samba4 has long had support for group policies for any ou.
Just rig it up then run dsa.msc to load the snap-in.
On Mon, Jan 19, 2009 at 12:18 PM, Dustin Puryear <dustin@puryear-it.com> wrote:
> Eh. I agree that Windows has issues, but if you have Windows boxes to
> manage then AD is really the way to go. It can really, really help in
> locking down and controlling your systems via GPOs.
>
> If you don't have Windows boxes to manage then by all means avoid AD.
> There is no reason to run AD just for the directory service.
>
> Ron Johnson wrote:
>>
>> <Sigh>
>>
>> Adware has *nothing* to do with AD.
>>
>> But the man who *wrote* the adware discovered all sorts of flaws
>> *inherent* to Windows. And AD runs on Windows.
>>
>> Spoken another way, the parable of the house built on sand:
>> Matthew 7.24-27
>> The wise man built his house on stone
>> Then a great flood came there, and winds blew there, and fell
>> down upon the house, and it did not fall: truly, it was built on
>> stone
>>
>> Then the foolish man built his house on sand Then it rained, and
>> a flood came there, and winds blew, and fell down upon the
>> house, and the house fell; and its fall was great
>>
>> On 01/15/09 11:11, Dustin Puryear wrote:
>>> I'm still confused. Are you arguing that Windows desktops are insecure?
>>> If so, I generally agree. However, I don't get what adware has to do
>>> with AD.
>>>
>>> Ron Johnson wrote:
>>>> Did you read the article? The section "Can you tell me more about your
>>>> strategies for persistence?" shows that no matter what MSFT does, it
>>>> will always be a big security nightmare.
>>>>
>>>> We then made a bootstrapper, which was a tiny tiny piece of code
>>>> written in Assembler which would decrypt the executable in
>>>> memory, and then just run it. At the same time, we also made a
>>>> virtual process executable. I've never heard of anybody else
>>>> doing this before. Windows has this thing called Create Remote
>>>> Thread. Basically, the semantics of Create Remote Thread are:
>>>> You're a process, I'm a different process. I call you and say
>>>> "Hey! I have this bit of code. I'd really like it if you'd run
>>>> this." You'd say, "Sure," because you're a Windows process–
>>>> you're all hippie-like and free love. Windows processes, by the
>>>> way, are insanely promiscuous. So! We would call a bunch of
>>>> processes, hand them all a gob of code, and they would all run
>>>> it. Each process would all know about two of the other ones.
>>>> This allowed them to set up a ring … mutual support, right?
>>>>
>>>>
>>>> On 01/15/09 10:24, Dustin Puryear wrote:
>>>>> I'm not sure what adware has to do with AD? That's like not running
>>>>> OpenLDAP because of the Morris worm.
>>>>>
>>>>> I would be interested in hearing Shannon's reasons why AD is bad. I'm
>>>>> always interested in hearing the pros and cons of various directory
>>>>> products.
>>>>>
>>>>> Ron Johnson wrote:
>>>>>> On 01/15/09 10:04, Shannon Roddy wrote:
>>>>>>> On Thu, Jan 15, 2009 at 9:45 AM, Dustin Puryear
>>>>>>> <dustin@puryear-it.com>wrote:
>>>>>>>
>>>>>>>> Normally, if a shop is just anti-AD, then I may see something like:
>>>>>>>>
>>>>>>>>
>>>>>>> There are more reasons not to use AD than just being anti-AD.
>>>>>>>
>>>>>> Being pro-security?
>>>>>>
>>>>>> (This, while focused on the desktop, is a pretty damning of Windows.)
>>>>>>
>>>>>> http://philosecurity.org/2009/01/12/interview-with-an-adware-author
>>>>>>
>>>>>> S: In your professional opinion, how can people avoid adware?
>>>>>>
>>>>>> M: Um, run UNIX.
>>
>
> --
> Dustin Puryear
> President and Sr. Consultant
> Puryear Information Technology, LLC
> 225-706-8414 x112
> http://www.puryear-it.com
>
> Author, "Best Practices for Managing Linux and UNIX Servers"
> http://www.puryear-it.com/pubs/linux-unix-best-practices/
>
> ___________________
> Nolug mailing list
> nolug@nolug.org
>
___________________
Nolug mailing list
nolug@nolug.org
Received on 01/19/09
This archive was generated by hypermail 2.2.0 : 02/17/09 EST