I am on a quest to discover what the most stringent AD permissions I can grant to people are and right now I am working through the process of granting the user administration team the right to manage granting the Exchange rights "Send As" and "Full Access" for user mailboxes.
There is a shockingly light amount of information about this on the Internet. The Exchange blogs seem to focus on granting wide and generous permissions.
One thing that makes this a bit more complicated for us is that we have moved our AD administration into Quest ActiveRoles, while our Exchange administration is still in Active Directory.
At this point, the best I have found is that to grant the ability to Send As, the permissions that seem to work is to make the administrator a member of the "Exchange Recipient Administrators" group and to grant that group the "modify permissions" right on the AD user objects.
I have a feeling there is a stricter right that can be applied but I have not found it yet.
I am still on the search for the ability to grant the "full access" rights.... One day!!!
Friday, December 09, 2011
Friday, April 22, 2011
AD FS 2.0: Getting Started
I have started a project to play with AD FS 2.0; and I have discovered that there is not a single book on the topic nor is there a lot of good information on the Web about AD FS, so my adventures in getting started in AD FS have been bumpy to say the least.
The good news, for me, is that a coworker received an invitation to the Microsoft AD FS 2.0 class which was passed on to me. Starting Monday I will get to learn, hopefully in depth, how AD FS 2.0 works and much more detail about it.
My goal is to launch AD FS 2.0 and to write the fable of launching AD FS 2.0 so that people who follow in my footsteps can have a resource for getting started.
What I know so far is that I want to have something that looks like this at the end of the day:
So, check back here to keep track of my AD FS adventures!
The good news, for me, is that a coworker received an invitation to the Microsoft AD FS 2.0 class which was passed on to me. Starting Monday I will get to learn, hopefully in depth, how AD FS 2.0 works and much more detail about it.
My goal is to launch AD FS 2.0 and to write the fable of launching AD FS 2.0 so that people who follow in my footsteps can have a resource for getting started.
What I know so far is that I want to have something that looks like this at the end of the day:
So, check back here to keep track of my AD FS adventures!
Sunday, February 27, 2011
Items of Confusion
In a recent discussion with some other IT people over an issue with a drive that had run out of space I discovered that there is some confusion around what you can actually do with Windows 2003 to expand drives.
After some research (with websites providing both good and bad information) I have come to believe these are the facts:
If you have Windows 2003 install on a machine you can expand or span a volume if:
1) The drive was not a basic partition and was not upgraded from Windows 2000. If the drive started life as a Windows 2003 basic partition you can covert the disk to a dynamic disk and then extend the volume across other drives. However, you cannot do this if the machine was a Windows 2000 server that was upgraded.
2) You can expand a basic partition as long as there is continuous free space. So if you have a C and a D drive on a hard disk and they take up 1/2 of the space and you want to extend the D drive, you can do so as long as the open space is the next available space on the disk.
3) Any drive that started its life as a dynamic volume can be manipulated in any way.
4) If needed, you can convert a dynamic disk to a basic disk; but you will have to blow away all the volumes on that disk. You cannot convert volumes to partitions (that bit is a one way street).
5) Your partition or volume must be NTFS. You just can't roll with FAT.
I have found some articles out there that will tell you that it is not possible to upgrade a basic partition and then expand it. This is true in Windows 2000 and Windows XP. This limitation has been removed in Windows 2003.
The exceptions to this rule are in the cases that you cannot create dynamic drives, which you will find in laptops and removable media. Dynamic drives are just cranky like that.
After some research (with websites providing both good and bad information) I have come to believe these are the facts:
If you have Windows 2003 install on a machine you can expand or span a volume if:
1) The drive was not a basic partition and was not upgraded from Windows 2000. If the drive started life as a Windows 2003 basic partition you can covert the disk to a dynamic disk and then extend the volume across other drives. However, you cannot do this if the machine was a Windows 2000 server that was upgraded.
2) You can expand a basic partition as long as there is continuous free space. So if you have a C and a D drive on a hard disk and they take up 1/2 of the space and you want to extend the D drive, you can do so as long as the open space is the next available space on the disk.
3) Any drive that started its life as a dynamic volume can be manipulated in any way.
4) If needed, you can convert a dynamic disk to a basic disk; but you will have to blow away all the volumes on that disk. You cannot convert volumes to partitions (that bit is a one way street).
5) Your partition or volume must be NTFS. You just can't roll with FAT.
I have found some articles out there that will tell you that it is not possible to upgrade a basic partition and then expand it. This is true in Windows 2000 and Windows XP. This limitation has been removed in Windows 2003.
The exceptions to this rule are in the cases that you cannot create dynamic drives, which you will find in laptops and removable media. Dynamic drives are just cranky like that.
Subscribe to:
Posts (Atom)