Collapsing empty root forests to a single domain

  • Last Post 28 August 2007
listmail posted this 11 August 2007

Hello my activedir.org list denizens... How are you all. Again sorry for
being dark lately, tons of stuff going on, not the least of which I just
bought a new house "in the country"[1] with 12 acres, pole barn bigger than
my current house, nice big pond, and horse stalls (Where else would I park
my Mustang right?) and that paperwork and discovery is obviously consuming a
good amount of my time and not to mention work... On the positive side, I
know my good friend Eric Fleischman will be happy to stop by weekly to mow
it all for me because he absolutely loves doing yard work. By the way ~Eric,
that acreage is a little over half a million square feet. The front yard is
only about 350'x350' or about 20% of it. You should easily be able to push
through that in an hour or so right? Don't forget to bring your weed
whipper. Oh and a chain saw, lots of trees from the 400 feet to 1600 feet
deep area that need some trimming. :)
So... On with the show...

How many people out there have an empty root forest design with a single
resource forest and did it back in the early 2000-2004 time frame because
someone (Microsoft or other) said it was the best practice to deploy that
way for security or isolation reasons? Raise your hand. Higher. Cough.
Louder. 1....2.....3....4....5.... ;o)

Ok the reason I ask this is that I am constantly running into this in
customer locations lately and everyone wants to collapse into a single
domain, but the resource domain has everything, the root has nothing, and
the work effort to move from the resource to the root is so overwhelming or
scary no one is ever really going to take the time and effort to do it. The
only time they really consider it is if they are looking at moving to a
whole new forest entirely already for some other reason.

So... With that being said, how many people would just love MSFT for nearly
ever if they came up with a mechanism to allow you to collapse your empty
root forest down into the resource domain. You don't migrate the resource
stuff into the root and collapse, you just dump the root and keep moving
along. Some mechanism that really works well and doesn't have you as scared
as say maybe a domain rename.

I realize this will have impact on MSFT and third party apps that store
config info that they should be looking up, etc. But what, in general do
people think of this idea.

What I don't really care to see is MSFT or others just outright say, that
will never happen. Let's see first how many people think this would be useful
for them and then maybe see if it gets any traction. I know a lot of the
MSFT people and so do many of you on this list, they are scary smart for the
most part and like they say about perl, they make the difficult easy and the
impossible merely difficult.

FYI: I BCC'ed several of my MSFT friends so I am not blindsiding them with
this.
joe

[1] Really it is about 3 miles from suburban civilization which is very
cool. I could go from feeding goats to looking at flat panel TVs in a Best
Buy or Circuit City in about 10 minutes.
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm

kamleshap posted this 11 August 2007

Count us in (4 such clients).. does it count as 4 hands up. :-)
Also make it less scary to rename domains.

--
You teach best what you most need to learn.

ZJORZ posted this 11 August 2007

I can't hear you!!!! ;-)

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :


laurahcomputing posted this 11 August 2007

For an organization that has an empty root for the sole purpose of
housing a single child domain underneath of it, I'd love to see
something like that.

It becomes less practical when there are multiple child domains
involved, obviously, but that wasn't the question you asked so I
digress. :-)

(Congratulations on the purchase, I want to see pictures!)


acmaurer posted this 11 August 2007

Although I avoided it in 2000, I couldn't talk a divestiture's IT team
out of it. As the practice has (almost) fallen by the wayside, though,
I wonder whether it's worth the effort. Hopefully your poll will give
some idea of the numbers out there.

Al


ZJORZ posted this 11 August 2007

Clients that started out with W2K most of the time have one of the following structures:

(1) Empty Forest root with a child
(2) Empty Forest root with a tree root

It is not only that companies would love to "lose" the empty forest root, but they sometimes are also interested in keeping their domain name that they have chosen for either the child or the tree root. This is especially true for the environments with the tree root scenario.

Basically you are asking MS to enhance the Domain rename/repositioning strategy. Within a forest you can rename every domain. Within a forest you can reposition every domain, except the forest root. Would it be cool to be able to reposition the forest root? Heck yes!

Side question: how many clients do you see with multiple forests, because the client wants multiple vendors to admin their stuff. "their stuff" in most cases is (1) users, clients, servers, (2) mail services (3) instant messaging services, etc. Looking at this scenario you get three forests. As we all know both exchange and LCS can be separated from AD management. Because it is not possible to technically prevent the AD owners from doing stuff in either exchange or LCS, the vendors say: "I want my own forest, because blabla security boundary stuff blablabla". The fun part is that the vendor demands/asks it, but the client is the one paying for that stuff....

