Subject: [ActiveDir] AD Group Best Practices

hallerec

09/25/2008 9:37 PM  
Recently, I have seen some discussion about the empty forest
recommendation and how that has changed since the Windows 2000 days.

We are currently experiencing some paged pool memory shortages in our
Exchange environment. The usage was determined that the access token size
is consuming most of the memory. We really like groups - to the extent that
it is causing our memory issues.

Our group strategy is to put users in domain global groups. The DG
groups are put into universal groups. The UGs are assigned permissions.
Sometimes domain local groups are used also. This strategy has been in
place since we designed our Windows 2000 Active Directory environment.

I am wondering if this is still the best method of using groups in a
Windows 2003 domain. Any current links to group management best practices
would be appreciated. I am not looking at management tools - we have too
many of those already. I am looking at how best to assign users to groups.

We have an empty root with four child account domains.

Ernie Haller

Tony

09/25/2008 10:26 PM  
Hi Ernie

Have you read this whitepaper - it's an oldie but a goodie:

Addressing Problems Due to Access Token Limitation
<http://www.microsoft.com/downloads/details.aspx?FamilyID=22dd9251-0781-42e6-9346-89d577a3e74a&DisplayLang=en>

The whitepaper talks at some length about the causes of token bloat and
(apart from really obvious things such as SIDHistory) that these boil down
to how groups are used/abused in a given environment. In particular,
problems can arise from:

Large fan-out group structure

Deep nesting group structure

The following article indicates that domain local groups take up more space
inside the token (40 bytes) as opposed to in-domain global groups and
universal groups (8 bytes).

New resolution for problems with Kerberos authentication when users belong
to many groups
<http://support.microsoft.com/kb/327825>

There's also this one from the MS Exchange team blog, which I suspect is
more directly relevant to your situation.

Large Security Tokens and Kernel Memory Exhaustion
<http://msexchangeteam.com/archive/2005/12/28/416551.aspx>

The article suggests three things that might help reduce the token size:

1. Reduce the number of security groups to which each user belongs.
(duh)

2. Host Exchange servers in a different domain than the users who
connect to them.

3. Where possible, convert security groups to distribution groups.

Tony

h2bear@msn.com

09/26/2008 1:58 AM  
Here is a slightly more detailed calculation for token size.

1200 + 40*((# domain local groups)+(non-local universal groups)+(#SIDHistory entries)) + 8*((global groups)+(local universal groups))

As you can see, non-local universal groups can also increase the group size by the same amount as your domain local group. So if your universal groups come from your root domain, or if you have the majority of your universal groups in a separate child domain from where a large percentage of your user base is, the token size can be even larger.

Since you mentioned Exchange, here is another article that directly relates to Exchange and paged pool memory.

http://support.microsoft.com/kb/912376

Here is another useful tool for looking at groups: tokensz

http://technet.microsoft.com/en-us/library/cc757478.aspx



Hugh
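
The formula in the post above, applied to a nested group structure, as an added example that is not part of the original thread: it expands nested memberships, weights each group at 40 or 8 bytes as the formula does, and shows the same memberships costing very different token sizes depending on which domain holds the universal groups. The domain names, group names, counts and the 12000-byte limit are assumptions made for the illustration.

```python
"""Token size estimate using the formula quoted in the thread (added example)."""
from collections import Counter
from dataclasses import dataclass

TOKEN_OVERHEAD = 1200    # fixed term of the formula
WIDE_SID = 40            # domain local, non-local universal, SIDHistory entry
NARROW_SID = 8           # global, universal in the user's own domain
MAX_TOKEN_SIZE = 12000   # assumption: Server 2003-era default, not stated in the thread


@dataclass(frozen=True)
class Group:
    name: str
    scope: str               # "global", "universal" or "domain_local"
    domain: str
    member_of: tuple = ()    # names of the groups this group is nested in


def expand(direct, directory):
    """Return every group reachable from the direct memberships, nesting included."""
    seen, stack = set(), list(direct)
    while stack:
        name = stack.pop()
        if name in seen:     # also protects against circular nesting
            continue
        seen.add(name)
        stack.extend(directory[name].member_of)
    return {directory[name] for name in seen}


def estimate(user_domain, direct, directory, sid_history=0):
    """1200 + 40*(DL + non-local UG + SIDHistory) + 8*(GG + local UG)."""
    counts = Counter()
    for group in expand(direct, directory):
        if group.scope == "domain_local":
            counts["wide"] += 1
        elif group.scope == "universal" and group.domain != user_domain:
            counts["wide"] += 1
        elif group.scope in ("global", "universal"):
            counts["narrow"] += 1
        else:
            raise ValueError(f"unknown scope for {group.name}: {group.scope}")
    wide = counts["wide"] + sid_history
    size = TOKEN_OVERHEAD + WIDE_SID * wide + NARROW_SID * counts["narrow"]
    return {"wide": wide, "narrow": counts["narrow"],
            "bytes": size, "over_limit": size > MAX_TOKEN_SIZE}


def build_directory(n, universal_domain, user_domain="child1.example"):
    """Constructed sample: n global groups, each nested in its own universal
    group, every universal nested in UG_ALL, the first ten also in a DL group."""
    directory = {"UG_ALL": Group("UG_ALL", "universal", universal_domain)}
    for i in range(n):
        parents = ("UG_ALL", f"DL_{i}") if i < 10 else ("UG_ALL",)
        directory[f"UG_{i}"] = Group(f"UG_{i}", "universal", universal_domain, parents)
        directory[f"GG_{i}"] = Group(f"GG_{i}", "global", user_domain, (f"UG_{i}",))
        if i < 10:
            directory[f"DL_{i}"] = Group(f"DL_{i}", "domain_local", user_domain)
    return directory


def compare(n=250):
    """Same user, same memberships; only the home of the universal groups moves."""
    direct = [f"GG_{i}" for i in range(n)]
    layouts = (("universals in root domain", "root.example"),
               ("universals in user domain", "child1.example"))
    return {label: estimate("child1.example", direct,
                            build_directory(n, ug_domain), sid_history=1)
            for label, ug_domain in layouts}


if __name__ == "__main__":
    for label, result in compare().items():
        print(f"{label}: {result}")
```

The estimate is only as good as the formula it implements; tokensz, mentioned in the post above, is the tool named in the thread for looking at real tokens.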



listmail

09/26/2008 10:32 AM  
IMO, the UGLy[1] or whatever else it is called group strategy never was a
good viable solution in larger orgs even back in NT4 days. It is an attempt
at a half-breed between roles based and resource based and in the end you
either have a bazillion groups that really do nothing or you give out too
many permissions to people who don't need them or both.

My overall favorite strategy even though it is missing an element of
reporting is users go directly into machine local groups where the resources
are located at. Domain level groups are used for domain level resources such
as DFS, or AD perms, or distributed SQL apps or other distributed type
things. I want my groups as close to the resources as I can get them. Using
machine local groups for your resources on the machines gets away from the
token bloat issues and it also slows down the issues of... where the hell
does this group have permissions at? You know it is only on that one machine
so the scope is substantially reduced.

That being said, there is a horrible native issue with reporting back who
has access to what when you use machine level groups. Management is a trifle
more involved as well, as by default you have to connect to the machine in
question to make the modifications. Some people also don't know how to
delegate group management on member machines and think that you have to give
admin rights out to manage member machine groups. I have seen companies
though that have built these things right into their provisioning or group
management tools. I actually have had on a list of about 60 apps that I want
to build a solution for managing these member machine groups through AD. I
spent a couple years about 6-7 years ago working out little aspects of what
I think it should do, just need to spend the time and build it. Just because
the native OS tie-in of member groups to the domain is poor doesn't mean
someone else can't tie it together with an app.

Due to the issues with member local groups, people often fall back to a
system of resource based domain local groups which is my second favorite
type of deployment where the users go directly into domain local groups and
the domain local groups either go into machine local groups or go straight
onto the ACLs of the objects. I prefer the domain local groups go into
machine local groups though because it makes it easier for migration into
other domains/forests etc.

I rarely if ever recommend any kind of role based system with native groups
because people rarely define or manage the roles properly nor the
permissions that go behind the roles, it is a well this circle kind of fits
in this round hole so let's go with it... Then people get tossed into roles
because they are close to what they need though some percentage of the stuff
the group gives access to isn't needed by the person in question. It's an
80/20 permissioning system and I think security on resources should be
closer to 100% even if it is hard to maintain. If the security on the
resources wasn't important, it would just be set to authenticated users in
the first place.

joe


[1] Users into Globals, Globals into Locals, Locals get the permission


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



Marty1_0

09/29/2008 4:35 AM  
I thought the ugly thing (users into globals, globals into locals, locals
get the permission) was best practice by MS?

-Bart

listmail

09/29/2008 10:25 AM  
For Mom and Pop yes it is a recommended best practice, or was. Those are the
bread and butter of the MSFT deployments and what MSFT primarily targets...
But it isn't across the board for everyone. And recall best practices aren't
"this is best for everyone", they are this what we sort of recommend given
our experience for these specific cases. I have similar issues with the 2003
AD Deployment guide for disk layout. Works well to a certain size but then
just doesn't make sense. In fact I once polled 10 MSFT employees in
different areas on if they would deploy the disk guidance in the 2003 AD
Deployment guide. Out of all of them, most of which all did Enterprise class
work, they all scoffed at the idea. One guy gave the best answer of it
depends on the deployment I am looking at and my perf counter tests. Only
one MCS guy (and he was brand new in the job only 3 months and still no real
enterprise experience) said that he would deploy AD verbatim to the
Deployment guide.

It's why I specifically called out "larger orgs". There is very little
guidance from MSFT for larger orgs, the idea is that you call in consultants
who are supposed to know what they are doing and they can work out the best
deployment options for you with your specific environment, concerns, and
issues in mind. Most all of my experience with MSFT the last 12 years has
all been Enterprise, 35000 being about the smallest company I have worked
with for any real amount of time. Back on NT4 I was working in an
environment with almost 250,000 users and can tell you quite strongly UGLy
did not work well.

joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm



Marty1_0

09/29/2008 11:43 AM  
Agree on the fact a best practice is a recommendation... That's the
definition :-)
But the problem is that it's used as a reference in many cases.
I would like to know, in this particular case, when you could argue to not
use the best practice recommendation and which arguments can be used?
This really interests me as I sometimes work with people doing this stuff,
using MS recommendations all the way etc. believing that "best practice" is
the "rule" i.o. using it as a recommendation...

Thanks for your clear answer (as always)!
-Bart

danholme

09/29/2008 3:10 PM  
I'll pitch in here, with the early caveat that Joe and I have slightly
(though only slightly, I think) divergent perspectives on the issue.

The companies I work with (currently ranging 12k - 100k users) and those
that I touch are dealing a lot with group management right now because
of the need to get ahold of manageability of security, configuration,
etc. Groups are a cornerstone component of any management framework
because they can be used by so many apps & technologies (AD, NTFS, Group
Policy, SCCM...).

AD groups and the way they're used by some components (particularly LSA
and its bloody token; and IIS) are problematic. There are "hard
limits" (1024 groups in a Kerberos PAC; HTTP and IIS limits) and
'workaround-able' limits below that (200-300 groups, practically
speaking, before MaxTokenSize has to be raised). More problematic (as
Joe has pointed out in earlier notes in this thread) is the human
element. Joe highlights this issue, rightly. If you don't have a
framework (people, process & technology) to manage groups that supports
and enables and *enforces* your design, it will fail.

All that said, it is possible to 'do it right', even in large
enterprises (though perhaps not super-large forests, i.e. 100k+). I've
seen it happen and the benefits have been huge. One large (many 10s of
thousands users) insurance company saw manageability and compliance of
security skyrocket and their disk backup times plummet when they
implemented role-based access control. They love it. The clients I've
had that implemented it correctly love it. But it has to be done right
and, given the real limitations of the technology and the fallibility of
humans and process, you might find it's not right for some enterprises.

A couple of notes based on earlier posts to this thread. 1) I like
Joe's "use local groups" option if you can make it manageable. It will
not work for replicated (by Windows, e.g. DFS-R) resources, since the
replicated copies can't refer to SIDs on the other system; but it will
work with standalone servers and some third-party storage
infrastructures. 2) Global groups use the least space in the token, and
can raise the threshold at which you must increase the MaxTokenSize. I
know one company (single domain forest, of course) that migrated to an
almost entirely global group implementation for this reason. 3) One
thing about Exchange (mentioned earlier) that you really need to watch
out for are orphaned SIDs in ACEs. There are known issues about this.
When you give users permissions to shared mailboxes, public folders,
etc., and then delete those users, the orphaned ACE can cause (BIG)
problems. Role based management of Exchange resources can be hugely
helpful to avoid this problem.

I definitely recommend reading the tome on Group Management and Role
Based Management in the Windows Administration Resource Kit that was
released with Windows Server 2008. It's definitely not WS2008 specific.

I'll also do my best to follow this thread, but if I disappear don't
hesitate to poke me (dan the at intelliem dot top-level-commercial-domain)
and I'll hop back in.

Dan









From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den
Wyngaert
Sent: Monday, September 29, 2008 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Group Best Practices

Agree on the fact a best practice is a recommendation... That's the
definition :-)

But the problem is that it's used as a reference in many cases.

I would like to know, in this particular case, when you could argue to
not use the best practice recommendation and which arguments can be
used?

This really interests me as I sometimes work with people doing this
stuff, using MS recommendations all the way i.e. believing that "best
practice" is the "rule" i.o. using it as a recommendation...

Thanks for your clear answer (as always)!

-Bart

On Mon, Sep 29, 2008 at 4:20 PM, joe <listmail@joeware.net> wrote:

For Mom and Pop yes it is a recommended best practice, or was. Those are
the bread and butter of the MSFT deployments and what MSFT primarily
targets... But it isn't across the board for everyone. And all best
practices aren't "this is best for everyone", they are this is what we
sort of recommend given our experience for these specific cases. I have
similar issues with the 2003 Deployment guide for disk layout. Works
well to a certain size but then just doesn't make sense. In fact I once
polled 10 MSFT employees in different areas on if they would deploy the
disk guidance in the 2003 Deployment guide. Out of all of them, most
of which all did Enterprise class work, they all scoffed at the idea.
One guy gave the best answer of it depends on the deployment I am
looking at and my perf counter tests. Only one MCS guy (and he was brand
new in the job only 3 months and still no real enterprise experience)
said that he would deploy verbatim to the Deployment guide.

It's why I specifically called out "large orgs". There is very little
guidance from MSFT for large orgs, the idea is that you call in
consultants who are supposed to know what they are doing and they can
work out the best deployment options for you with your specific
environment, concerns, and issues in mind. Most all of my experience
with MSFT the last 12 years has all been Enterprise, 35000 being about
the smallest company I have worked with for any real amount of time.
Back on NT4 I was working in an environment with almost 250,000 users
and can tell you quite strongly UGLy did not work well.

joe

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3.htm

________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den
Wyngaert
Sent: Monday, September 29, 2008 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Group Best Practices

I thought the ugly thing (users into globals, globals into locals,
locals get the permission) was best practice by MS?

-Bart

On Fri, Sep 26, 2008 at 4:29 PM, joe <listmail@joeware.net> wrote:

IMO, the UGLy[1] or whatever else it is called group strategy never was
a good viable solution in large orgs even back in NT4 days. It is an
attempt at a half-breed between roles based and resource based and in
the end you either have a bazillion groups that really do nothing or you
give out too many permissions to people who don't need them or both.

My overall favorite strategy even though it is missing an element of
reporting is users go directly into machine local groups where the
resources are located at. Domain level groups are used for domain level
resources such as DFS, or AD perms, or distributed SQL apps or other
distributed type things. I want my groups as close to the resources as I
can get them. Using machine local groups for your resources on the
machines gets away from the token bloat issues and also slows down
the issues of... where the hell does this group have permissions at? You
know it is only on that one machine so the scope is substantially
reduced.

That being said, there is a horrible native issue with reporting back
who has access to what when you use machine level groups. Management is
a trifle more involved as well, as by default you have to connect to the
machine in question to make the modifications. Some people also don't
know how to delegate group management on member machines and think that
you have to give admin rights out to manage member machine groups. I
have seen companies though that have built these things right into the
provisioning or group management tools. I actually have had on a list of
about 60 apps that I want to build a solution for managing these member
machine groups through AD. I spent a couple years about 6-7 years ago
working out little aspects of what I think it should do, just need to
spend the time and build it. Just because the native OS tie-in of member
groups to the domain is poor doesn't mean someone else can't tie it
together with an app.

Due to the issues with member local groups, people often fall back to set
a system of resource based domain local groups which is my second
favorite type of deployment where the users go directly into domain
local groups and the domain local groups either go into machine local
groups or go straight onto the ACLs of the objects. I prefer the domain
local groups go into machine local groups though because it makes it
easier for migration into other domains/forests etc.

I rarely if ever recommend any kind of role based system with native
groups because people rarely define or manage the roles properly nor the
permissions that go behind the roles, it is a well this circle kind of
fits in this round hole so let's go with it... Then people get tossed
into roles because they are close to what they need though some
percentage of the stuff the group gets access to isn't needed by the
person in question. It's an 80/20 permissioning system and I think
security on resources should be close to 100% even if it is hard to
maintain. If the security on the resources wasn't important, it would
just be set to authenticated users in the first place.

joe

[1] Users into Globals, Globals into Locals, Locals get the permission

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3.htm

________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ernie Haller
Sent: Thursday, September 25, 2008 9:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Group Best Practices

Recently, I have seen some discussion about the empty forest
recommendation and how that has changed since the Windows 2000 days.

We are currently experiencing some paged pool memory shortages in
our Exchange environment. The usage was determined that the access
token size is consuming most of the memory. We really like groups - to
the extent that it is causing our memory issues.

Our group strategy is to put users in domain global groups. The DG
groups are put into universal groups. The UGs are assigned
permissions. Sometimes domain local groups are used also. This
strategy has been in place since we designed our Windows 2000
Active Directory environment.

I am wondering if this is still the best method of using groups in a
Windows 20003 domain. Any current links to group management best
practices would be appreciated. I am not looking at management tools -
we have too many of those already. I am looking at how best to assign
users to groups.

We have an empty root with four child account domains.

Ernie Haller
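
The token-size arithmetic behind two points in the post above (global groups cost the least token space, and a few hundred groups can force a MaxTokenSize increase), as an added example that is not part of the thread. It uses Microsoft's published estimate TokenSize = 1200 + 40d + 8s; the group names, domain names and counts are constructed, and the 1024 limit is the figure quoted in the post.

```python
"""Estimate Kerberos token size from nested group memberships (added example)."""
from dataclasses import dataclass

# Microsoft's published estimate, in bytes: TokenSize = 1200 + 40*d + 8*s
#   d = domain local groups + universal groups outside the account domain
#       + SIDs carried in SIDHistory
#   s = global groups + universal groups inside the account domain
BASE_OVERHEAD = 1200
COST_D = 40
COST_S = 8
DEFAULT_MAX_TOKEN_SIZE = 12000  # default on Windows 2000 SP2 through Server 2008 R2
SID_LIMIT = 1024                # hard limit as quoted in the post


@dataclass(frozen=True)
class Group:
    name: str
    scope: str   # "global", "universal" or "domain_local"
    domain: str


def expand_membership(direct, nested_in):
    """Return the direct groups plus every group reached through nesting.

    nested_in maps a group name to the groups that contain it.
    """
    seen = {}
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group.name in seen:
            continue  # already counted; also protects against nesting loops
        seen[group.name] = group
        stack.extend(nested_in.get(group.name, []))
    return list(seen.values())


def estimate_token(groups, account_domain, sid_history=0,
                   max_token_size=DEFAULT_MAX_TOKEN_SIZE):
    """Classify each group as a 40-byte or 8-byte SID and apply the formula."""
    d, s = sid_history, 0
    for group in groups:
        if group.scope == "global":
            s += 1
        elif group.scope == "universal":
            if group.domain == account_domain:
                s += 1
            else:
                d += 1
        elif group.scope == "domain_local":
            d += 1
        else:
            raise ValueError(f"unknown scope for {group.name}: {group.scope}")
    size = BASE_OVERHEAD + COST_D * d + COST_S * s
    sid_count = len(groups) + sid_history
    return {
        "d": d,
        "s": s,
        "sid_count": sid_count,
        "bytes": size,
        "exceeds_max_token_size": size > max_token_size,
        "exceeds_sid_limit": sid_count > SID_LIMIT,
    }


def nested_strategy(n, account_domain="child1",
                    domains=("child1", "child2", "child3", "child4")):
    """Constructed scenario: n domain global groups, each nested in one
    universal group, with the universal groups spread over four domains."""
    direct = [Group(f"DG_{i}", "global", account_domain) for i in range(n)]
    nested_in = {
        f"DG_{i}": [Group(f"UG_{i}", "universal", domains[i % len(domains)])]
        for i in range(n)
    }
    return direct, nested_in


if __name__ == "__main__":
    direct, nested_in = nested_strategy(300)
    nested = expand_membership(direct, nested_in)
    print("global -> universal nesting:", estimate_token(nested, "child1"))

    # Same number of SIDs, but every group is a global group in the account domain.
    flat = [Group(f"G_{i}", "global", "child1") for i in range(600)]
    print("all global groups:", estimate_token(flat, "child1"))
```

With the same 600 SIDs in the token, the nested layout lands above the 12000-byte default while the all-global layout stays at half of it, which is the effect described in point 2 of the post.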














listmailUser is Offline

Posts:445

09/30/2008 12:07 AM  
I agree that a role based system can work, provided it is done right. I
haven't seen one really done right yet. Not to my definition of right. I
have seen it done right to other's definition meaning the system was easier
to manage. But to me, easier to manage isn't the main point of security,
it is making sure people only have access to what they specifically need and
role based systems rarely seem to get the granularity defined to do it
properly. You get roles like accountant defined and you will have 150
accountants all with slightly different real world roles. So some of them
may need access to some of the stuff the role grants and some don't.

Role based security is not the only one that falls down in implementation
though. This easily happens regularly in resource based permissioning as
well. The caveat there is that with a resource based permissioning system,
you may have a fighting chance of digging yourself back out if it gets bad
and you have to figure out where all the access is being granted and to
whom. If you have a group called accountants and it is assigned permissions
willy nilly across a multidomain environment it will be tougher to track
that down (especially with global or universal groups) than it should be to
track down the permissions assigned to the domain member local group
SHR_PROJECT_FOLDERNAME.

As Dan mentioned what I commented on, when you start dealing with
distributed apps like AD, DFS, ADAM, Replicated SQL, then you really
can't use the domain member local groups because as Dan indicated, the SID
has no meaning anywhere but on that system.

While I dislike that domain local groups bloat the SIDs more than Global
Groups, I like the idea that the scope of the group is constrained to that
one domain versus any trusted domain in or out of the forest, that just
makes the tracking down of who has access to what too challenging and
mistakes too opportunistic.

I personally think that if it all comes down to human manual management,
your system, regardless of design, will most likely fail over time. Most IT
departments are not that adamant about getting things right and don't have
the money to make sure they keep doing things right. I have seen some
stellar designs for permissioning that were completely knocked down and
screwed up by a few admins who got in a hurry and started applying
individual user SIDs to ACLs. Then months later after they have added a few
hundred people like that, they start complaining about performance accessing
the file share... well duh...

So to go back to the earlier question, when do the best practices start to
break down? The answer is the ubiquitous "it depends". On a ton of things
but not the least of which is the rigor in which the IT group is run or
better, how good the automated group management tool is handled. For the
most part IT folks shouldn't even be managing group membership, they don't
know who should and shouldn't be in groups. That management should be done
by the resource owner who knows for sure who should be accessing a resource
and that is best done by delegating off that membership management to the
owner. IT should just be making sure standards are followed and
creating/deleting groups based on resource provisioning/deprovisioning.


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3.htm



Marty1_0User is Offline

Posts:72

09/30/2008 2:35 AM  
Thanks both for your answers!

The last point Joe tackles (IT folks shouldn't do resource management, but
the resource owner should) is something I haven't seen implemented yet,
although it's logical! I've seen many cases where the resource owner is
stuck when he sees who has access or where the approval flow to obtain
access isn't well implemented. Both resulting in people having access who
shouldn't & around. Another thing I see regularly is to delegate this
management to the first line, but they also don't have a clue about who
needs to give approval etc. making them "sloppy" on that level (no offence
to them BTW). So indeed the only proper solution would be delegating the
resource management to the resource owner directly and cutting off any
interaction by IT folks except providing the platform.

Working with DL groups can indeed be interesting, even in multi domain
environments. You can easily outline the correct usage of the groups making
tracking down the resource rights easier i.o. walking through groups
endlessly...
1 thing we will never be able to prevent in any way is the human factor.
That we know for sure :-)

Thanks again for your thoughts/opinions/...
danholmeUser is Offline

Posts:128

09/30/2008 1:12 PM  
Agreed across the board.

On Resource Management: Working with a client today, in fact, who is
migrating from Novell to Windows file servers, and is determined to "do
it right." A part of this will be resource ACL management, which will
also be "proxied" - i.e. admins won't set ACLs manually, it will be a
provisioned process that is proxied, so they can't do the ACLing
directly, thus enforcing business logic. Other major steps towards
manageability include:

* Using Owner Rights (Owner Rights: ALLOW: MODIFY) in WS2008

* Auditing (audit for SUCCESS for CHANGE PERMISSIONS)

* Documenting: the "proxy" process adds the URL to a resource
secured by the group to the group's INFO attribute

* Scanning occasionally for anything that slipped through the
cracks

Or you can go with commercial products that cost a lot but really lock
things down.

On 'letting the business owner manage access' I've actually seen that
done several times to HUGE success. IT loves it because it gets them
out of the 'middle' of a resource access request and the business owner
who has to approve it anyway. Users love it because it makes IT more
responsive.

Joe's absolutely right that without dealing with these kinds of issues
outside of group management, you're also not going to get there.

Dan





Fom: -own@mal.ad.og
[malo:-own@mal.ad.og] On Bhalf Of Ba Van dn
Wynga
Sn: Monday, Spmb 29, 2008 8:31 PM
To: @mal.ad.og
Subj: R: [] Goup Bs Pas



Thanks boh fo you answs!



Th las pon Jo akls (IT folks shouldn' do sou managmn,
bu h sou own should) s somhng I han' sn mplmnd
y, alhough 's logal! I' sn many ass wh h sou
own s suk whn h ss who has ass o wh h appoal flow
o oban ass sn' wll mplmnd. Boh sulng n popl hang
ass who shouldn' & aound. noh hng I s gulay s o
dlga hs managmn o h fs ln, bu hy also don' ha a
lu abou who nds o g appoal . makng hm "sloppy" on ha
ll (no offn o hm BTW). So ndd h only pop soluon would
b dlgag h sou managmn o h sou own dly and
ung off any naon by IT folks xp podng h plafom.



Wokng wh L goups an ndd b nsng, n n mul doman
nonmns. You an asly ouln h o usag of h goups
makng akng down h sou ghs as .o. walkng hough
goups ndlssly...

1 hng w wll n b abl o pn n any way s h human fao.
Tha w know fo su :-)



Thanks agan fo you houghs/opnons/...

On Tue, Sep 30, 2008 at 6:03 AM, joe <listmail@joeware.net> wrote:

I agree that a role based system can work, provided it is done right. I
haven't seen one really done right yet. Not to my definition of right. I
have seen it done right to other's definition meaning the system was
easier to manage. But to me, easier to manage isn't the main point to
security, it is making sure people only have access to what they
specifically need and role based systems rarely seem to get the
granularity defined to do it properly. You get roles like accountant
defined and you will have 150 accountants all with slightly different
real world roles. So some of them may need access to some of the stuff
the role grants and some don't.

Role based security is not the only one that falls down in
implementation though. This easily happens regularly in resource based
permissioning as well. The caveat here is that with a resource based
permissioning system, you may have a fighting chance of digging yourself
back out if it gets bad and you have to figure out where all the access
are being granted and to whom. If you have a group called accountants
and it is assigned permissions willy nilly across a multidomain
environment it will be tougher to track that down (especially with
global or universal groups) than it should be to track down the
permissions assigned to the domain member local group
SHR_PROJECT_FOLDERNAME.

As Dan mentioned what I recommend on, when you start dealing with
distributed apps like AD, DFS, ADAM, Replicated SQL, then you really
can't use the domain member local groups because as Dan indicated, the
SID has no meaning anywhere but on that system.

While I dislike that domain local groups bloat the SIDs more than Global
Groups, I like the idea that the scope of the group is constrained to
that one domain versus any trusted domain in or out of the forest, that
just makes the tracking down of who has access to what too challenging
and mistakes too opportunist.

I personally think that if it all comes down to human manual management,
your system, regardless of design, will most likely fail over time. Most
IT departments are not that adamant about getting things right and don't
have the money to make sure they keep doing things right. I have seen
some stellar designs for permissioning that were completely knocked down
and screwed up by a few admins who got in a hurry and started applying
individual user SIDs to ACLs. Then months later after they have added a
few hundred people like that, they start complaining about performance
accessing the file share... well duh...

So to go back to the earlier question, when do the best practices start
to break down? The answer is the ubiquitous "it depends". On a ton of
things but not the least of which is the rigor in which the IT group is
run or better, how good the automated group management tool is handled.
For the most part IT folks shouldn't even be managing group membership,
they don't know who should and shouldn't be in groups. That management
should be done by the resource owner who knows for sure who should be
accessing a resource and that is best done by delegating off that
membership management to the owner. IT should just be making sure
standards are followed and creating/deleting groups based on resource
provisioning/deprovisioning.

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3.htm

________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme
Sent: Monday, September 29, 2008 3:06 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Group Best Practices

I'll pitch in here, with the early caveat that Joe and I have slightly
(though only slightly, I think) divergent perspectives on the issue.

The companies I work with (currently ranging 12k - 100k users) and those
that I touch are dealing a lot with group management right now because
of the need to get ahold of manageability of security, configuration,
etc. Groups are a cornerstone component of any management framework
because they can be used by so many apps & technologies (AD, NTFS, Group
Policy, SCCM...).

AD groups and the way they're used by some components (particularly LSA
and its bloody token; and IIS) are problematic. There are "hard
limits" (1024 groups in a Kerberos PAC; HTTP and IIS limits) and
'workaround-able' limits below that (200-300 groups, practically
speaking, before MaxTokenSize has to be raised). More problematic (as
Joe has pointed out in earlier notes in this thread) is the human
element. Joe highlights this issue, rightly. If you don't have a
framework (people, process & technology) to manage groups that supports
and enables and *enforces* your design, it will fail.

All that said, it is possible to 'do it right', even in large
enterprises (though perhaps not super-large forests, i.e. 100k+). I've
seen it happen and the benefits have been huge. One large (many 10s of
thousands users) insurance company saw manageability and compliance of
security skyrocket and the disk backup times plummet when they
implemented role-based access control. They love it. The clients I've
had that implemented it correctly love it. But it has to be done right
and, given the real limitations of the technology and the fallibility of
humans and process, you might find it's not right for some enterprises.

A couple of notes based on earlier posts to this thread. 1) I like
Joe's "use local groups" option if you can make it manageable. It will
not work for replicated (by Windows, e.g. DFS-R) resources, since the
replicated copies can't refer to SIDs on the other system; but it will
work with standalone servers and some third-party storage
infrastructures. 2) Global groups use the least space in the token, and
can raise the threshold at which you must increase the MaxTokenSize. I
know one company (single domain forest, of course) that migrated to an
almost entirely global group implementation for this reason. 3) One
thing about Exchange (mentioned earlier) that you really need to watch
out for are orphaned SIDs in ACEs. There are known issues about this.
When you give users permissions to shared mailboxes, public folders,
etc., and then delete those users, the orphaned ACE can cause (BIG)
problems. Role based management of Exchange resources can be hugely
helpful to avoid this problem.

I definitely recommend reading the tome on Group Management and Role
Based Management in the Windows Administration Resource Kit that was
released with Windows Server 2008. It's definitely not WS2008 specific.

I'll also do my best to follow this thread, but if I disappear don't
hesitate to poke me (dan h at intelliem dot top-level-commercial-domain)
and I'll hop back in.

Dan

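From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den
Wyngaert
Sent: Monday, September 29, 2008 5:39 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Group Best Practices

Agree on the fact a best practice is a recommendation... That's the
definition :-)

But the problem is that it's used as a reference in many cases.

I would like to know, in this particular case, when you could argue to
not use the best practice recommendation and which arguments can be
used?

This really interests me as I sometimes work with people doing this
stuff, using MS recommendations all the way i.e. believing that "best
practice" is the "rule" i.o. using it as a recommendation...

Thanks for your clear answer (as always)!

-Bart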

On Mon, Sep 29, 2008 at 4:20 PM, joe <listmail@joeware.net> wrote:

For Mom and Pop yes it is a recommended best practice, or was. Those are
the bread and butter of the MSFT deployments and what MSFT primarily
targets... But it isn't across the board for everyone. And all best
practices aren't "this is best for everyone", they are this what we sort
of recommend given our experience for these specific cases. I have
similar issues with the 2003 Deployment guide for disk layout. Works
well to a certain size but then just doesn't make sense. In fact I once
polled 10 MSFT employees in different areas on if they would deploy the
disk guidance in the 2003 Deployment guide. Out of all of them, most
of which all did Enterprise class work, they all scoffed at the idea.
One guy gave the best answer of it depends on the deployment I am
looking at and my perf counter tests. Only one MCS guy (and he was brand
new in the job only 3 months and still no real enterprise experience)
said that he would deploy verbatim to the Deployment guide.

Is why I specifically called out "large orgs". There is very little
guidance from MSFT for large orgs, the idea is that you call in
consultants who are supposed to know what they are doing and they can
work out the best deployment options for you with your specific
environment, concerns, and issues in mind. Most all of my experience
with MSFT the last 12 years has all been Enterprise, 35000 being about
the smallest company I have worked with for any real amount of time.
Back on NT4 I was working in an environment with almost 250,000 users
and can tell you quite strongly UGLy did not work well.

joe

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3.htm

________________________________

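From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den
Wyngaert
Sent: Monday, September 29, 2008 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Group Best Practices

I thought the ugly thing (users into globals, globals into locals,
locals get the permission) was best practice by MS?

-Bart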

On Fri, Sep 26, 2008 at 4:29 PM, joe <listmail@joeware.net> wrote:

IMO, the UGLy[1] or whatever else it is called group strategy never was
a good viable solution in large orgs even back in NT4 days. It is an
attempt at a half-breed between roles based and resource based and in
the end you either have a bazillion groups that really do nothing or you
give out too many permissions to people who don't need them or both.

My overall favorite strategy even though it is missing an element of
reporting is users go directly into machine local groups where the
resources are located at. Domain level groups are used for domain level
resources such as DFS, or AD perms, or distributed SQL apps or other
distributed type things. I want my groups as close to the resources as I
can get them. Using machine local groups for your resources on the
machines gets away from the token bloat issues and also slows down
the issues of... where the hell does this group have permissions at? You
know it is only on that one machine so the scope is substantially
reduced.

That being said, there is a horrible native issue with reporting back
who has access to what when you use machine level groups. Management is
a trifle more involved as well, as by default you have to connect to the
machine in question to make the modifications. Some people also don't
know how to delegate group management on member machines and think that
you have to give admin rights out to manage member machine groups. I
have seen companies though that have built these things right into the
provisioning or group management tools. I actually have had on a list of
about 60 apps that I want to build a solution for managing these member
machine groups through AD. I spent a couple years about 6-7 years ago
working out little aspects of what I think it should do, just need to
spend the time and build it. Just because the native OS tie-in of member
groups to the domain is poor doesn't mean someone else can't tie it
together with an app.

Due to the issues with member local groups, people often fall back to
a system of resource based domain local groups which is my second
favorite type of deployment where the users go directly into domain
local groups and the domain local groups either go into machine local
groups or go straight onto the ACLs of the objects. I prefer the domain
local groups go into machine local groups though because it makes it
easier for migration into other domains/forests etc.

I rarely if ever recommend any kind of role based system with native
groups because people rarely define or manage the roles properly nor the
permissions that go behind the roles, it is a well this circle kind of
fits in this round hole so lets go with it... Then people get tossed
into roles because they are close to what they need though some
percentage of the stuff the group gets access to isn't needed by the
person in question. Is an 80/20 permissioning system and I think
security on resources should be closer to 100% even if it is harder to
maintain. If the security on the resources wasn't important, it would
just be set to authenticated users in the first place.

joe

[1] Users into Globals, Globals into Locals, Locals get the permission

--

O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3.htm

________________________________

From: ActiveDir-owner@mail.activedir.org
[mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Ernie Haller
Sent: Thursday, September 25, 2008 9:33 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD Group Best Practices

Recently, I have seen some discussion about the empty forest
recommendation and how that has changed since the Windows 2000 days.

We are currently experiencing some paged pool memory shortages in
our Exchange environment. The usage was determined that the access
token size is consuming most of the memory. We really like groups - to
the extent that it is causing our memory issues,

Our group strategy is to put users in domain global groups. The DG
groups are put into universal groups. The UGs are assigned
permissions. Sometimes domain local groups are used also. This
strategy has been in place since we designed out Windows 2000
Active Directory environment.

I am wondering if this is still the best method of using groups in a
Windows 20003 domain. Any current links to group management best
practices would be appreciated. I am not looking at management tools -
we have too many of those already. I am looking at how best to assign
users to groups.

We have an empty root with four child account domains.

Ernie Haller
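
The token-size arithmetic behind the limits raised in this thread, as an added example that is not part of any poster's message: it applies Microsoft's published estimate, TokenSize = 1200 + 40d + 8s, to four ways of nesting the same 250 role groups. The group names, the domain names (child1 to child3), the 250-group count and the 12000-byte default MaxTokenSize are assumptions of the example; the 1024 limit is the figure quoted in the thread.

```python
from collections import deque

# Microsoft's published estimate: TokenSize = 1200 + 40*d + 8*s (bytes)
#   d: domain local groups + universal groups from other domains (full SID)
#   s: global groups + universal groups in the user's own domain (RID only)
# SID history entries also count toward d; this example assumes none.
OVERHEAD, FULL_SID, RID_ONLY = 1200, 40, 8
DEFAULT_MAX_TOKEN_SIZE = 12000  # assumed default (Windows 2000 SP2 to 2008)
HARD_SID_LIMIT = 1024           # hard limit as quoted in the thread


def expand(direct, groups):
    """Return every group reachable from the direct memberships via nesting."""
    seen, queue = set(), deque(direct)
    while queue:
        name = queue.popleft()
        if name in seen:        # already counted; also stops circular nesting
            continue
        seen.add(name)
        queue.extend(groups[name]["member_of"])
    return seen


def estimate(user_domain, resource_domain, direct, groups):
    """Estimate the token a user presents to a server in resource_domain."""
    d = s = 0
    for name in expand(direct, groups):
        scope, domain = groups[name]["scope"], groups[name]["domain"]
        if scope == "global":
            s += 1
        elif scope == "universal":
            if domain == user_domain:
                s += 1
            else:
                d += 1
        elif scope == "domain_local":
            # Only the resource's own domain adds its domain local groups.
            if domain == resource_domain:
                d += 1
        else:
            raise ValueError(f"unknown scope for {name}: {scope}")
    size = OVERHEAD + FULL_SID * d + RID_ONLY * s
    return {"d": d, "s": s, "bytes": size,
            "fits_default": size <= DEFAULT_MAX_TOKEN_SIZE,
            "under_sid_limit": d + s < HARD_SID_LIMIT}


def build_sample(n, final_scope, final_domain):
    """Constructed data: n global groups in child1, each nested in one
    resource group of the given scope and domain."""
    groups, direct = {}, []
    for i in range(n):
        gg, res = f"GG_Role_{i}", f"RES_Share_{i}"
        groups[gg] = {"scope": "global", "domain": "child1",
                      "member_of": [res]}
        groups[res] = {"scope": final_scope, "domain": final_domain,
                       "member_of": []}
        direct.append(gg)
    return direct, groups


def compare(n=250):
    """User lives in child1 and connects to a server in child2."""
    designs = [
        ("GG -> UG in another domain", "universal", "child2"),
        ("GG -> UG in account domain", "universal", "child1"),
        ("GG -> DLG in resource domain", "domain_local", "child2"),
        ("GG -> DLG in a third domain", "domain_local", "child3"),
    ]
    results = {}
    for label, scope, domain in designs:
        direct, groups = build_sample(n, scope, domain)
        results[label] = estimate("child1", "child2", direct, groups)
    return results


if __name__ == "__main__":
    for label, r in compare().items():
        print(f"{label:30} d={r['d']:3} s={r['s']:3} "
              f"{r['bytes']:6} bytes fits_default={r['fits_default']}")
```

With every group costing a full SID, the 12000-byte default is reached at 270 groups, which matches the 200-300 group range mentioned in the thread.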
















GuidoGUser is Offline

Posts:58

09/30/2008 5:58 PM  
The thread certainly shows that depending on your infrastructure requirements, group management is nothing simple. And a multi-domain forest brings its own challenges with it, mainly the need to really understand what you're doing. There are enough folks out there that have still not understood what the real difference is between domain local, global and universal groups and the benefits and downsides, scopes and restrictions set for each of these types. Often forgotten is the recoverability aspect in case you have Murphy working next to you - not only for the group, but also for the members of a group when a user is accidentally deleted etc.

Merely the fact that you have to differentiate between 6 types of groups in AD (DLG/GG/UK security enabled or not) + the local groups on a resource doesn't make life easier. Banyan only had one group-type. A moot point now - as I don't know a single company that still runs Banyan. But certainly not because the group model was weak.

I typically try to simplify the matter by reducing the use of global groups in multi domain environments. Either use DLGs or UGs - you can usually achieve everything you need. Ok - Win2008 now adds the requirement to use GGs for managing Fine Grained Password Policies - I'd add that to the exception list.

Joe and I have had a disagreement on this for years - but I'd even go as far as using UGs wherever I can - of course, after you've switched to 2003FFL and are using LVR. Note that this won't be your solution if you have a token size issue, as UGs from other domains require more space in your token (full SID) than GGs or DLGs (only store the RID). But it does solve the problem if you wish to use the same group as an Exchange DL - this must always be a UG and don't even think about nesting GGs into this UG.

In essence you won't be able to implement a good solution without good processes and standards. Don't make it too complex as no one will be able to follow the concept and you end up in a mess later on. Don't try to go without standards because the mess of using all kinds of different group types is even worse.

And certainly go with the golden rule: keep it simple.

/Guido

P.S: it's especially nice to work out a good group concept when folks migrate from Novell - some still have a hard time to believe that you can't use an OU to assign permissions. What a concept. Sometimes I wish MSFT had copied more of the ideas Novell put in place. Took long enough to get the option to set visibility of file objects, i.e. Access Based Enumeration (ABE). But don't keep your hopes up that OU's will be security principals.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme
Sent: Tuesday, September 30, 2008 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Group Best Practices

Agreed across the board.

On Resource Management: Working with a client today, in fact, who is migrating from Novell to Windows file servers, and is determined to "do it right." A part of this will be resource ACL management, which will also be "proxied" - i.e. admins won't set ACLs manually, it will be a provisioned process that is proxied, so they can't do the ACLing directly, thus enforcing business logic. Other major steps towards manageability include:

* Using Owner Rights (Owner Rights: ALLOW: MODIFY) in WS2008

* Auditing (audit for SUCCESS for CHANGE PERMISSIONS)

* Documenting: the "proxy" process adds the URL to a resource secured by the group to the group's INFO attribute

* Scanning occasionally for anything that slipped through the cracks

Or you can go with commercial products that cost a lot but really lock things down.

On 'letting the business owner manage access' I've actually seen that done several times to HUGE success. IT loves it because it gets them out of the 'middle' of a resource access request and the business owner who has to approve it anyway. Users love it because it makes IT more responsive.

Joe's absolutely right that without dealing with these kinds of issues outside of group management, you're also not going to get there.

Dan


From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Bart Van den Wyngaert
Sent: Monday, September 29, 2008 8:31 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] AD Group Best Practices

Thanks both for your answers!

The last point Joe tackles (IT folks shouldn't do resource management, but the resource owner should) is something I haven't seen implemented yet, although it's logical! I've seen many cases where the resource owner is stuck when he sees who has access or where the approval flow to obtain access isn't well implemented. Both resulting in people having access who shouldn't & around. Another thing I see regularly is to delegate this management to the first line, but they also don't have a clue about who needs to give approval i.e. making them "sloppy" on that level (no offence to them BTW). So indeed the only proper solution would be delegating the resource management to the resource owner directly and cutting off any interaction by IT folks except providing the platform.

Working with DL groups can indeed be interesting, even in multi domain environments. You can easily outline the correct usage of the groups making tracking down the resource rights easier i.o. walking through groups endlessly...
1 thing we will never be able to prevent in any way is the human factor. That we know for sure :-)

Thanks again for your thoughts/opinions/...

GilUser is Offline

Posts:77

09/30/2008 6:10 PM  
Guido brings to mind a question I've had for years (as one of those who still occasionally struggles with the semantics of the different group types).

If there was no token bloat issue or other scalability problems with groups, why wouldn't you want a single group type that was forest-visible and could contain links to any object in the forest? That was the StreetTalk model as Guido mentioned, and it certainly seemed sufficient. Am I missing something?

-gil

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Grillenmeier, Guido
Sent: Tuesday, September 30, 2008 12:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Group Best Practices

The thread certainly shows that depending on your infrastructure requirements, group management is nothing simple. And a multi-domain forest brings its own challenges with it, mainly the need to really understand what you're doing. There are enough folks out there that have still not understood what the real difference is between domain local, global and universal groups and the benefits and downsides, scopes and restrictions set for each of these types. Often forgotten is the recoverability aspect in case you have Murphy working next to you - not only for the group, but also for the members of a group when a user is accidentally deleted etc.

Merely the fact that you have to differentiate between 6 types of groups in AD (DLG/GG/UK security enabled or not) + the local groups on a resource doesn't make life easier. Banyan only had one group-type. A moot point now - as I don't know a single company that still runs Banyan. But certainly not because the group model was weak.

I typically try to simplify the matter by reducing the use of global groups in multi domain environments. Either use DLGs or UGs - you can usually achieve everything you need. Ok - Win2008 now adds the requirement to use GGs for managing Fine Grained Password Policies - I'd add that to the exception list.

Joe and I have had a disagreement on this for years - but I'd even go as far as using UGs wherever I can - of course, after you've switched to 2003FFL and are using LVR. Note that this won't be your solution if you have a token size issue, as UGs from other domains require more space in your token (full SID) than GGs or DLGs (only store the RID). But it does solve the problem if you wish to use the same group as an Exchange DL - this must always be a UG and don't even think about nesting GGs into this UG.

In essence you won't be able to implement a good solution without good processes and standards. Don't make it too complex as no one will be able to follow the concept and you end up in a mess later on. Don't try to go without standards because the mess of using all kinds of different group types is even worse.

And certainly go with the golden rule: keep it simple.

/Guido

P.S: it's especially nice to work out a good group concept when folks migrate from Novell - some still have a hard time to believe that you can't use an OU to assign permissions. What a concept. Sometimes I wish MSFT had copied more of the ideas Novell put in place. Took long enough to get the option to set visibility of file objects, i.e. Access Based Enumeration (ABE). But don't keep your hopes up that OU's will be security principals.

From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Dan Holme
Sent: Tuesday, September 30, 2008 7:04 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] AD Group Best Practices

Agreed across the board.

On Resource Management: Working with a client today, in fact, who is migrating from Novell to Windows file servers, and is determined to "do it right." A part of this will be resource ACL management, which will also be "proxied" - i.e. admins won't set ACLs manually, it will be a provisioned process that is proxied, so they can't do the ACLing directly, thus enforcing business logic. Other major steps towards manageability include:

* Using Owner Rights (Owner Rights: ALLOW: MODIFY) in WS2008

* Auditing (audit for SUCCESS for CHANGE PERMISSIONS)

* Documenting: the "