Archived from groups: microsoft.public.win2000.active_directory (
More info?)
I have that book, it's ok - no more no less, but that's just my 2 cents.
Kouti and Seitsonen's book is much better...
Regards,
/Jimmy
--
Jimmy Andersson, Q Advice AB
Microsoft MVP - Directory Services
---------- www.qadvice.com ----------
"ptwilliams" <ptw2001@hotmail.com> wrote in message
news:ufGyRm%23GFHA.3484@TK2MSFTNGP12.phx.gbl...
> If in depth understanding is what you're after, then there's also the
> Resource Kit ;-). It's fatter than most, and quite dry in parts, but
> complemented with Inside... by Kouti and Seitsonen and you've got it
> all...
>
> Herb, Joe, Cary,
>
> Have any of you looked at AD Forestry?
>
>
http
/www.amazon.co.uk/exec/obidos/ASIN/0954421809/ref=pd_sim_b_dp_5/202-4807295-4545454
>
>
> I've heard that it's good, and was hoping one of the guys in work would
> buy
> it so I could have a nose without needing to charge it to my card ;-)
>
>
> --
>
> Paul Williams
>
> http
/www.msresource.net/
> http
/forums.msresource.net/
>
> "Herb Martin" <news@LearnQuick.com> wrote in message
> news:eHiIPc4GFHA.3272@TK2MSFTNGP10.phx.gbl...
> Add Gary Olsen's (New Riders I believe)
> "Active Directory Design and Deployment"
> to the list.
>
> It may actually be the best of the bunch but it
> is very old now so it is mostly about those
> GOOD FUNDAMENTALS that one needs
> and which Joe referenced.
>
>
>
> --
> Herb Martin
>
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:ORybGF4GFHA.3876@TK2MSFTNGP14.phx.gbl...
>> Brian, take a look at the following
>>
>> 1. O'Reilly Active Directory, 2e
>> 2. O'Reilly Active Directory Cookbook
>> 3. Addison Wesley Inside Active Directory: A System Administrator's
>> Guide,
> 2e.
>>
>>
>> These are some of the best books out there right now for AD Admin level
> stuff.
>> The first book is a great primer for learning core concepts. The second
> book has
>> a ton of scripts and GUI solutions to various problems. The third book is
> a
>> great in depth book on AD and will teach you probably more than you ever
> want to
>> know.
>>
>> I haven't read #1 though I read the first edition of it. I am sure Robbie
> did a
>> great treatment of it though in the second edition and doubt it is worse
> than it
>> was when I read it. I was a technical reviewer for both #2 and #3 and I
> know the
>> content is great in both of them.
>>
>> The big thing about AD is that it isn't NT. In that, I mean that you
> really
>> didn't need to know too much to run an NT domain, anyone could fire it up
> and it
>> would generally work. However it was extremely limited. AD came along and
>> removed the limitations and gave a lot more flexibility but also added a
> bunch
>> of complexity. In order to do it well, you have to spend a good amount of
> time
>> working on it. I have spent the last 5 years working on it, I didn't get
> to
>> where I am from training and having large IT departments. I simply worked
> with
>> it. In fact, large companies aren't all that great about sending people
>> to
>> training and in the three positions I have held running domains I have
> been one
>> of 3-5 people responsible for domains holding anywhere from 2000-250,000
> users
>> and from 10-400 domain controllers. Not large groups of admins by any
> stretch of
>> the word. It actually forces you to be really good.
>>
>>
>> joe
>>
>>
>> --
>> Joe Richards Microsoft MVP Windows Server Directory Services
>> www.joeware.net
>>
>>
>> Brian wrote:
>> > You know Joe I have many Windows books and have read them but
> unfortunely
>> > they don't go into enough detail about how to correct this issue. I
> wish I
>> > worked for a large company that had training and many IT people but
>> > unfortunely that's not the case. I'm the entire IT department, so it's
> jack
>> > of all trades master of none. I will look at your answer do some more
>> > research after I get back setting up a new domain in remote office and
> see
>> > what I can do. In the mean time you keep being a n expert for us
> "green"
>> > working people. Thanks
>> >
>> > "Joe Richards [MVP]" wrote:
>> >
>> >
>> >>This stuff works as designed, trust me, I have built an enterprise
>> >>class
>> >>directory (>250,000 users) and worked on several other enterprise class
>> >>directories (>100k).
>> >>
>> >>dsacls is a tool in the support tools. If you have them installed you
> should
>> >>simply be able to type
>> >>
>> >>dsacls DN_OF_OBJECT
>> >>
>> >>and it will show you the actual ACL on an AD Object.
