Subject: [ActiveDir] When you change group scopes by using a combination of the Dsquery command
sbradcpa
09/23/2005 12:38 PM
When you change group scopes by using a combination of the Dsquery
command and the Dsmod command, all the group types are changed to either
distribution groups or security groups on a Windows Server 2003-based
computer:

http://support.microsoft.com/?kbid=898063

--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
listmail (joe)
09/23/2005 5:52 AM
That is why ADMOD doesn't currently support a group scope type of switch
along with other bitwise type ops (such as disable, etc). There are
difficulties as you will see below.

I expect the fix for this is probably pretty inefficient and could be quite
slow if updating a lot of objects; my guess is that it does a lookup on
every object prior to updating it to get the current value. There is no other
way to really do it, so this means two calls for every update. A more efficient way
would be to create a query that picks out the NT security enabled groups and
changes their scope and then do it again for non NT security enabled groups.
Of course you would have to use the older un-fixed version of dsmod or use
admod.

As an aside, I dislike the use of the word distribution groups and security
groups because both could be used for either. Any group can be a
distribution group, the groups are simply NT security enabled or not NT
security enabled.

joe


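An added example, not code from the thread or from the dsmod/admod tools, that models the groupType bitmask the posters are arguing about: a scope change that rewrites the whole attribute value drops the security-enabled flag (one way to produce the symptom the KB describes), a change that masks only the scope bits keeps it, and joe's two-pass approach needs just one LDAP filter and one constant target per pass instead of a read before every write. The bit values and the bitwise-AND matching rule OID are the documented Active Directory ones; the function names are assumptions of this example.

```python
# Assumed helper code for the groupType discussion above (added example).
GROUP_TYPE_GLOBAL = 0x00000002          # "account" group, global scope
GROUP_TYPE_DOMAIN_LOCAL = 0x00000004    # "resource" group, domain local scope
GROUP_TYPE_UNIVERSAL = 0x00000008
GROUP_TYPE_SECURITY_ENABLED = 0x80000000  # joe's "NT security enabled" bit
SCOPE_MASK = GROUP_TYPE_GLOBAL | GROUP_TYPE_DOMAIN_LOCAL | GROUP_TYPE_UNIVERSAL
SCOPES = {"g": GROUP_TYPE_GLOBAL, "l": GROUP_TYPE_DOMAIN_LOCAL, "u": GROUP_TYPE_UNIVERSAL}

# LDAP_MATCHING_RULE_BIT_AND: lets an LDAP filter test individual groupType bits.
BIT_AND = "1.2.840.113556.1.4.803"


def to_unsigned(value):
    """AD stores groupType as a signed 32-bit integer; normalise it to unsigned."""
    return value & 0xFFFFFFFF


def to_signed(value):
    """Convert back to the signed form seen in LDAP results and dsquery output."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def is_security_enabled(group_type):
    """True when the group's SID can be placed in a token (a 'security group')."""
    return bool(to_unsigned(group_type) & GROUP_TYPE_SECURITY_ENABLED)


def change_scope_naive(group_type, scope):
    """Buggy variant (constructed): replaces the whole value with the scope bit,
    so every group silently becomes a distribution group."""
    return to_signed(SCOPES[scope])


def change_scope(group_type, scope):
    """Correct variant: swap only the scope bits; all other flags survive."""
    current = to_unsigned(group_type)
    return to_signed((current & ~SCOPE_MASK) | SCOPES[scope])


def two_pass_plan(scope):
    """Joe's approach: one filter plus one constant target value per pass, so no
    per-object read is needed. Returns [(ldap_filter, new_groupType), ...]."""
    sec = f"(&(objectClass=group)(groupType:{BIT_AND}:={GROUP_TYPE_SECURITY_ENABLED}))"
    dist = f"(&(objectClass=group)(!(groupType:{BIT_AND}:={GROUP_TYPE_SECURITY_ENABLED})))"
    return [(sec, to_signed(SCOPES[scope] | GROUP_TYPE_SECURITY_ENABLED)),
            (dist, to_signed(SCOPES[scope]))]
```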
deji
09/23/2005 6:19 AM
>>>As an aside, I dislike the use of the word distribution groups and
security groups because both could be used for either. Any group can be a
distribution group, the groups are simply NT security enabled or not NT
security enabled.

Which is why you need to distinguish between them. "Non-NT Security Enabled
Group" does not sound as logical as "Distribution Group", especially since
the primary use of such groups is distributing emails. In the same vein, "NT
Security Enabled Group" is less sexy than simply saying "Security Group",
again since the primary use of such group is in the
security/permissioning/delegation space, although it could serve the
"distributing" purposes too, as you mentioned.

I take "both could be used for either" to actually mean "both could be used
for DISTRIBUTION" since they are both technically not equally
interchangeable, as you clarified in your email.


Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCP+I
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon

listmail (joe)
09/23/2005 6:59 AM
Slight mod to this sentence:

especially since the CURRENT primary use of such groups THAT WE ARE FAMILIAR
WITH is distributing emails.

I am seeing more and more use of these non-NT Security enabled groups in
functions other than email delivery.

And for this:

> I take "both could be used for either" to actually mean "both could be
> used for DISTRIBUTION" since they are both technically not equally
> interchangeable, as you clarified in your email.

Both can be used for distribution, both can be used for security; however,
both cannot be used for "NT Security" when there is a dependency on the SID
being placed in the token of the user to initiate the secured response.

I was watching UNIX based apps and even one Windows based app using AD
non-NT Security enabled groups for security several years ago. It makes a
ton of sense since you don't have the concern of token bloat due to SIDs.
For an application-based security environment I think it makes far more
sense than, for instance, checking for a control access right on an object
based on the SID in the token. Look around at how much trouble people have
dealing with SIDs in comparison to a DN.

All of the SID stuff is very Windows-centric for a directory that is pushing
to be the centerpiece of a multiple platform SSO enabler. If I am sitting on
a UNIX box and I need to determine who has access to some aspect of the
system am I going to use a SID? How hard is it to chase that back to a
unique principal, think of what the procedure needs to be to chase that down
for an OS that can natively resolve it. Also consider the length of time it
can take to resolve SIDs on an OS that can natively resolve it, ever sit
there waiting for SIDs to turn into names? Consider SID resolution has to go
through objectsid for an entire forest, then sidHistory, and then chase into
every trusted realm that isn't part of the forest. It is pretty complicated.
Now bring into the picture ADAM SIDs as well which don't resolve so well
with the native interfaces...

Of course the thing that makes this a bit painful is the whole resolving of
full group membership for a given user across a forest or multiple forests.
It is less painful now that the QP knows how to use the implicit
indexes of the linked attributes, but still not as easy as it might be.

I totally disagree that anything from .NET is the global answer to this.
Forcing that to be the answer really closes down the answer to the Windows
world which already has an answer, SIDs and NT Security.

joe