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services

LogicaCMG Nederland B.V. (BU ISA Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail :


joe posted this 11 August 2007

Welcome back and congrats on your new purchase. My sister has a similar
type of property and likes it a lot. I think the general recommendation is
that you purchase this specific kind of small tractor instead of a riding
lawn mower as it is more durable and flexible than the riding mower. I'll
try to get more details. :)

Anyway, as a person who works at a company with such a design and no
practical way to undo it, I would applaud this suggestion. Make it so! :)

Joe K.


amulnick posted this 12 August 2007

I think that's just it, it's not worth the current level of effort.
I'd love to see the strategy revisited for domain rename/collapse. It
would be helpful not just here, but in other aspects as well such as
other collapsing. Since the domain is not a security boundary, it
should be a possibility that would reduce the domain to what it really
has become - a name vs. a security boundary.

joe, Best Buy does not indicate civilization. As anyone who lives in
America will tell you (North America) a Walmart in your neighborhood
is the signal that you are now in a civilized area. I'd think such a
well travelled individual as yourself would know that by now. Even one
who is fast becoming a goat... anyway, congrats on the purchase. If
~Eric is unable to help, give a shout. I'm sure we can find somebody
who has a strong back and a weak mind. I may even volunteer :)

Jorge, for those vendors and that analogy, I couldn't agree more.
Multi-forest topologies aren't bad per se, but the reasons they end up
that way can be difficult to understand and even more difficult to
collapse. I don't foresee any solutions coming out that make it easier
to collapse multiforest for that reason. For mergers and divestitures
yes, but for poor strategy I'm not so sure.


efleis1 posted this 14 August 2007

Joe, it probably is worth retelling the story so others get the lawn
joke, though it'll never be as good as when I told it for the first time
to you, Laura, Brian, etc. over dinner.

~Eric


lists1 posted this 15 August 2007

Go for it - it's yours - you brought it up the first time ;-)

Ulf


GuidoG posted this 22 August 2007

Certainly count me in for a few votes on easily collapsing empty root domains - have plenty of customers using this, either because they've used the existing best practices back then themselves for their AD design, or because I told them to do so years ago... :-) Certainly I've no longer recommended it ever since discovering "security boundary" thing in 2002. Only few have been lucky enough to be involved in an acquisition/divestiture, which allowed them to build a new forest (more often they had to be integrated into another not-ideally designed AD forest).

This would not only be cool because it's "nicer" - having the empty root can be a pain in the butt, especially for x-forest auth when you want to use Kerberos, i.e. when you'd need to use a real forest-trust and not merely a normal external trust between the two child domains of two forests with empty roots...

Congrats on your new ranch :-)

/Guido


bdesmond posted this 26 August 2007

In k3 you can set the replication scope of particular DNS zones
to be forest wide…

Thanks,

Brian Desmond

brian@briandesmond.com

c - 312.731.3132


shoktai posted this 26 August 2007

Hey Joe,
I have to raise my hands too. I started a post recently about changing the DNS scope of my DNS servers (I am still writing my reply but I have to read the huge amount of info I received), so the root DNS servers can replicate to the entire forest instead of the entire domain. Because we have a setup with a root domain (totally empty) and a child domain. The child domain is a DNS delegation of the root domain and it doesn't replicate to the root and vice-versa. Recently, I had to reactivate the trust btw the root and the child and I had to manually change the DNS servers in the network properties of my DC to do so. It may sound obscure and that's why we want to get rid of the root domain.
Now we want to collapse, so we just have one domain. After discussing the problem, we are still thinking of rebuilding the whole domain/directory.. so if you could provide an alternative solution I would be very interested.
How long could such a project take?


davyp posted this 27 August 2007

My 5 cents about this one...
I've never actually done any domain renames and stuff, so I'm not 100% on this but here's a thought...

Suppose MS would give us a supported way to change which domain in the forest is the forest root....

You have an empty root domain called emptyroot.local and your main domain is called mycompany.emptyroot.local.

(1) Add a new domain tree to the forest with one domain named tempdomain.com
(2) Turn tempdomain.com into the forest root
(3) Discontinue emptyroot.local, (would this work?) or rename it and move it out from under mycompany.emptyroot.local before discontinuing.
(4) Move forest root to mycompany.emptyroot.local
(5) Discontinue tempdomain.com

And you should end up with one (oddly named) single domain forest....
Then if you're really eager and you like pain, go for a domain rename to something sexy :-)

So 2 considerations....
(1) Does anyone have any idea how hard it would be and what you would need to do to change the forest root domain in a forest?
(2) Can you move a domain without also moving its child domains, in other words, delete a "tree root domain" in a tree that is not the forest root, and can you do that without having to rename it?

Regards,
DavyP


dmitrig posted this 27 August 2007

Sorry for the delayed response Joe et al.