>> >>
>> >>
>> >>If you want to quickly check if the adminSDHolder functionality is
> causing
>> >>issues, go grab adfind from my website and run the following command
>> >>
>> >>adfind -default -f samaccountname=userid admincount
>> >>
>> >>If there is a value returned and it isn't 0, that means you are being
> impacted
>> >>by adminSDHolder and you should search google for that term.
>> >>
>> >>Overall you appear to be a very "green" admin and you should buy one or
> more
>> >>books and learn this stuff before you do too much more. You need to get
> a handle
>> >>on the basic concepts and thoughts before you hurt yourself by giving
> too many
>> >>rights in the forest to others.
>> >>
>> >> joe
>> >>
>> >>
>> >>--
>> >>Joe Richards Microsoft MVP Windows Server Directory Services
>> >>www.joeware.net
>> >>
>> >>
>> >>Brian wrote:
>> >>
>> >>>I don't know what an enhanced accouint is. I'm just trying to give a
> user
>> >>>account unlock permission for an OU by making them a member of a
> security
>> >>>group in that OU with permission to unloack accounts. How to do the
> rest of
>> >>>what your writing about I have no idea how to accomplish. How do I
> verify
>> >>>delgation? How do I get DSACLS to run on a specific account? I guess
> it is
>> >>>not possbile to make a sub-administrator, nothing I have done or been
> told
>> >>>has made any difference. The permissions in the security do not seem
> to
>> >>>apply to it's members. Every one will have to full admins unless I
>> >>>can
> make
>> >>>this Windows permissions work as desired.
>> >>>
>> >>>"Joe Richards [MVP]" wrote:
>> >>>
>> >>>
>> >>>
>> >>>>By any chance is the account they are trying to work on another
> enhanced user
>> >>>>account, say an account op or something? If so, look into
> adminSDHolder posts.
>> >>>>If not, look at the ACL with DSACLS and verify the delegation
>> >>>>occurred
> as
>> >>>>expected and if it is correct (should be WP on lockoutTime) then have
> the admin
>> >>>>log off and log on and try again.
>> >>>>
>> >>>> joe
>> >>>>
>> >>>>--
>> >>>>Joe Richards Microsoft MVP Windows Server Directory Services
>> >>>>www.joeware.net
>> >>>>
>> >>>>
>> >>>>Brian wrote:
>> >>>>
>> >>>>
>> >>>>>Thanks I applied both methods on article 279723 plus article 294952
> and still
>> >>>>>no access. The correct permissions are on the security group, the
> user I
>> >>>>>added to the security group still cannot do anything with account
> unlock or
>> >>>>>password reset. Where can I see the effective permissions of the
> user since
>> >>>>>they are a memeber of this security group? The securty group is a
> memeber of
>> >>>>>the built-in Account operators as well. Is there default deny on
> regular
>> >>>>>users accounts that is blocking this? Any help in what this could
>> >>>>>be
> would
>> >>>>>be appreciated. Thanks
>> >>>>>
>> >>>>>"Laura E. Hunter (MVP)" wrote:
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>
>> >>>>>>How to grant help desk personnel the specific right to unlock user
> accounts:
>> >>>>>>http
/support.microsoft.com/?kbid=279723
>> >>>>>>
>> >>>>>>--
>> >>>>>>Laura E. Hunter
>> >>>>>>Microsoft MVP - Windows Server Networking
>> >>>>>>All information provided "AS-IS", no warranties expressed or
> implied.
>> >>>>>>Replies to newsgroup only.
>> >>>>>>"Brian" <Brian@discussions.microsoft.com> wrote in message
>> >>>>>>news:51FD5CA8-A66D-43C7-A57C-B85BF1F15FCA@microsoft.com...
>> >>>>>>
>> >>>>>>
>> >>>>>>
>> >>>>>>>What permissions are necessary for a user to be able to unlock an
> account
>> >>>>>>>or
>> >>>>>>>reset a password. I have an MMC created for user to reset
> passwords (will
>> >>>>>>>this fix an account lockout?) in an OU. I have the user added to
>> >>>>>>>a
> admin
>> >>>>>>>group I created for the OU. I continued to get access denised
>> >>>>>>>when
> try to
>> >>>>>>>reset password. What permissions are necessary and where to
>> >>>>>>>access
> them
>> >>>>>>>as
>> >>>>>>>the enterprose admin. Does password reset unlock an account or is
> that
>> >>>>>>>seperate permissions? Thanks
>> >>>>>>
>> >>>>>>
>> >>>>>>
>
>
>
Facebook
Twitter