Just in Time Administration/PAM Forest

  • Last Post 25 May 2016
a-ko posted this 25 May 2016

Reference: https://technet.microsoft.com/en-us/library/mt345568.aspx

I've been doing some reading on this functionality of Server 2016 and wondering if anyone could explain a bit more of the technical reason why it mentions you need to have a group in the trusted forest (PRIV forest in the guide) that shares a SID with a group in the trusting forest (CORP). Is it purely for compatibility's sake and there's no other reason? Or is it a way for the MIM components to correlate the two groups?

And if setting up in a new environment, would you use this duplicate SID functionality throughout the design? i.e. use the CORP\Group to assign permissions to resources in the CORP domain, and use the New-PAMGroup cmdlet (https://technet.microsoft.com/en-us/library/mt488749.aspx) to create the information in the PRIV domain?

-Mike Cramer

bdesmond posted this 25 May 2016

Mike-

The thinking is that you stand up the new PRIV forest but you don't have to change stuff in your existing legacy "CORP" forest. To do that, you bring the groups over and they keep their SIDs so all your ACLs, permissions, etc. continue to work.

Thanks,
Brian Desmond

w - 312.625.1438 | c - 312.731.3132
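The following is an added example, not code from the thread or from Microsoft's PAM guide. It shows the correlation Mike asked about end to end: the SID that CORP ACLs already reference, the shadow group New-PAMGroup creates in PRIV, and the sIDHistory entry on that shadow group that carries the CORP SID across the trust. Forest names (corp.example.local, priv.example.local), DC and file server hostnames, the group name FileServerAdmins and the share path are all hypothetical. It assumes the RSAT ActiveDirectory module and the MIM PAM module (MIMPAM) are available where it runs, that the trust has already been set up per the guide (including the step that allows SID history across the CORP-to-PRIV trust; without it the CORP SID is filtered out of PRIV users' tokens and step 4 proves nothing), and that the accounts used can read both directories.

```powershell
# Added example: verify that a PAM shadow group in PRIV carries the CORP group's SID.
# All names below are hypothetical placeholders for this illustration.

Import-Module ActiveDirectory
Import-Module MIMPAM

$corpDomain = 'corp.example.local'                 # hypothetical legacy forest
$corpDC     = 'corpdc01.corp.example.local'        # hypothetical CORP DC
$privDC     = 'privdc01.priv.example.local'        # hypothetical PRIV DC
$groupName  = 'FileServerAdmins'                   # hypothetical CORP group
$sharePath  = '\\corpfs01.corp.example.local\Finance'   # hypothetical resource in CORP

$corpCred = Get-Credential -Message 'CORP account that can read the source group'
$privCred = Get-Credential -Message 'PRIV account that can read the shadow group'

# 1. Record the CORP group's SID. This string, not the group name, is what every
#    ACE granted to CORP\FileServerAdmins actually stores.
$corpGroup = Get-ADGroup -Identity $groupName -Server $corpDC -Credential $corpCred
$corpSid   = $corpGroup.SID.Value
"CORP group SID: $corpSid"

# 2. Create the shadow group in PRIV. New-PAMGroup reads the source group from CORP
#    and creates a PRIV group whose sIDHistory contains the CORP SID.
New-PAMGroup -SourceGroupName $groupName -SourceDomain $corpDomain `
             -SourceDC $corpDC -Credentials $corpCred | Out-Null

# 3. Correlate the two groups by SID rather than by name: search PRIV for the object
#    whose sIDHistory holds the CORP SID. LDAP accepts the S-1-5-... string form for
#    SID-syntax attributes.
$privGroup = Get-ADGroup -Server $privDC -Credential $privCred `
                         -LDAPFilter "(sIDHistory=$corpSid)" -Properties sIDHistory
if (-not $privGroup) {
    throw "No group in PRIV carries sIDHistory $corpSid; New-PAMGroup did not produce a shadow group"
}
"PRIV shadow group:  $($privGroup.DistinguishedName)"
"PRIV group own SID: $($privGroup.SID.Value)"          # issued by PRIV, different domain prefix
"sIDHistory:         $($privGroup.sIDHistory -join ', ')"

# The primary SIDs belong to different domains; only sIDHistory ties them together.
if ($privGroup.SID.AccountDomainSid -eq $corpGroup.SID.AccountDomainSid) {
    throw 'Unexpected: shadow group was issued a CORP-domain SID'
}

# 4. Show why CORP ACLs need no change: resolve each ACE on the CORP share back to a SID
#    and look for the CORP group's SID. A PRIV user whose token carries that SID via the
#    shadow group's sIDHistory matches this ACE exactly as a CORP member would.
$acl = Get-Acl -Path $sharePath
$matchingAces = $acl.Access | Where-Object {
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $corpSid
}
if (-not $matchingAces) {
    "No ACE on $sharePath references $corpSid (nothing for the shadow group to inherit)"
} else {
    $matchingAces | Select-Object IdentityReference, FileSystemRights, AccessControlType
}
```

Step 3 is the check to keep around after migration: if a shadow group is ever recreated without the sIDHistory entry (or the trust is later changed to filter SIDs again), the PRIV group will still exist by name but PRIV users will silently stop matching CORP ACEs, so correlating by SID rather than by group name is what tells you the design in Brian's reply is actually intact.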


tareq posted this 25 May 2016

Is it just us or is everyone getting messages sent to the list looking like the one below? Curious.

> On May 25, 2016, at 10:10 AM, Brian Desmond wrote:
>
> X-Microsoft-Antispam-Untrusted: UriScan:;BCL:0;PCL:0;RULEID:;SRVR:BN1PR01MB134;
> x-microsoft-antispam-prvs:
> x-exchange-antispam-report-test: UriScan:;UriScan:;
> x-exchange-antispam-report-cfa-test:
> BCL:0;PCL:0;RULEID:(6040130)(2401047)(5005006)(8121501046)(10201501046)(3002001)(6041072)(6043046);SRVR:BN1PR01MB134;BCL:0;PCL:0;RULEID:;SRVR:BN1PR01MB134;BCL:0;PCL:0;RULEID:(9101531078)(601004)(2401047)(8121501046)(13018025)(13016025)(13023025)(13024025)(3002001)(10201501046);SRVR:PU1APC01HT256;BCL:0;PCL:0;RULEID:;SRVR:PU1APC01HT256;
> x-forefront-prvs: 09538D3531
> X-Forefront-Antispam-Report-Untrusted: SFV:NSPM;SFS:(10009020)(6009001)(377454003)(3905003)(2501003)(2906002)(54356999)(76176999)(50986999)(5003600100002)(86362001)(5002640100001)(189998001)(3660700001)(92566002)(10400500002)(8676002)(81166006)(87936001)(5008740100001)(1220700001)(74316001)(107886002)(110136002)(6116002)(586003)(102836003)(3846002)(33656002)(31430400001)(8936002)(3280700002)(2351001)(450100001)(19580395003)(11100500001)(122556002)(77096005)(2900100001)(19580405001)(2950100001)(15975445007)(9686002)(5004730100002)(66066001);DIR:OUT;SFP:1101;SCL:1;SRVR:BN1PR01MB134;H:BN1PR01MB136.prod.exchangelabs.com;FPR:;SPF:None;MLV:sfv;LANG:en;
> spamdiagnosticoutput: 1:23
> spamdiagnosticmetadata: NSPM
> Content-Type: text/plain; charset="us-ascii"
> Content-Transfer-Encoding: quoted-printable
> MIME-Version: 1.0
> X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN1PR01MB134
> Return-Path: brian@xxxxxxxxxxxxxxxx
> X-EOPAttributedMessage: 0
> X-EOPTenantAttributedMessage: 5c400478-69cc-4d49-8320-34f716e11507:0
> X-MS-Exchange-Transport-CrossTenantHeadersStripped: PU1APC01FT004.eop-APC01.prod.protection.outlook.com
> X-MS-Exchange-Transport-CrossTenantHeadersPromoted: PU1APC01FT004.eop-APC01.prod.protection.outlook.com
> X-Forefront-Antispam-Report:
> CIP:65.55.169.54;IPV:NLI;CTRY:US;EFV:NLI;SFV:NSPM;SFS:(6009001)(2980300002)(438002)(3905003)(189002)(377454003)(199003)(586003)(6116002)(8896002)(3846002)(5001970100001)(23726003)(8746002)(5004730100002)(1096003)(92566002)(11100500001)(33656002)(86362001)(102836003)(107886002)(122556002)(8676002)(189998001)(66066001)(5003600100002)(74316001)(97756001)(2351001)(47776003)(50466002)(956001)(106466001)(15975445007)(2950100001)(77096005)(50986999)(54356999)(76176999)(2900100001)(450100001)(22756006)(110136002)(46406003)(10400500002)(5008740100001)(6806005)(19580405001)(9686002)(2501003)(31430400001)(19580395003)(3720700001);DIR:INB;SFP:;SCL:1;SRVR:PU1APC01HT256;H:na01-bl2-obe.outbound.protection.outlook.com;FPR:;SPF:Pass;MLV:sfv;MX:1;A:1;LANG:en;
> X-DkimResult-Test: Passed
> X-Microsoft-Antispam:
> UriScan:;BCL:0;PCL:0;RULEID:(8251501002)(3001016)(71701004);SRVR:PU1APC01HT256;
> X-OriginatorOrg: mail.activedir.org
> X-MS-Exchange-CrossTenant-OriginalArrivalTime: 25 May 2016 14:10:12.4431
> (UTC)
> X-MS-Exchange-CrossTenant-Id: 5c400478-69cc-4d49-8320-34f716e11507
> X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
> X-MS-Exchange-Transport-CrossTenantHeadersStamped: PU1APC01HT256
> Precedence: bulk
> Sender: ActiveDir-owner@xxxxxxxxxxxxxxxx
> Reply-To: ActiveDir@xxxxxxxxxxxxxxxx
>
> Mike-
>
> The thinking is that you stand up the new PRIV forest but you don't have to=
> change stuff in your existing legacy "CORP" forest. To do that, you bring =
> the groups over and they keep their SIDs so all your ACLs, permissions, etc=
> . continue to work.
>
> Thanks,
> Brian Desmond
>
> w - 312.625.1438 | c - 312.731.3132
>


Anthony.Vandenbossche posted this 25 May 2016

I am receiving these mails as well, it started yesterday. I am not an Exchange Guru so I'm not quite sure what is happening.

Kind regards,

Anthony Van den bossche
System Engineer
Anthony.Vandenbossche@xxxxxxxxxxxxxxxx

Direct +32 (0)2 801 54 59
Mobile +32 (0)476 83 80 23



DaveB posted this 25 May 2016

Yes - getting them as well. But not consistently.

Dave


K3llybush posted this 25 May 2016

It seems to do it when someone makes a reply to the forum and not the mailing list, or (as well) maybe when someone posts to the forum instead of emailing the list.