RE: Cannot update schema to 2008

 

Kind of what I was afraid of - problem is we have no clue if/what it'll
break. We have a fair number of 'nix machines talking to AD.

 

Thanks,

Dave

 

From: Michael B. Smith [mailto:mich...@smithcons.com] 
Sent: Tuesday, August 17, 2010 11:01 AM
To: NT System Admin Issues
Subject: RE: Cannot update schema to 2008

 

The answer from Paul_f_ at the very end looks appropriate to me.

 

Regards,

 

Michael B. Smith

Consultant and Exchange MVP

http://TheEssentialExchange.com

 

From: David Lum [mailto:david@nwea.org] 
Sent: Tuesday, August 17, 2010 1:45 PM
To: NT System Admin Issues
Subject: Cannot update schema to 2008

 

We are having this exact issue:

http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/7f9dae5b-5eb1-4f7a-b02a-20777db3f6ae

 

This guy had to call Microsoft to get it resolved - has anyone here
seen/had this issue upgrading to 2008 DC's?

David Lum // SYSTEMS ENGINEER 
NORTHWEST EVALUATION ASSOCIATION
(Desk) 971.222.1025 // (Cell) 503.267.9764


RE: File server structure and perms

2010-08-10 Thread De Williman, Shih
Does ABE work on shares or just the folders under the share? 

-Original Message-
From: Ziots, Edward [mailto:ezi...@lifespan.org] 
Sent: Tuesday, August 10, 2010 7:34 AM
To: NT System Admin Issues
Subject: RE: File server structure and perms

Have you had experience with Access Based Enumeration? You can set up one
master share, and unless you have NTFS permissions of read to the
directory underneath, the user doesn't even see the directory, which
means they wouldn't be able to read/write from it, and should solve the
problem. 

I do agree that it's a little more labor intensive, but you could set up
the structure, use Icacls.exe to back up the ACLs once in place (or
script it out) and if anything goes wrong, replay the ICACLS script to
set the permissions accordingly. 

I have done this on Windows 2003 R2, and am looking to make it the de facto
standard on Windows 2008 R2 (as soon as I plow through Minasi's most
excellent 2008 R2 book; if you don't have a copy, I would suggest you
get it).

Z

Edward E. Ziots
CISSP, Network +, Security +
Network Engineer
Lifespan Organization
Email:ezi...@lifespan.org
Cell:401-639-3505


-Original Message-
From: Charlie Kaiser [mailto:charl...@golden-eagle.org] 
Sent: Monday, August 09, 2010 10:47 PM
To: NT System Admin Issues
Subject: File server structure and perms

I've been tasked with setting up a file server structure for a client. SBS
2008. We normally set up Home, Shared, and Public. Client wants a completely
different paradigm. They want a master folder for each of their clients,
with subfolders below that which have varying permissions. So for example:

Client master folder
->test results
->notes
->estimates
->contracts

Each of the subfolders would have different perms; techs writing data to
test results would not have access to estimates, for example.

They also wish to have a template setup so that each time they add a client,
they can put this structure in place and have the appropriate permissions in
effect.

I don't see a simple way to do this. It looks to be highly IT-intensive,
which is not what we nor the client would like.

It almost sounds more like a SharePoint thing, although I have little
first-hand knowledge of SharePoint deployments.

Any suggestions?

Thanks!

***
Charlie Kaiser
charl...@golden-eagle.org
Kingman, AZ
***  
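
The per-client template discussed in this thread (fixed subfolders, explicit NTFS permissions on each, ACLs backed up with icacls) can be scripted so that adding a client is one command. This is an added PowerShell example, not code from any poster; the root path, backup path, domain and group names are hypothetical placeholders.

```powershell
# Added example: root path, domain and group names are hypothetical placeholders.
param(
    [Parameter(Mandatory = $true)] [string] $ClientName,
    [string] $Root      = 'D:\Clients',     # assumed parent folder of all client folders
    [string] $Domain    = 'EXAMPLE',        # placeholder NetBIOS domain name
    [string] $BackupDir = 'D:\AclBackups'   # keep ACL backups outside the shared tree
)

# Subfolder -> group -> icacls right (M = modify, RX = read and execute)
$template = @{
    'test results' = @{ 'Techs' = 'M';  'Managers' = 'RX' }
    'notes'        = @{ 'Techs' = 'M';  'Sales'    = 'M'  }
    'estimates'    = @{ 'Sales' = 'M';  'Managers' = 'RX' }
    'contracts'    = @{ 'Managers' = 'M' }
}

function Invoke-Icacls {
    # Run icacls and stop on the first failure instead of leaving a half-set ACL
    icacls @args | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed: $args" }
}

$clientPath = Join-Path $Root $ClientName
New-Item -ItemType Directory -Path $clientPath -Force | Out-Null

foreach ($folder in $template.Keys) {
    $path = Join-Path $clientPath $folder
    New-Item -ItemType Directory -Path $path -Force | Out-Null

    # Grant admins and SYSTEM first, then remove inherited ACEs so that only
    # the explicit grants on this subfolder decide who can see or open it.
    Invoke-Icacls $path /grant 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F'
    Invoke-Icacls $path /inheritance:r
    foreach ($group in $template[$folder].Keys) {
        $right = $template[$folder][$group]
        Invoke-Icacls $path /grant "${Domain}\${group}:(OI)(CI)$right"
    }
}

# Save the resulting ACLs. icacls stores paths relative to the parent folder,
# so a later restore is run against $Root:
#   icacls D:\Clients /restore D:\AclBackups\<client>.acl
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
Invoke-Icacls $clientPath /save (Join-Path $BackupDir "$ClientName.acl") /T /C
```

With Access Based Enumeration enabled on the master share, each user then sees only the subfolders their group was granted. The client folder itself keeps its inherited ACL, so the root needs a list/traverse grant for the groups involved.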



