tag:blogger.com,1999:blog-5669794173656168105.post4875721612610755129..comments2007-11-01T09:11:38.719-04:00Singlebrook Technology, Inc.http://www.blogger.com/profile/13363962057269850867noreply@blogger.comBlogger1125tag:blogger.com,1999:blog-5669794173656168105.post-61630826009549305562007-11-01T09:11:00.000-04:002007-11-01T09:11:00.000-04:00Nice guide but as you've said, this can be risky. Active Directory is a pretty nice implementation of the directory service but still it is a... mmm how to put it better... a thing that is now very user friendly as its main goal is to be fast and be able to effectively store an overwhelming amount of data regarding the network structure and all the elements registered within the environment. It should provide for the scalability, security, data integrity and compliance. These are the things it manages quite well. We have several sites and we must say that even with a planned replication the environment functions magically. Still it's sometimes very hard to find out what caused the problem even when using the <I>replmon</I> or something of that kind. And you know how hard it becomes to manage it when you need to tweak some security settings there, add an attribute to the schema because an application you need to run requires making changes to the schema. Of course, we know that the golden rule is "make a backup before it's too late". But as it's often the case knowing and doing don't go along for you sometimes. I remember I needed to add security settings for the GPO object and purge some unneeded stuff from Active Directory and I mistakenly applied wrong permissions and deleted wrong GPO so then it was bye-bye Kansas City… Odd thing, I always persuade myself to make backups prior to making changes to Active Directory but this is always all time. You don't have time to make a backup because you or your users need it now. I wish I had a thing that would repair Active Directory security settings automatically. Something like these two watchdog threads in Windows do that prevent you from changing registry parameters in registry. I dreamed to get the functionality that would be a jot closer to what I need. Recently I came across a tool that works like a swiss-army knife for everything about Active Directory. It's <I>Active Administrator from Scriptlogic</I>. I am excited to test it on a more tough setup but after a vigorous testing on my buggy Active Directory that I use to test things in virtual environment I may say that I already love it and especially <A HREF="http://www.scriptlogic.com/active-directory-auditing.asp " REL="nofollow">its audit function</A>. But not only that. As I said, it can monitor security settings and revert any changes made to it always setting back these settings which I defined for them based on my needs. Fantastic. I'll keep working with it more as the tool has pretty long trial period, long enough for me to be able to get some more bucks from our boss and purchase the tool for our guys.Michael Grossmarkhttp://www.blogger.com/profile/08213599689451253095noreply@blogger.com