Archive for January, 2013

AGDLP briefly summarizes Microsoft’s recommendations for implementing role-based access controls (RBAC) using nested groups in a native-mode Active Directory (AD) domain: User and computer accounts are members of global groups that represent business roles, which are members of domain local groups that describe resource permissions or user rights assignments.

AGDLP stands for Accounts, Global groups, Domain Local groups and Permissions. It refers to the practice of assigning permissions to network resources through groups, so that managing those permissions and group memberships is simplified and resources can be accessed across multiple domains.

AGDLP is applied when planning and creating users and groups, as well as when setting NTFS permissions on the resources concerned.

Using AGDLP allows admins to set up their Windows environments so that they greatly reduce user account management and permissions management headaches. Yet even those who have gone through MCSE training still fail to use this simple strategy when setting up their groups and permission assignments.

There have been many times I’ve had to correct my customers’ groups/permissions-related issues because they chose to use only individual accounts, or just Domain Local groups, or just Global groups, when assigning permissions to their resources. Then, when they add a new domain, create a new resource, add a new user, or when someone leaves an organization and is replaced, it becomes a serious nightmare trying to get the permissions set up properly after those changes have been made.

Using AGDLP gives you the following benefits:

  • You can assign local resource access to users in other domains.
  • A user’s access to a resource can be removed simply by removing their account from the appropriate group.
  • If you set up your permissions properly, when a new user is created, you only need to add them to the appropriate group and their permissions will be set up with little to no additional work.

Following an AGDLP strategy:

  1. A: Create the user account(s).
  2. G: Create a global group and add the user account(s) you created in step 1 as members.
  3. DL: Create a Domain Local group in the domain that contains the resource you wish to give access to, and then add the global group from step 2 as a member of this Domain Local group.
  4. P: Assign permissions on the resource using the Domain Local group created in step 3.
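
The four steps above as a PowerShell sketch, followed by a check that the chain stays intact. This is an added example, not part of the original post; the domain (`corp.example`, NetBIOS `CORP`), OU paths, group names, account names and folder path are all assumed placeholders, and it needs the ActiveDirectory module.

```powershell
# Added example. Every name below is an assumed placeholder, not from the post.
Import-Module ActiveDirectory

$roleOu     = 'OU=Roles,DC=corp,DC=example'       # OU for global (role) groups
$resourceOu = 'OU=Resources,DC=corp,DC=example'   # OU for domain local groups
$sharePath  = 'D:\Shares\Finance'                 # resource being protected
$users      = 'alice', 'bob'                      # A: existing user accounts

# G: global group that represents the business role; accounts go here only
New-ADGroup -Name 'GG_Finance_Staff' -GroupScope Global `
    -GroupCategory Security -Path $roleOu
Add-ADGroupMember -Identity 'GG_Finance_Staff' -Members $users

# DL: domain local group in the resource's domain, named for what it grants
New-ADGroup -Name 'DL_FinanceShare_Modify' -GroupScope DomainLocal `
    -GroupCategory Security -Path $resourceOu
Add-ADGroupMember -Identity 'DL_FinanceShare_Modify' -Members 'GG_Finance_Staff'

# P: grant NTFS Modify on the folder to the domain local group only
$acl  = Get-Acl -Path $sharePath
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    'CORP\DL_FinanceShare_Modify', 'Modify',
    'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Check 1: the domain local group should contain groups, never accounts
Get-ADGroupMember -Identity 'DL_FinanceShare_Modify' |
    Where-Object { $_.objectClass -ne 'group' } |
    Select-Object @{n='Finding';e={'Account directly in DL group'}}, SamAccountName

# Check 2: explicit ACEs for CORP principals should name domain local groups.
# groupType bit 0x4 marks a domain local group; users have no groupType.
(Get-Acl -Path $sharePath).Access |
    Where-Object { -not $_.IsInherited -and $_.IdentityReference.Value -like 'CORP\*' } |
    ForEach-Object {
        $sam = ($_.IdentityReference.Value -split '\\')[-1]
        $obj = Get-ADObject -Filter "sAMAccountName -eq '$sam'" -Properties groupType
        if (-not $obj -or -not ($obj.groupType -band 4)) {
            [pscustomobject]@{ Finding = 'ACE not on a DL group'
                               Trustee = $_.IdentityReference.Value
                               Rights  = $_.FileSystemRights }
        }
    }
```

Both checks return nothing when the folder follows AGDLP; any row is an account or global group that was granted access directly and will be missed when role membership changes.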

Note: Make sure to back up the information for the scheduled tasks.

Symptoms:

– Error while trying to open the configured tasks.

– Error while trying to access the properties of the tasks.

– Status message of tasks as: “Could not Start”

– This normally happens in Microsoft Windows 2003 / 2003 R2.

Resolution:

– Stop the “Task Scheduler” service.

– Delete all the files in this path: C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18

– Restart the service and check if it works.

– If not, then restart the server.

– The issue will be resolved.

The WordPress.com stats helper monkeys prepared a 2012 annual report for this blog.

Here’s an excerpt:

19,000 people fit into the new Barclays Center to see Jay-Z perform. This blog was viewed about 92,000 times in 2012. If it were a concert at the Barclays Center, it would take about 5 sold-out performances for that many people to see it.
