#RuTeched: answering the questions. Does the Dynamic Access Control work over replication?

As I said previously, my labs were a success; still, I wasn’t able to answer some questions and promised to answer them later. The time has come for the first of them. One of the visitors told me that he had had an experience when some files’ attributes wouldn’t replicate over DFSR and asked me if there is any problem with DAC in the same situation. I could definitely experiment myself (and I will), but any experiment of mine would just give me an answer: “yes” or “no”. Or “maybe” for that matter. It wouldn’t explain why. As …

Myths #1: Number of previous logons to cache

You know, as an IT Pro I often meet some persistent myths about OS, protocols or whatever else. Sometimes these encounters become sooo frequent that explaining these wrongs just bores me to death. What’s even more amazing: these wrongs are usually explained on so many blogs, pages and other places that… Well, anyway, probably some people who know people who read my blog don’t read those blogs and pages, therefore I’ll try to show some more of these mistakes. Let’s begin with the very basic, but one of the most frequent mistakes about Group Policy. Yeah, the one which is …

Press a button–get the result

Do you know at exactly which moment your GPO really applies? When you switch the radio button to “Enabled”? Or when you close a GPO console? I’ve been wondering about it for some time (but of course I was too lazy to test it myself 😉 ), but some time ago, while at a training, I asked a trainer and we conducted an experiment on the spot, because he didn’t know it either. During the experiment we got proof that the settings you change are implemented as soon as you press the “OK” or “Apply” button with this particular setting. …

Delegate permissions for creating GPO objects in other domain

The task is obviously necessary to complete on your way to implementing the Role-Based Administration concept. And, to be honest, being in euphoria after a quick acquaintance with AGPM I thought that it was no deal at all: give an account or a group a membership in some special groups including “Group Policy Creator Owners” and voila – you’ve got it. Aha. Like hell it can succeed! =) This darn group is global and thus cannot be populated with objects from other domains. And moreover, you are unable to change the fact: everything is dimmed. At least I don’t know a way …

The case of jammed permissions

Once I got a request ticket from one of our administrators to whom some permissions in their parts of AD are delegated. The person told me that he didn’t have permissions for some accounts. Well, no problem: I investigated the issue, found that the inheritance on that record was broken and I fixed it – one checkbox and “OK” button – big deal! The next day I received another request… for the same person. The inheritance was broken again! Ok, I’m not a newbie, I even know something about adminCount, adminSDHolder and SDProp. So I went and checked if the …

How to change attribute in AD: alternatives #2

Returning to the question of AD attributes change tools I should go on for some more graphical tools. From now on I know only some self-created possibilities, which require some coding. First is to create some Custom GUI Application. There are multitudes of variants: C#, VBScript, C, you name it. Being somewhat lazy, I decided to take a shortcut. In a beautiful book from the Windows 2008 resource kit, namely: Windows Administration Resource Kit, there are some useful additions. Among them there is an .HTA script, named “Object_Attribute_EmployeeNumber.hta”. It allows me to show the EmployeeNumber attribute and set it. As we …

How to change attribute in AD: alternatives

After my post on delegation and filtered attributes I got a question about more convenient means of editing an attribute (say, employeeID) than Attribute Editor in ADUC. Well, let me enumerate everything I can suggest from tools for the task. ADUC: It is the most common tool for the single attribute change. Just launch Active Directory Users And Computers and check that Advanced Features are on. Then find your object and open its properties, select the Attribute Editor tab and find your attribute. Drawbacks of the method: You need to find the object in AD tree, else you won’t be able to …