I would like to pose a counter-question. Why would you want to collapse
the empty root? Is it really expensive to run it? You are not getting any more
secure. You are losing in delegation capabilities (DA can become EA and SA, if
he wants).

So, why?


davyp posted this 27 August 2007

ok, this is just my opinion, I'm curious to how the rest sees this....

I've never had any client where I actually built one of those empty forest roots.... the reason Dmitri gives is a valid one, but only if:

(1) There isn't a single domain in your forest for which you can trust the domain admins, and if you're a domain admin in one of the domains in the forest, you really don't need enterprise admin or schema admin to wreak havoc in the forest.
(2) You actually relied on the full "domain admins" group for delegation.... shouldn't delegation models be more like grant create user/computer IN OU...

In good sized environments the domain admin accounts are holy and it takes a lot of change documentation before you can even log in with one...

Only other thing I can think of is service accounts, but how many applications are there that actually NEED to run with domain admin privileges? Most of the time the manual just says that so they don't have to bother explaining rights and policies...

Regarding the reason to get rid of these empty forest roots if you have them....

MS recommends not virtualizing your "key domain controllers" like GCs, FSMOs and DNS servers.... meaning you're probably stuck with at least 2 physical DCs in that forest root domain until the end of time.

This is about the time that early domain controller hardware is getting end of life and the hardware cost alone for replacing them is enough to get management thinking... add to that all the licensing of OS, management tools and maintenance on the licensing. Then there's patching maintenance, power, cooling...

It's especially the "until the end of time" savings that presents a nice quick win, and that's what sets it all in motion...

Just my thoughts...
DavyP


amulnick posted this 27 August 2007

To add to Davy's thoughts below:
empty root domains provide no or little value to most implementations.
In a day when I need all of the datacenter space and environmentals I
can get, each and every machine that puts out heat or sucks up electricity
has to be considered. It's not a free for all as much as it used to be
and although the up front hardware costs are cheap, the rest of it
costs through the nose as Davy alludes to.

Some apps don't play well with the empty root topology - past versions
of Exchange don't do well with multi domain forests or multi-forest
deployments. What to do with the domainprep so it won't use the root GC
for example. Sure, it can be made to work with limitations, but let's
face it, the idea was an afterthought for that product group. Other
apps have compromises as well.

In the end, it's added complexity and costs that really have no
return. Empty root topologies should be removed wherever and whenever
possible but currently it is prohibitively expensive to do that in up
front costs. It's also expensive long term if you do not because of
the added maintenance and overhead.

The business case is weak from Microsoft's point of view. "What? put
work into that feature just because it seems like a good idea and
helps people to follow our best practices? What's the impact if we do
nothing?" Truth is, nothing happens. Customers aren't going to ditch
AD if you don't do it. But I for one would send nicer holiday cards
if you did.

Besides, except for legacy issues, is it that hard to do ;) ?
-ajm


dmitrig posted this 27 August 2007

Thanks guys for the feedback, I'll wait to see what others say, and then I'll forward this to our mgmt. This is good stuff. To summarize so far:
* added complexity, management and energy costs with negligible return
* these costs will never go away

Answering your questions:
Is it hard? Yes, it is... When we did domain rename in w2k3, we could not touch this part. Well, I guess it depends on which scenarios we want to cover. If we go for small/simple scenarios, to cover 80% of population, then it should be fairly straightforward I think. But the remaining 20%, especially the borderline ones, will be offended... In any case, I'll give it a shot.

Re service accounts running as DA. Man, I would kick such apps out. You are putting your enterprise security into the hands of a software company that was too lazy to enumerate which permissions they need? I guess easier said than done... Even Exchange is guilty (at least for setup).

Thanks,
Dmitri


bdesmond posted this 27 August 2007

> Re service accounts running as DA. Man, I would kick such apps out. You
> are putting your enterprise security into the hands of a software
> company that was too lazy to enumerate which permissions they need? I
> guess easier said than done... Even Exchange is guilty (at least for
> setup).

2007 has largely rectified this.

Thanks,
Brian Desmond
brian@briandesmond.com

c - 312.731.3132


sbradcpa posted this 27 August 2007

Easy to say to kick the apps out.

The person who made the purchasing decision typically is not the uber
geek Joe who asks the right questions. It's the manager level guy who
went to the shindig in Vegas who got the brochures and saw the pie
charts and went "OH we need THIS".

By the time the app comes into the office to be deployed and when you
see what it demands to be loaded... it may be too late and the contract
is signed.

Is it laziness or is it a reaction to the marketplace that hasn't cared
or understood? I'd argue it's a tad of both.


dmitrig posted this 28 August 2007

App developer could not care less about auditing. It's the responsibility of those wussy AD admins.
Is this not a part of standard AD curriculum?
(Dean, wink wink)
